Deqing Zou,Wenrong Zhang,Weizhong Qiang,Guofu Xiang,Laurence Tianruo Yang,Hai Jin,Kan Hu

DOI: https://doi.org/10.1016/j.future.2012.12.020

IF: 7.307

2013-01-01

Future Generation Computer Systems

Abstract:Virtualization is a pillar technology in cloud computing for multiplexing computing resources on a single cloud platform for multiple cloud tenants. Monitoring the behavior of virtual machines (VMs) on a cloud platform is a critical requirement for cloud tenants. Existing monitoring mechanisms on virtualized platforms either takes a complete VM as the monitoring granularity, such that they cannot capture the malicious behaviors within individual VMs, or they focus on specific monitoring functions that cannot be used for heterogeneous VMs concurrently running on a single cloud node. Furthermore, the existing monitoring mechanisms have made an assumption that the privileged domain is trusted to act as expected, which causes the cloud tenants’ concern about security because the privileged domain in fact could not act as the tenants’ expectation. We design a trusted monitoring framework, which provides a chain of trust that excludes the untrusted privileged domain, by deploying an independent guest domain for the monitoring purpose, as well as utilizing the trusted computing technology to ensure the integrity of the monitoring environment. Moreover, the feature of fine-grained and general monitoring is also provided. We have implemented the proposed monitoring framework on Xen, and integrated it into OpenNebula. Our experimental results show that it can offer expected functionality, and bring moderate performance overhead.

Ding Shun,Li Minglu,Weng Chuliang,Liu Qian

DOI: https://doi.org/10.3969/j.issn.1000-386X.2012.06.015

2012-01-01

Abstract:As virtualization is widely applied to various fields such as cloud computing,it gradually becomes a target that various malicious attacks aim at.The runtime security of virtual machines is of the most importance.Aiming at this problem,a monitoring scheme suitable for virtualized environments is proposed.Moreover a security monitoring prototype system of a virtual machine is implemented in Xen.With this scheme,a privileged virtual machine can execute dynamic and customized monitoring upon the massive client virtual machines hosted in a same physical machine.Particularly,this system is very effective at detecting rootkits inside OS kernels.The security monitoring scheme can effectively increase the security not only of client virtual machines but also of the whole VM system.

CHEN Zhu-Hong,CUI Chao-Yuan,WANG Ru-Jing,ZHOU Ji-Dong

DOI: https://doi.org/10.3969/j.issn.1003-3254.2013.07.015

2013-01-01

Abstract:As the foundation of cloud computing,virtualization technology’s security problems are gained more and more attention of the specialists with the development of cloud computing.This paper presents a virtual machine system kernel intrusion detection system,which use the introspection technology provided by Xen hypervisor to get internal states of kernel of the virtual machine.To achieve the goal of monitoring the kernel and preventing it from being compromised.This system can effectively defend the case of attack that dynamically modifies the kernel code and kernel unchanged data structure.

Bin Shi,Lei Cui,Bo Li,Xudong Liu,Zhiyu Hao,Haiying Shen

DOI: https://doi.org/10.1007/978-3-030-00470-5_31

2018-01-01

Abstract:Virtual machine introspection (VMI) is one compelling technique to enhance system security in clouds. It is able to provide strong isolation between untrusted guests and security tools placed in guests, thereby enabling dependability of the security tools even if the guest has been compromised. Due to this benefit, VMI has been widely used for cloud security such as intrusion detection, security monitoring, and tampering forensics. However, existing VMI solutions suffer significant performance degradation mainly due to the high overhead upon frequent memory address translations and context-switches. This drawback limits its usage in many real-world scenarios, especially when fine-grained monitoring is desired. In this paper, we present ShadowMonitor, an effective VMI framework that enables efficient in-VM monitoring without imposing significant overhead. ShadowMonitor decomposes the whole monitoring system into two compartments and then assigns each compartment with isolated address space. By placing the monitored components in the protected compartment, ShadowMonitor guarantees the safety of both monitoring tools and guests. In addition, ShadowMonitor employs hardware-enforced instructions to design the gates across two compartments, thereby providing efficient switching between compartments. We have implemented ShadowMonitor on QEMU/KVM exploiting several hardware virtualization features. The experimental results show that ShadowMonitor could prevent several types of attacks and achieves 10\(\times \) speedup over the existing method in terms of both event monitoring and overall application performance.

