Rui Wu,Ping Chen,Peng Liu,Bing Mao

DOI: https://doi.org/10.1109/DSN.2014.59

2014-01-01

Abstract:Existing VMI techniques have high overhead, and require customized introspection programs/tools for different guest OS versions - lack of generality. In this paper, we present Shadow Context, a system for close-to-real time manual-effort-free VMI. Shadow Context can meet several important real-world VMI needs which existing VMI techniques cannot. Compared to other automatic introspection tool generation techniques, Shadow Contexthas two merits: (1) Its overhead is significantly less. It achieves close-to-real time VMI. (2) It significantly improves the practical usefulness of introspection tools by allowing one introspection program to inspect a variety of guest OS versions. These merits are achieved via a new concept called \"Shadow Context\" which allows the guest OSessystem call code to be reused inside a \"shadowed\" portion of the context of the out-of-guest inspection program. Besides, Shadow Context is secure enough to defend against a variety of real world attacks. Shadow Context is designed, implemented and systematically evaluated. Experimental results show that the performance overhead is about 75%with a median initialization time of 0.117 milliseconds.

Ji-Ming Chen,Shi Chen,Xiang Wang,Lin,Li Wang

DOI: https://doi.org/10.1155/2021/2729949

IF: 1.968

2021-01-01

Security and Communication Networks

Abstract:With the rapid development of Internet of Things technology, a large amount of user information needs to be uploaded to the cloud server for computing and storage. Side-channel attacks steal the private information of other virtual machines by coresident virtual machines to bring huge security threats to edge computing. Virtual machine migration technology is currently the main way to defend against side-channel attacks. VM migration can effectively prevent attackers from realizing coresident virtual machines, thereby ensuring data security and privacy protection of edge computing based on the Internet of Things. This paper considers the relevance between application services and proposes a VM migration strategy based on service correlation. This strategy defines service relevance factors to quantify the degree of service relevance, build VM migration groups through service relevance factors, and effectively reduce communication overhead between servers during migration, design and implement the VM memory migration based on the post-copy method, effectively reduce the occurrence of page fault interruption, and improve the efficiency of VM migration.

Chonghua Wang,Xiao-chun Yun,Zhiyu Hao,Lei Cui,Yandong Han,Qingxin Zou

DOI: https://doi.org/10.1007/978-3-319-27137-8_32

2015-01-01

Abstract:Upon practical implementation of virtual machine introspection (VMI), administrators may be overwhelmed by dozens of research works. Specifically, the adopted introspection mechanism perform differently with regard to various performance and security requirements. Besides, most of previous works do not clarify the boundary between Trusted Computing Base (TCB) and attacks towards introspection. This paper aims to help administrators to determine the appropriate introspection approach. Firstly, we summarize current VMI technologies, and present a classification method mainly depending on whether hardware assistance is required, how it solves the semantic gap problem and how introspection is triggered. Secondly, we discuss how to achieve a good trade-off between the two metrics of performance and security. Thirdly, we propose a TCB threat model to employ VMI along with other enhancing mechanism to tackle attacks in different levels of TCB. Finally, we discuss some future trends related to VMI for further improving security.

Xianming Zhong,Chengcheng Xiang,Miao Yu,Zhengwei Qi,Haibing Guan

DOI: https://doi.org/10.1007/s10766-013-0285-2

2015-01-01

International Journal of Parallel Programming

Abstract:Digital evidences hold great significance for governing cybercrime. Unfortunately, previous acquisition tools were troubled by either the shortage of suspending the target system's running or the security of the acquisition tools themselves, thus the correctness and accuracy of their obtained evidences cannot be guaranteed. In this paper, we propose VAIL, a novel virtualization based monitoring system for mini-intrusive live forensics, which employs hardware assisted virtualization technique to gather integrated information from the native computer system. Meanwhile, the execution of the target system will not be interrupted and VAIL keeps immune to attacks from the target system. We have implemented a proof-of-concept prototype that has been validated with a Windows guest system. The experimental results show that VAIL can obtain comprehensive digital evidences from the target system as designed, including the CPU state, the physical memory content, and the I/O activities. And on average, VAIL only introduces 4.21 % performance overhead to the target system, which proves that VAIL is practical in real commercial environments.

