赵斯琴,付勇,陈康,郑纬民

DOI: https://doi.org/10.16511/j.cnki.qhdxxb.2013.02.013

2013-01-01

Abstract:This paper aims to improve log security in computer systems, with trustful logs then provided to data tracing and analyses with collected modification information. Logs can be in different security levels (SLs) as for data. When users do work such as log analyses and auditing, there should be logs in different security levels. Virtual machines (VMs) can be used to represent different security levels i.e. they can be used to generate system logs and keep the logs in virtual machines with different security levels. With the data files being accessed, the virtual machine monitor intercepts the operations from the working virtual machines and generates logs in logging virtual machines. When working virtual machines are in different security levels, the logs are also divided into different security levels. If the files are shared among virtual machines or the data might be transferred from the working virtual machine to the logging virtual machine, the access control module controls the data transfer based on the predefined access rules. Experiments on the virtual machine monitor xen with sHype show that producing the multi-SL log of data files causes fewer losses in system performance.

Xiaoguang Wang,Yong Qi,Zhi Wang,Yue Chen,Yajin Zhou

DOI: https://doi.org/10.1109/tdsc.2017.2675991

2019-01-01

Abstract:The OS kernel is critical to the security of a computer system. Many systems have been proposed to improve its security. A fundamental weakness of those systems is that page tables, the data structures that control the memory protection, are not isolated from the vulnerable kernel, and thus subject to tampering. To address that, researchers have relied on virtualization for reliable kernel memory protection. Unfortunately, such memory protection requires to monitor every update to the guest's page tables. This fundamentally conflicts with the recent advances in the hardware virtualization support. In this paper, we propose SecPod, an extensible framework for virtualization-based security systems that can provide both strong isolation and the compatibility with modern hardware. SecPod has two key techniques: paging delegation delegates and audits the kernel's paging operations to a secure space; execution trapping intercepts the (compromised) kernel's attempts to subvert SecPod by misusing privileged instructions. We have implemented a prototype of SecPod based on KVM. Our experiments show that SecPod is both effective and efficient.

Rongrong Huang,Jiwu Shu,Da Xiao,Kang Chen

2009-01-01

Journal of Computer Research and Development

Abstract:Network file systems facilitate data sharing but also introduce new vulnerabilities.Audit logs that trace the changes of file system data to prevent fraudulent manipulation of data have great value in evaluating system security.Current systems cannot satisfy the requirement of users because they fail to ensure the security of audit logs.The powerful insider adversary can modify the audit logs covertly to erase evidence of illegal modification directly via device drivers.A data integrity protection method is presented for network file systems based on secure audit logs.Every file and directory has an authenticator to ensure the integrity of data.All changes to data are traced and the corresponding audit logs are generated.At a later time,an auditor may verify the data of a file according to the authenticators and audit logs.A trusted hardware is introduced to manage audit key and to enable the generation and trustworthiness of authenticators and audit logs.A prototype of Nfsd-log is implemented based on the NFS server in Linux and its performance iS evaluated. SSH-build benchmark test shows that the total time overhead of Nfsd-log only increase by 9.2% comparing with original NFS server.

Siqin Zhao,Kang Chen,Weimin Zheng

DOI: https://doi.org/10.1109/ChinaGrid.2009.45

2009-01-01

Abstract:It is very important to protect critical resources such as private data and code in computer systems. It is promising to protect private data and to improve the system security by leveraging the isolation attribute of virtual machine(VM). The isolation attribute of VM is provided by Virtual Machine Monitor (VMM) that runs in higher priority than guest OSes. If the critical components are isolated in VMs,access control can be enforced or attestation can be made when the subject is accessing via VMs. In this way, VMs can improve the security level of critical components such as OS, kernel, data, and applications. For computer system security, VMs can be used to detect malware intrusions and to protect critical components, which can be implemented by integrating detection or protection mechanism in either VMM or VMs. Authentication is required to create trustful VMs. This paper surveys technologies related of using virtual machines to enhance system security.