Lei ZHANG,Xing-shu CHEN,Yi REN,Hui LI

DOI: https://doi.org/10.3969/j.issn.1671-1122.2015.04.010

2015-01-01

Abstract:Kernel-level Rootkits of virtual machine in cloud can destroy the integrity of virtual machine of tenant. This paper presents a kind of kernel-level Rootkit detection technology based on Virtual Machine Monitor (VMM). This technology establishes True Module List (TML) by critical path breakpoint and obtains the virtual machine''s kernel module view, the user mode view was established by bottom-up calls from VMM, and the reconstructed kernel mode view of virtual machine was get in the VMM layer, then by cross-referencing these three views to detect Rootkit hidden in a virtual machine. Finally, a prototype system was realized based on the Kernel-based Virtual Machine (KVM), experimental results showed that Rootkits in Virtual Machine could be quickly and ac-curately detected in the prototype system, details of Rootkit could be reported according to TML, the overall per-formance loss of the prototype system was in acceptable range.

Nan Li,Bo Li,Jianxin Li,Tianyu Wo,Jinpeng Huai

DOI: https://doi.org/10.1109/HPCC.and.EUC.2013.194

2013-01-01

Abstract:Cloud computing service has been evolved in providing a whole virtual data center from selling scattered virtual machines (VMs). Process Monitoring of a VM is a fundamental feature to guarantee the security of the virtual data center because of the rapid growth of the malware. Existing approaches are mainly based on virtual machine introspection (VMI) technique to isolate the monitor out-of-vm and designed to inspect the VM internal processes. However, few of them consider the real time control of process execution in the VMs, such as process termination or files operation conducted by the process. Early VMI-based solutions relied on some specific OS kernel data structures, so they need to know the OS information in advance instead of identifying the OS version at runtime for operating system compatible. In this paper, we propose a novel out-of-the-box process monitor named vMON, which can not only identify different guest OS versions and reconstruct rich semantic information for the target VM processes at runtime, but also control the behaviors of processes with fine granularity. In addition, vMON provides uniform programming interfaces to support the development of application-level security tools. A prototype of vMON has been implemented in kernel-based virtual machine (KVM) hypervisor, and its effectiveness and performance have also been evaluated through several experiments. The results show that vMON can successfully identify, analyze and control the behaviors of the processes in Guest OS with acceptable performance overhead. vMon incurs 0.74%similar to 10.20% I/O overhead and 0.003s average interface return time.

Huaizhe Zhou,Haihe Ba,Yongjun Wang,Zhiying Wang,Jun Ma,Yunshi Li,Huidong Qiao

DOI: https://doi.org/10.3390/sym11020252

2019-01-01

Abstract:The dramatic proliferation of cloud computing makes it an attractive target for malicious attacks. Increasing solutions resort to virtual machine introspection (VMI) to deal with security issues in the cloud environment. However, the existing works are not feasible to support tenants to customize individual security services based on their security requirements flexibly. Additionally, adoption of VMI-based security solutions makes tenants at the risk of exposing sensitive information to attackers. To alleviate the security and privacy anxieties of tenants, we present SECLOUD, a framework for monitoring VMs in the cloud for security analysis in this paper. By extending VMI techniques, SECLOUD provides remote tenants or their authorized security service providers with flexible interfaces for monitoring runtime information of guest virtual machines (VMs) in a non-intrusive manner. The proposed framework enhances effectiveness of monitoring by taking advantages of architectural symmetry of cloud environment. Moreover, we harden our framework with a privacy-preserving capacity for tenants. The flexibility and effectiveness of SECLOUD is demonstrated through a prototype implementation based on Xen hypervisor, which results in acceptable performance overhead.