Weiwen Tang,Zeyu Mi

DOI: https://doi.org/10.1109/sose.2018.00031

2018-01-01

Abstract:In JointCloud computing, the hypervisor used by each cloud plays a key role in providing services and protection for guest virtual machines (VMs). Unfortunately, the commodity hypervisor usually has a considerable attack surface and its memory is especially prone to be tampered with by an attacker who resides in one VM and then threatens the security of other co-located VMs. To mitigate such threat, previous solutions proposed an out-of-the-box design which leverages the nested virtualization to introduce a higher privileged software layer (a nested hypervisor) below the hypervisor. It also installs a security monitor into a trusted VM which is protected by the nested hypervisor and isolated from the untrusted hypervisor. The monitor is responsible for dynamically validating the behaviors of the untrusted hypervisor. Although monitoring from outside of the hypervisor can help ensure security, the large number of context switches caused by the nested virtualization incurs unacceptable overheads and makes this approach unsuitable for the cloud environment. In this paper, we introduce In-Hypervisor Memory Introspection (IHMI), an in-the-box way to monitor the hypervisor based on the nested virtualization. Our system puts the monitor into the untrusted hypervisor for efficiency while guaranteeing the same level of memory security as monitoring the hypervisor from a separated secure VM. By leveraging hardware virtualization features of current processors, IHMI isolates the monitor from the hypervisor via the nested page table and implements an efficient switch between them. Further, IHMI configures a uni-directional mapping for the monitor which allows the monitor to access the hypervisor's memory at native speed while forbidding the hypervisor from accessing the monitor's memory. Our IHMI system is currently still in an early stage and we report our design as well as preliminary evaluation results in this paper.

K. Suzaki,R. Ando,Kazushi Takahashi

DOI: https://doi.org/10.22667/JOWUA.2012.03.31.120

Abstract:Leveraging hypervisor for security purpose such as malware analysis has been well researched. There still remain two challenges for analyzing security incidents on virtual machine: real-time monitoring and semantic gap. First, current active monitoring methods need to be improved for real-time protection of virtual machine. Second, semantic gap between virtual machine and hypervisor poses a significant impediment on security analyst. In this paper, we propose an inter-domain communication protocol for real-time monitoring of virtual machine and bridging semantic gap. We have deployed the inter-domain communication module between a guest Windows OS and a hypervisor in two ways. While the one is a register based transfer using vCPU context, the other is a shared memory based communication. Our protocol is event driven, which makes the proposed system enable to monitor the file access of a guest Windows OS in real-time without suspending it. We have implemented our system on XEN virtual machine monitor and KVM (Kernel Virtual Machine). We have measured the resource utilization of these two systems in the case of decompressing files and receiving HTTP requests. On the guest OS, the KVM based system outperforms the processor idle time by about 30-50% in decompressing file and the memory usage by about 35% in receiving HTTP requests. We conclude that our system can monitor file access inside virtual machine without suspension and also with reasonable resource usage.

Computer Science

Xuan Yu,Qi Yong,Yuehua Dai,Jianbao Ren,Xiaoguang Wang,Shi Yi

DOI: https://doi.org/10.1109/WISA.2013.82

2013-01-01

Abstract:Commodity operating systems have already gained functionality of virtual machine monitor. Nested virtualization is needed to run these commodity operating systems as virtual machines. Furthermore, with nested virtualization technology, users can run a self-configured virtual machine monitor (VMM) in Infrastructure as a Service (IaaS) cloud computing model, and live migration of VMM can be realized with the help of nested virtualization. In this paper, we present a new VMM nOSV, based on OSV VMM. nOSV is a lightweight VMM and can host multiple Xen VMMs, with little runtime overhead. Compared to traditional nested virtualization VMM, i) its performance overhead is significant low, ii) and with verified interfaces provided by OSV, nOSV is more robust and secure. The performance overhead of nOSV is less than 4%. With dedicated devices allocation policy, guest Xen VMM has a comparable network performance to Xen on bare metal.