Youhui Zhang,Yu Gu,Hongyi Wang,Dongsheng Wang

DOI: https://doi.org/10.1109/sbac-pad.2006.32

2006-01-01

Abstract:In this paper we present a storage-based intrusion detection system (IDS) that makes use of advantages of virtual machine (VM) and smart disk technologies. The virtual machine monitor (VMM) can prevent the IDS itself from potential attacks while the smart disk technology provides IDS with a whole view of the file system of the monitored VM. We show how to use a tool and some file system knowledge to enable the virtual disk to maintain a sector-to-file mapping table (called file-aware block level storage) as well as how to detect the changes to file content on-line. Based on these features, normal file-level intrusion detection (ID) rules can be converted to sector-level ones in order to integrate ID functions to the virtual storage. We implement such a prototype based on QEMU VMM and the OS of VM is Windows XP. Moreover the time overhead introduced by this solution is tested

Mao Ye

DOI: https://doi.org/10.48550/arXiv.2104.08699

2021-04-18

Hardware Architecture

Abstract:With emerging non-volatile memories entering the mainstream market, several operating systems start to incorporate new changes and optimizations. One major OS support is the direct-access for files, which enables efficient access for files hosted in byte-addressable NVM systems. With DAX-enabled filesystems, files can be accessed directly similar to memory with typical load/store operations. Despite its efficiency, the frequently used system call of direct access is troublesome for system auditing. File system auditing is mandatory and widely used because auditing logs can help detect anomalies, suspicious file accesses, or be used as an evidence in digital forensics. However, the frequent and long-time usage of direct access call blinds the operating system or file system from tracking process operations to shared files after the initial page faults. This might results in imprecise casualty analysis and leads to false conclusion for attack detection. To remedy the tension between enabling fine-grained file system auditing and leveraging the performance of NVM-hosted file systems, we propose a novel hardware-assisted auditing scheme, FOX. FOX enables file system auditing through lightweight hardware-software changes which can monitor every read or write event for mapped files on NVM. Additionally, we propose the optimized schemes, that enable auditing flexibility for selected files/memory range. By prototyping FOX on a full system simulator, Gem5, we observe a relatively small reduced throughput and an acceptable extra writes compared to our baseline. Compared to other instrumentation-based software schemes, our scheme is low-overhead and secure.

Jian Zhang,Yang,Yanjiao Chen,Fei Chen

DOI: https://doi.org/10.1109/iwqos.2017.7969107

2017-01-01

Abstract:With the development of cloud storage, data owners no longer physically possess their data and thus how to ensure the integrity of their outsourced data becomes a challenging task. Several protocols have been proposed to audit cloud storage, all of which rely mainly on data block tags to check data integrity. However, their block tag constructions employ cryptographic operations, which makes them computationally complex. In this paper, we investigate a secure cloud storage protocol based on the classic discrete logarithm problem. Our protocol generates data block tags with only basic algebraic operations, which brings substantial computation savings compared with previous work. We also strictly prove that the proposed protocol is secure under a definition which captures the real-world uses of cloud storage. In order to fit more application scenarios, we extend the proposed protocol to support data dynamics by employing an index vector and third-party public auditing by using a random masking number, both of which are efficient and provably secure. At last, theoretical analysis and experimental evaluation are provided to validate the superiority of the proposed protocol.

Siavash Ghiasvand,Florina M. Ciorba

DOI: https://doi.org/10.48550/arXiv.1706.04337

2017-06-14

Distributed, Parallel, and Cluster Computing

Abstract:System logs constitute valuable information for analysis and diagnosis of system behavior. The size of parallel computing systems and the number of their components steadily increase. The volume of generated logs by the system is in proportion to this increase. Hence, long-term collection and storage of system logs is challenging. The analysis of system logs requires advanced text processing techniques. For very large volumes of logs, the analysis is highly time-consuming and requires a high level of expertise. For many parallel computing centers, outsourcing the analysis of system logs to third parties is the only affordable option. The existence of sensitive data within system log entries obstructs, however, the transmission of system logs to third parties. Moreover, the analytical tools for processing system logs and the solutions provided by such tools are highly system specific. Achieving a more general solution is only possible through the access and analysis system of logs of multiple computing systems. The privacy concerns impede, however, the sharing of system logs across institutions as well as in the public domain. This work proposes a new method for the anonymization of the information within system logs that employs de-identification and encoding to provide sharable system logs, with the highest possible data quality and of reduced size. The results presented in this work indicate that apart from eliminating the sensitive data within system logs and converting them into shareable data, the proposed anonymization method provides 25% performance improvement in post-processing of the anonymized system logs, and more than 50% reduction in their required storage space.