XIANG Guo-Fu,JIN Hai,ZOU De-Qing,CHEN Xue-Guang

DOI: https://doi.org/10.3724/sp.j.1001.2012.04219

2012-01-01

Journal of Software

Abstract:In recent years, virtualization technology is the novel trendy of computer architecture, and it provides a solution for security monitoring.Due to the highest privilege and the smaller trusted computing base of virtual machine monitor, security tools, deployed in an isolated virtual machine, can inspect the target virtual machine with the help of virtual machine monitor.This approach can enhance the effectiveness and anti-attack ability of security tools.From the aspect of the implementation technologies, existing research works can be classified into internal monitoring and external monitoring.According to the different targets, the related works about virtualization-based monitoring are introduced in this paper in detail, such as intrusion detection, honeypot, file integrity monitoring, malware detection and analysis, security monitoring architecture and the generality of monitoring.Finally, this paper summarizes the shortcomings of existing works, and presents the future research directions.It is significant for virtualization research and security monitoring research.

Qian Liu,Chuliang Weng,Minglu Li,Yuan Luo

DOI: https://doi.org/10.1109/MSP.2010.143

IF: 3.105

2010-01-01

IEEE Security & Privacy

Abstract:Cloud computing relies heavily on virtualization. Virtualization technology has developed rapidly because of the rapid decrease in hardware cost and concurrent increase in hardware computing power. A virtual machine monitor (VMM, also called a hγpervisor) between the hardware and the OS enables multiple virtual machines (VMs) to run on top of a single physical machine. The VMM manages scheduling and dispatching the physical resources to the individual VMs as needed, and the VMs appear to users as separate computers. Widely used virtualization technologies include VMWare, Xen, Denali, and the Kernel-Based Virtual Machine (KVM). In this framework, a module measures executables running in virtual machines (VMs) and transfers the values to a trusted VM. Comparing those values to a reference table containing the trusted measurement values of running executables verifies the executable/s status.

Hai Jin,Guofu Xiang,Deqing Zou,Feng Zhao,Min Li,Chen Yu

DOI: https://doi.org/10.1016/j.camwa.2010.01.007

IF: 3.218

2010-01-01

Computers & Mathematics with Applications

Abstract:The file system becomes the usual target of malicious attacks because it contains lots of sensitive data, such as executable programs, configuration and authorization information. File integrity monitoring is an effective approach to discover aggressive behavior by detecting modification actions on these sensitive files. Traditional real-time integrity monitoring tools, which insert hooks into the OS kernel, are easily controlled and disabled by malicious software. Such existing methods, which insert kernel module into OS, are hard to be compatible because of the diversity of OS. In this paper, we present a non-intrusive real-time file integrity monitoring method in virtual machine-based computing environment, which is transparent to the monitored system. The monitor is isolated from the monitored system, since it observes the state of the monitored system from the outside. This method brings two benefits: detecting file operations in real time and being invisible to malicious attackers in the monitored system. Furthermore, a kind of file classification algorithm based on file security level is proposed to improve efficiency in this paper. The proposed file integrity monitoring method is implemented in the full-virtualization mode supported by the Xen platform. The experimental results show that the method is effective with acceptable overhead.

Guofu Xiang,Hai Jin,Deqing Zou

DOI: https://doi.org/10.1109/icoin.2012.6164438

2012-01-01

Abstract:Virtualization can divide or aggregate the underlying resource flexibly, and it attracts attention from both academic and industry in recent years. Guest operating systems in virtual machines can be various, and the states of virtual machines changes all the time. Due to the complexity of virtual computing environment, it brings tremendous challenges for security monitoring. Existing monitoring mechanism can not adapt to the dynamic and diversity of virtual machines. Therefore, a comprehensive monitoring framework, named ComMon, is proposed in this paper, which implements comprehensive monitoring from three aspects: network, process, and file. It has the characteristics of real-time, transparency and generality.