Weijie Liu,Ximeng Liu,Zhi Li,Bin Liu,Rongwei Yu,Lina Wang

DOI: https://doi.org/10.1109/tifs.2022.3183409

IF: 7.231

2022-01-01

IEEE Transactions on Information Forensics and Security

Abstract:Cloud attack provenance is a well-established industrial practice for assuring transparency and accountability for a service provider to tenants. However, the multi-tenancy and self-service nature coupled with the sheer size of a cloud implies many unique challenges to cloud forensics. Although Virtual Machine Introspection (VMI) is a powerful tool for attack provenance due to the privilege isolation, the stealthiness of state-of-the-art attacks and the lack of precise information make existing attack provenance solutions difficult to fulfill real-time forensics when tracking enormous suspicious behaviors. To this end, we propose an instruction-level tracing framework for inspecting the presence of attacks by dynamically tracking shared processor hardware event patterns and analyzing the attack traces. To overcome the challenges of real-time detection and provenance, we advocate Last Branch Record (LBR) profiling, to extract the suspicious execution flows. With the hardware assistance and software-based virtualization introspection, we show that the framework can provide an effective response to threats in different cases, thereby enabling a quick attack provenance with high fidelity. The evaluation shows that our prototype introduces negligible performance penalties.

Chaoyuan Cui,Yun Wu,Yonggang Li,Bingyu Sun

DOI: https://doi.org/10.3837/tiis.2017.03.026

2017-01-01

KSII Transactions on Internet and Information Systems

Abstract:Intrusion detection techniques based on virtual machine introspection (VMI) provide high temper-resistance in comparison with traditional in-host anti-virus tools. However, the presence of semantic gap also leads to the performance and compatibility problems. In order to map raw bits of hardware to meaningful information of virtual machine, detailed knowledge of different guest OS is required. In this work, we present VDSM, a lightweight and general approach based on driver separation mechanism: divide semantic view reconstruction into online driver of view generation and offline driver of semantics extraction. We have developed a prototype of VDSM and used it to do intrusion detection on 13 operation systems. The evaluation results show VDSM is effective and practical with a small performance overhead.

Yao Wang,Yaqiang Mao,Yuan Luo

DOI: https://doi.org/10.1109/ICCT.2012.6511306

2012-01-01

Abstract:As we know, the biggest challenge for SaaS (software as a service) cloud computing systems is guaranteeing user-level security. For this end, some approaches and systems have been proposed for virtual machine in cloud platform. However, the integrity measurement methods used in virtual machine, cannot detect dynamic attacks, such as measuring applications periodically or statically (measuring before execution). This paper first presents an In-Out-VM dynamic measurement architecture (IODMA) especially for Xen virtual machine (VM), which aims at user's running applications rather than static executable files. By comparison, it has advantages in three aspects. Firstly, it detects dynamic attacks and has a better performance than the static ones. Secondly, the measurements are done at any time on demand rather than at specific time. Thirdly, it supports fine-grained protection such as measuring the code segment and the argument segment separately. In addition, it is implemented by a hybrid of In-VM method and Out-of-VM method. The In-VM part of the hybrid effectively reduces the switching overheads between privileged virtual machine and guest virtual machines, while the Out-of-VM part improves the security. Finally, an implementation of IODMA is given equipped with the Trusted Platform Module (TPM), which achieves above goals with good performance.

Yutao Liu,Yubin Xia,HaiBing Guan,Binyu Zang

DOI: https://doi.org/10.1109/HPCA.2014.6835951

2014-01-01

Abstract:Virtual machine introspection, which provides tamperresistant, high-fidelity “out of the box” monitoring of virtual machines, has many prominent security applications including VM-based intrusion detection, malware analysis and memory forensic analysis. However, prior approaches are either intrusive in stopping the world to avoid race conditions between introspection tools and the guest VM, or providing no guarantee of getting a consistent state of the guest VM. Further, there is currently no effective means for timely examining the VM states in question. In this paper, we propose a novel approach, called TxIntro, which retrofits hardware transactional memory (HTM) for concurrent, timely and consistent introspection of guest VMs. Specifically, TxIntro leverages the strong atomicity of HTM to actively monitor updates to critical kernel data structures. Then TxIntro can mount introspection to timely detect malicious tampering. To avoid fetching inconsistent kernel states for introspection, TxIntro uses HTM to add related synchronization states into the read set of the monitoring core and thus can easily detect potential inflight concurrent kernel updates. We have implemented and evaluated TxIntro based on Xen VMM on a commodity Intel Haswell machine that provides restricted transactional memory (RTM) support. To demonstrate the effectiveness of TxIntro, we implemented a set of kernel rootkit detectors using TxIntro. Evaluation results show that TxIntro is effective in detecting these rootkits, and is efficient in adding negligible performance overhead.