Sepideh Avizheh,Reihaneh Safavi-Naini,Shuai Li

DOI: https://doi.org/10.48550/arXiv.1910.14169

2019-10-31

Abstract:Logging systems are an essential component of security systems and their security has been widely studied. Recently (2017) it was shown that existing secure logging protocols are vulnerable to crash attack in which the adversary modifies the log file and then crashes the system to make it indistinguishable from a normal system crash. The attacker was assumed to be non-adaptive and not be able to see the file content before modifying and crashing it (which will be immediately after modifying the file). The authors also proposed a system called SLiC that protects against this attacker. In this paper, we consider an (insider) adaptive adversary who can see the file content as new log operations are performed. This is a powerful adversary who can attempt to rewind the system to a past state. We formalize security against this adversary and introduce a scheme with provable security. We show that security against this attacker requires some (small) protected memory that can become accessible to the attacker after the system compromise. We show that existing secure logging schemes are insecure in this setting, even if the system provides some protected memory as above. We propose a novel mechanism that, in its basic form, uses a pair of keys that evolve at different rates, and employ this mechanism in an existing logging scheme that has forward integrity to obtain a system with provable security against adaptive (and hence non-adaptive) crash attack. We implemented our scheme on a desktop computer and a Raspberry Pi, and showed in addition to higher security, a significant efficiency gain over SLiC.

Cryptography and Security

Dongyang Zhan,Lin Ye,Hongli Zhang,Binxing Fang,Huhua Li,Yang Liu,Xiaojiang Du,Mohsen Guizani

DOI: https://doi.org/10.48550/arXiv.1804.01633

2018-04-05

Abstract:Cloud-assisted Cognitive Internet of Things has powerful data analytics abilities based on the computing and data storage capabilities of cloud virtual machines, which makes protecting virtual machine filesystem very important for the whole system security. Agentless periodic filesystem monitors are optimal solutions to protect cloud virtual machines because of the secure and low-overhead features. However, most of the periodic monitors usually scan all of the virtual machine filesystem or protected files in every scanning poll, so lots of secure files are scanned again and again even though they are not corrupted. In this paper, we propose a novel agentless periodic filesystem monitor framework for virtual machines with different image formats to improve the performance of agentless periodic monitors. Our core idea is to minimize the scope of the scanning files in both file integrity checking and virus detection. In our monitor, if a file is considered secure, it will not be scanned when it has not been modified. Since our monitor only scans the newly created and modified files, it can check fewer files than other filesystem monitors. To that end, we propose two monitor methods for different types of virtual machine disks to reduce the number of scanning files. For virtual machine with single disk image, we hook the backend driver to capture the disk modification information. For virtual machine with multiple copy-onwrite images, we leverage the copy-on-write feature of QCOW2 images to achieve the disk modification analysis. In addition, our system can restore and remove the corrupted files. The experimental results show that our system is effective for both Windows and Linux virtual machines with different image formats and can reduce the number of scanning files and scanning time.

Cryptography and Security

Xian Chen,Wenzhi Chen,Zhongyong Lu,Yu Zhang,Rui Chang,Mohammad Mehedi Hassan,Abdulhameed Alelaiwi,Yang Xiang

DOI: https://doi.org/10.1002/cpe.4028

2017-01-01

Abstract:SummaryWith the advantages of extremely high access speed, low energy consumption, nonvolatility, and byte addressability, nonvolatile memory (NVM) device has already been setting off a revolution in storage field. Conventional storage architecture needs to be optimized or even redesigned from scratch to fully explore the performance potential of NVM device. However, most previous NVM‐related works only explore its low access latency and low energy consumption. Few works have been done to explore the appropriate way to use NVM device for improving virtual machine's storage performance. In this paper, we comprehensively evaluate and analyze conventional virtual machine's storage architecture. We find that, even with cutting‐edge optimization technologies, virtual machine can only achieve 30% of NVM device's original performance. Based on this observation, we propose a memory bus–based storage architecture, which we named MBSA. Memory bus–based storage architecture can greatly shorten the length of virtual machine's storage input/output stack and improve NVM device's use flexibility. In addition, an efficient wear‐leveling algorithm is proposed to prolong NVM device's lifespan. To evaluate the new architecture, we implement it as well as the wear‐leveling algorithm on real hardware and software platform. Experimental results show that MBSA can provide a big performance improvement, about 2.55X, and the wear‐leveling algorithm can efficiently balance write operations on NVM device with a negligible performance overhead (no more than 3%).