Fengzhe Zhang,Jin Chen,Haibo Chen,Binyu Zang

DOI: https://doi.org/10.1145/2043556.2043576

2011-01-01

Abstract:Multi-tenant cloud, which usually leases resources in the form of virtual machines, has been commercially available for years. Unfortunately, with the adoption of commodity virtualized infrastructures, software stacks in typical multi-tenant clouds are non-trivially large and complex, and thus are prone to compromise or abuse from adversaries including the cloud operators, which may lead to leakage of security-sensitive data.In this paper, we propose a transparent, backward-compatible approach that protects the privacy and integrity of customers' virtual machines on commodity virtualized infrastructures, even facing a total compromise of the virtual machine monitor (VMM) and the management VM. The key of our approach is the separation of the resource management from security protection in the virtualization layer. A tiny security monitor is introduced underneath the commodity VMM using nested virtualization and provides protection to the hosted VMs. As a result, our approach allows virtualization software (e.g., VMM, management VM and tools) to handle complex tasks of managing leased VMs for the cloud, without breaking security of users' data inside the VMs.We have implemented a prototype by leveraging commercially-available hardware support for virtualization. The prototype system, called Cloud Visor, comprises only 5.5K LOCs and supports the Xen VMM with multiple Linux and Windows as the guest OSes. Performance evaluation shows that Cloud Visor incurs moderate slow-down for I/O intensive applications and very small slowdown for other applications.

Dongyang Zhan,Lin Ye,Hongli Zhang,Binxing Fang,Huhua Li,Yang Liu,Xiaojiang Du,Mohsen Guizani

DOI: https://doi.org/10.48550/arXiv.1804.01633

2018-04-05

Abstract:Cloud-assisted Cognitive Internet of Things has powerful data analytics abilities based on the computing and data storage capabilities of cloud virtual machines, which makes protecting virtual machine filesystem very important for the whole system security. Agentless periodic filesystem monitors are optimal solutions to protect cloud virtual machines because of the secure and low-overhead features. However, most of the periodic monitors usually scan all of the virtual machine filesystem or protected files in every scanning poll, so lots of secure files are scanned again and again even though they are not corrupted. In this paper, we propose a novel agentless periodic filesystem monitor framework for virtual machines with different image formats to improve the performance of agentless periodic monitors. Our core idea is to minimize the scope of the scanning files in both file integrity checking and virus detection. In our monitor, if a file is considered secure, it will not be scanned when it has not been modified. Since our monitor only scans the newly created and modified files, it can check fewer files than other filesystem monitors. To that end, we propose two monitor methods for different types of virtual machine disks to reduce the number of scanning files. For virtual machine with single disk image, we hook the backend driver to capture the disk modification information. For virtual machine with multiple copy-onwrite images, we leverage the copy-on-write feature of QCOW2 images to achieve the disk modification analysis. In addition, our system can restore and remove the corrupted files. The experimental results show that our system is effective for both Windows and Linux virtual machines with different image formats and can reduce the number of scanning files and scanning time.

Cryptography and Security

Huaizhe Zhou,Haihe Ba,Yongjun Wang,Tie Hong

DOI: https://doi.org/10.1587/transinf.2019EDL8148

2020-01-01

IEICE Transactions on Information and Systems

Abstract:The arms race between offense and defense in the cloud impels the innovation of techniques for monitoring attacks and unauthorized activities. The promising technique of virtual machine introspection (VMI) becomes prevalent for its tamper-resistant capability. However, some elaborate exploitations are capable of invalidating VMI-based tools by breaking the assumption of a trusted guest kernel. To achieve a more reliable and robust introspection, we introduce a practical approach to monitor and detect attacks that attempt to subvert VMI in this paper. Our approach combines supervised machine learning and hardware architectural events to identify those malicious behaviors which are targeted at VMI techniques. To demonstrate the feasibility, we implement a prototype named HyperMon on the Xen hypervisor. The results of our evaluation show the effectiveness of HyperMon in detecting malicious behaviors with an average accuracy of 90.51% (AUC).