Xiaowei Li,Hongxiang Sun,Qiaoyan Wen

DOI: https://doi.org/10.1109/ccis.2012.6664413

2012-01-01

Abstract:Numerous virtual machines have been designed to make full use of the adequate resources and facilitate people's lives. In turn, it results in the necessity of communication between the virtual machines. As we know, the data of communication between the virtual machines which located on the different hosts, could potentially be altered or intercepted during transport. To solve the problem, we design and operation of the transparent encryption-decryption communication mechanism (TEDCM) in the privilege virtual machine, the result suggests that the TEDCM in our paper is a good choice to solve the problem of information leakage.

Alexander Hicks,Vasilios Mavroudis,Mustafa Al-Bassam,Sarah Meiklejohn,Steven J. Murdoch

DOI: https://doi.org/10.48550/arXiv.1805.04772

2023-05-04

Abstract:We propose VAMS, a system that enables transparency for audits of access to data requests without compromising the privacy of parties in the system. VAMS supports audits on an aggregate level and an individual level, by relying on three mechanisms. A tamper-evident log provides integrity for the log entries that are audited. A tagging scheme allows users to query log entries that relate to them, without allowing others to do so. MultiBallot, a novel extension of the ThreeBallot voting scheme, is used to generate a synthetic dataset that can be used to publicly verify published statistics with a low expected privacy loss. We evaluate two implementations of VAMS, and show that both the log and the ability to verify published statistics are practical for realistic use cases such as access to healthcare records and law enforcement access to communications records.

Cryptography and Security

L. Jin-gang

Abstract:This paper introduces a new security and reliability mechanism of the file system of Linux-limiting OS physical storage space,and make it can’t be rewritten.Will be relatively independent of the operating system installed in the physical space,and other applications software in the physical separation of space,the operating system will be installed into a physical storage medium limited to read-only,so that the operating system installed can not be rewritten on the physical layer,so as to achieve secure and reliable;at the same time,user space and system space isolated from each other in the physical space,when users need to install software or preserve documents,can be transparent in the storage space.Then describes its design principle and implement details,and comes to the conclusion of providing security and reliability without performance loss by giving fully test results.

Computer Science,Engineering

Yi Jie Tong,Wei Qi Yan,Jin Yu

DOI: https://doi.org/10.4018/ijdcf.2015010104

2015-01-01

International Journal of Digital Crime and Forensics

Abstract:With an increasing number of personal computers introduced in schools, enterprises and other large organizations, workloads of system administrators have been on the rise due to the issues related to energy costs, IT expenses, PC replacement expenditures, data storage capacity, and information security, etc. However, Application Virtualization (AV) has been proved as a successful cost-effective solution to solve these problems. In this paper, the analytics of a Virtual Desktop Infrastructure (VDI) system will be taken into consideration for a campus network. Our developed system will be introduced and justified. Furthermore, the rationality for these improvements will be introduced.

Xian Chen,Wenzhi Chen,Peng Long,Zhongyong Lu,Zonghui Wang

DOI: https://doi.org/10.1109/cbd.2013.32

2013-01-01

Abstract:For the ability to explore the memory's fullest potential, memory de-duplication has been widely experimented with in current main stream virtualization platforms. A lot of work has been done to improve the efficiency of memory de-duplication, while too little attention was paid to the introduced security issues which have been proved by prior work. To deal with this security risk and efficiently manage the memory we start our work in this paper. We first conduct extensive experiments on different OS platforms to study the realistic situation of page sharing. By analyzing the results we find: 1) Page sharing is contributed mostly by self-sharing (nearly 90%), and the self-sharing rate varies significantly between Linux and Windows OS platforms. Compared with self-sharing the inter-VM sharing rate is extremely low, under 1% in most cases. 2) Page size has a larger influence on Linux platform than Windows platform, so sub-page de-duplication proposed in prior work may achieve better performance on Linux platform. On the basis of above findings we propose a group-based secure page sharing model (or GSKSM), in which we consider both VM processes and normal processes. We have successfully implemented it in Linux kernel 3.6.6, and the experiment results show it works well with negligible overhead. Finally based on GSKSM we further present an efficient memory management approach (or SEMMA), which combines GSKSM and balloon technique to efficiently manage the memory, and the preliminary experiment result is satisfactory.

Jiansen Huang,Hui Li,Jiyang Zhang

DOI: https://doi.org/10.1109/bigdata.2018.8622204

2018-01-01

Abstract:The logging system records the logs generated by the software so that the administrator can handle the problems that occur. However, the traditional log system is not secure enough and the stored logs are easily falsified. As a decentralized distributed storage technology, the blockchain can ensure that the blockchain network works normally in the presence of a few malicious nodes or failed nodes. So we use the blockchain to store the logs, which improves the security of the log system. In order to improve the performance of the blockchain, we use a voting-based consensus algorithm as a blockchain consistency protocol. This article introduces the architecture and implementation of the log system and verifies the feasibility of the system through experiments.

K. Suzaki,R. Ando,Kazushi Takahashi

DOI: https://doi.org/10.22667/JOWUA.2012.03.31.120

Abstract:Leveraging hypervisor for security purpose such as malware analysis has been well researched. There still remain two challenges for analyzing security incidents on virtual machine: real-time monitoring and semantic gap. First, current active monitoring methods need to be improved for real-time protection of virtual machine. Second, semantic gap between virtual machine and hypervisor poses a significant impediment on security analyst. In this paper, we propose an inter-domain communication protocol for real-time monitoring of virtual machine and bridging semantic gap. We have deployed the inter-domain communication module between a guest Windows OS and a hypervisor in two ways. While the one is a register based transfer using vCPU context, the other is a shared memory based communication. Our protocol is event driven, which makes the proposed system enable to monitor the file access of a guest Windows OS in real-time without suspending it. We have implemented our system on XEN virtual machine monitor and KVM (Kernel Virtual Machine). We have measured the resource utilization of these two systems in the case of decompressing files and receiving HTTP requests. On the guest OS, the KVM based system outperforms the processor idle time by about 30-50% in decompressing file and the memory usage by about 35% in receiving HTTP requests. We conclude that our system can monitor file access inside virtual machine without suspension and also with reasonable resource usage.

Computer Science

MA Jian-kun,HUANG Hao

DOI: https://doi.org/10.3969/j.issn.1002-137x.2011.11.024

2011-01-01

Computer Science

Abstract:The message flow of Windows operating system was introduced and the potential threats was analyzed.A solution based on hardware-assisted virtualization was developed to defend against the software key logger.A virtual machine monitor was implemented using Intel virtual technology.When the protected thread is reading keyboard input,the keyboard interrupt is handled in the virtual machine monitor.By reading scan code of the keyboard in the virtual machine monitor,the keyboard input can be safely sent to the protected thread.

Francesco Gadaleta,Raoul Strackx,Nick Nikiforakis,Frank Piessens,Wouter Joosen

DOI: https://doi.org/10.48550/arXiv.1405.6058

2014-05-22

Abstract:Protecting commodity operating systems and applications against malware and targeted attacks has proven to be difficult. In recent years, virtualization has received attention from security researchers who utilize it to harden existing systems and provide strong security guarantees. This has lead to interesting use cases such as cloud computing where possibly sensitive data is processed on remote, third party systems. The migration and processing of data in remote servers, poses new technical and legal questions, such as which security measures should be taken to protect this data or how can it be proven that execution of code wasn't tampered with. In this paper we focus on technological aspects. We discuss the various possibilities of security within the virtualization layer and we use as a case study \HelloRootkitty{}, a lightweight invariance-enforcing framework which allows an operating system to recover from kernel-level attacks. In addition to \HelloRootkitty{}, we also explore the use of special hardware chips as a way of further protecting and guaranteeing the integrity of a virtualized system.

Cryptography and Security