Dongyang Zhan,Huhua Li,Lin Ye,Hongli Zhang,Binxing Fang,Xiaojiang Du

DOI: https://doi.org/10.1109/icc.2019.8761433

2019-05-01

Abstract:Monitoring kernel object modification of virtual machine is widely used by virtual-machine-introspection-based security monitors to protect virtual machines in cloud computing, such as monitoring dentry objects to intercept file operations, etc. However, most of the current virtual machine monitors, such as KVM and Xen, only support page-level monitoring, because the Intel EPT technology can only monitor page privilege. If the out-of-virtual-machine security tools want to monitor some kernel objects, they need to intercept the operation of the whole memory page. Since there are some other objects stored in the monitored pages, the modification of them will also trigger the monitor. Therefore, page-level memory monitor usually introduces overhead to related kernel services of the target virtual machine. In this paper, we propose a low-overhead kernel object monitoring approach to reduce the overhead caused by page-level monitor. The core idea is to migrate the target kernel objects to a protected memory area and then to monitor the corresponding new memory pages. Since the new pages only contain the kernel objects to be monitored, other kernel objects will not trigger our monitor. Therefore, our monitor will not introduce runtime overhead to the related kernel service. The experimental results show that our system can monitor target kernel objects effectively only with very low overhead.

Dongyang Zhan,Lin Ye,Binxing Fang,Hongli Zhang,Xiaojiang Du

DOI: https://doi.org/10.1007/s00500-017-2745-x

2017-01-01

Abstract:Kernel control-flow integrity (CFI) of virtual machines is very important to cloud security. VMI-based dynamic tracing and analyzing methods are promising options for checking kernel CFI in cloud. However, the CFI monitors based on tracing always work at instruction or branch level and result in serious virtual machine performance degradation. To meet the performance requirements in the cloud, we present a page-level dynamic VMI-based kernel CFI checking solution. We trace VM kernel execution at page level, which means that the in-page instruction execution cannot trigger our monitor. As a result, the tracing overhead can be greatly reduced. Based on page-level execution information, we propose two policies to describe the kernel control-flow so as to build the secure kernel control-flow database in the learning stage. In the monitoring stage, we compare runtime execution information with the secure database to check kernel CFI. To further reduce the monitoring overhead, we propose two performance optimization strategies. We implement the prototype on Xen and leverage hardware events to trace VM memory page execution. Then, we evaluate the effectiveness and performance of the prototype. The experimental results prove that our system has enough detection capability and the overhead is acceptable.

Weiwen Tang,Zeyu Mi

DOI: https://doi.org/10.1109/sose.2018.00031

2018-01-01

Abstract:In JointCloud computing, the hypervisor used by each cloud plays a key role in providing services and protection for guest virtual machines (VMs). Unfortunately, the commodity hypervisor usually has a considerable attack surface and its memory is especially prone to be tampered with by an attacker who resides in one VM and then threatens the security of other co-located VMs. To mitigate such threat, previous solutions proposed an out-of-the-box design which leverages the nested virtualization to introduce a higher privileged software layer (a nested hypervisor) below the hypervisor. It also installs a security monitor into a trusted VM which is protected by the nested hypervisor and isolated from the untrusted hypervisor. The monitor is responsible for dynamically validating the behaviors of the untrusted hypervisor. Although monitoring from outside of the hypervisor can help ensure security, the large number of context switches caused by the nested virtualization incurs unacceptable overheads and makes this approach unsuitable for the cloud environment. In this paper, we introduce In-Hypervisor Memory Introspection (IHMI), an in-the-box way to monitor the hypervisor based on the nested virtualization. Our system puts the monitor into the untrusted hypervisor for efficiency while guaranteeing the same level of memory security as monitoring the hypervisor from a separated secure VM. By leveraging hardware virtualization features of current processors, IHMI isolates the monitor from the hypervisor via the nested page table and implements an efficient switch between them. Further, IHMI configures a uni-directional mapping for the monitor which allows the monitor to access the hypervisor's memory at native speed while forbidding the hypervisor from accessing the monitor's memory. Our IHMI system is currently still in an early stage and we report our design as well as preliminary evaluation results in this paper.

Lin Ye,Xiangzhan Yu,Lei Yu,Bin Guo,Dongyang Zhan,Xiaojiang Du,Mohsen Guizani

DOI: https://doi.org/10.1109/ACCESS.2018.2859767

IF: 3.9

2018-01-01

IEEE Access

Abstract:With the advancement of cloud computing, the control flow integrity (CFI) of virtual machines' kernel becomes more and more important for the security of cloud services. Many CFI checking and protecting approaches have been proposed. Among them, dynamic analysis approaches have the best detection capability, but they are rarely used because of the high overhead introduced to the virtual machines to be monitored. In this paper, we propose a function-level kernel CFI checking approach to meet the performance requirements in the cloud. By combining the static memory analysis and the dynamic tracing, our system can achieve high detection capability with low overhead. Since the analysis and tracing targets of our system are kernel functions, our system incurs lower overhead to the monitored virtual machines than the instruction-level monitors. We propose two models to describe the kernel control flows. After building the secure control flow database by learning the normal behaviors, we can detect abnormal control flows in real time. With the help of virtualization and virtual machine introspection techniques, we implement a prototype system in the hardware virtualization environment. From the evaluation, our system has high detection capability with reasonable overhead.

Ge Cheng,Hai Jin,Deqing Zou,Xinwen Zhang

DOI: https://doi.org/10.1002/cpe.1614

2010-01-01

Concurrency and Computation Practice and Experience

Abstract:In the cloud computing infrastructure, there is an increasing demand to maintain and verify the integrity of software stacks running on remote systems and protect users' sensitive data. However, due to the fact that software stacks running on cloud platforms are usually provided and maintained by different authorities (or providers) who are potentially untrusting to each other, the problem of measuring and protecting runtime system integrity becomes very challenging and has not been well addressed yet. In this paper, we present an integrity measurement and protection architecture for software stacks running on a guest operating system (OS) of a virtualized platform in cloud environment. Our solution does not change the guest OS, and thus is transparent to the OS authority. Furthermore, our architecture ensures that sensitive information of users is protected once the integrity of software stacks is broken during runtime. We implement our solution on Xen, and present a simple prototype-based Nimbus. We demonstrate the capability of dynamically detecting the integrity change of programs in cloud computing, and our evaluation results show that the solution is effective for integrity protection with acceptable performance overhead. Copyright © 2010 John Wiley & Sons, Ltd.

Chonghua Wang,Zhiyu Hao,Xiaochun Yun

DOI: https://doi.org/10.1007/978-3-319-75160-3_29

2017-01-01

Abstract:Cloud platforms of large enterprises are witnessing increasing adoption of the Virtual Machine Introspection (VMI) technology for building a wide range of VM monitoring applications including intrusion detection systems, virtual firewall, malware analysis, and live memory forensics. In our analysis and comparison of existing VMI systems, we found that most systems suffer one or more of the following problems: intrusiveness, time lag and OS-dependence, which are not well suited to clouds in practice. To address these problems, we present NOR, a non-intrusive, real-time and OS-agnostic introspection system for virtual machines in cloud environment. It employs event-driven monitoring and snapshot polling cooperatively to reconstruct the memory state of guest VMs. In our evaluation, we show NOR is capable of monitoring activities of guest VMs instantaneously with minor performance overhead. We also design some case studies to show that NOR is able to detect kernel rootkits and mitigate transient attacks for different Linux systems.