Jie Lin,Chuanyi Liu,Binxing Fang

DOI: https://doi.org/10.1145/2660267.2662377

2014-01-01

Abstract:Building a trustworthy cloud is critical for its practical use. Most current researches usually take integrity measurements using trusted computing to address trust issue, such as integrity measurement architecture (IMA) implemented in Linux kernel. However, some runtime attacks intrude the system while not tampering with the programs, which cannot be detected by integrity mechanism. We call them non-tampering attacks. This paper presents TraceVirt, a framework for detecting these non-tampering attacks, which combines the strong isolation and event-driven capacity to log runtime information. The logging data is processed by remote intrusion analysis cluster to analyze potential attacks. The experimental results show that TraceVirt can detect the real world non-tampering attacks and the performance overhead is acceptable.

guofeng wang,chuanyi liu,jie lin

DOI: https://doi.org/10.1007/978-3-662-43908-1_4

2014-01-01

Abstract:Modern malware attacks are designed intricately, transport data encrypted, so monitoring network traffic can't solve such attacks completely. Therefore, network monitoring and analysis need to be combined with system behavior monitoring and memory analysis, and the latter is more important. In this article we propose a hardware-based virtualization prototype system, combined with memory analysis tools to monitor and counterwork malicious attacks actively. The system is based on Xen virtualization platform, which monitoring virtual machine behavior by capturing specific events. The events are triggered by some specific behaviors associated with malicious software monitoring, such as executing privileged instruction, system calls, memory writing, etc. When necessary, we can dump the memory of the virtual machine, use memory analysis tools for detailed analysis, so as to achieve the purpose of monitoring and counterworking.

Yuehua Dai,Yi Shi,Yong Qi,Jianbao Ren,Peijian Wang

DOI: https://doi.org/10.1007/s11704-012-2084-0

2013-01-01

Abstract:Virtual machine monitors (VMMs) play a central role in cloud computing. Their reliability and availability are critical for cloud computing. Virtualization and device emulation make the VMM code base large and the interface between OS and VMM complex. This results in a code base that is very hard to verify the security of the VMM. For example, a misuse of a VMM hyper-call by a malicious guest OS can corrupt the whole VMM. The complexity of the VMM also makes it hard to formally verify the correctness of the system's behavior. In this paper a new VMM, operating system virtualization (OSV), is proposed. The multiprocessor boot interface and memory configuration interface are virtualized in OSV at boot time in the Linux kernel. After booting, only inter-processor interrupt operations are intercepted by OSV, which makes the interface between OSV and OS simple. The interface is verified using formal model checking, which ensures a malicious OS cannot attack OSV through the interface. Currently, OSV is implemented based on the AMD Opteron multi-core server architecture. Evaluation results show that Linux running on OSV has a similar performance to native Linux. OSV has a performance improvement of 4%-13% over Xen.

Chao Su,Xuhua Ding,Qingkai Zeng

DOI: https://doi.org/10.1109/dsn48987.2021.00045

2021-01-01

Abstract:Out-of-VM introspection is an imperative part of security analysis. The legacy methods either modify the system, introducing enormous overhead, or rely heavily on hardware features, which are neither available nor practical in most cloud environments. In this paper, we propose a novel analysis method, named as Catcher, that utilizes CPU cache to perform out-of-VM introspection. Catcher does not make any modifications to the target program and its running environment, nor demands special hardware support. Implemented upon Linux KVM, it natively introspects the target's virtual memory. More importantly, it uses the cache-based side channel to infer the target control flow. To deal with the inherent limitations of the side channel, we propose several heuristics to improve the accuracy and stability of Catcher. Our experiments against various malware armored with packing techniques show that Catcher can recover the control flow in real time with around 67% to 97% accuracy scores. Catcher incurs a negligible overhead to the system and can be launched at anytime to monitor an ongoing attack inside a virtual machine.

Yuxia Cheng,Wenzhi Chen,Zonghui Wang,Xinjie Yu

DOI: https://doi.org/10.1109/jsyst.2015.2469652

IF: 4.802

2015-01-01

IEEE Systems Journal

Abstract:Virtualization technology enables multiple virtual machines (VMs) to share a single physical server. Commercial servers increasingly use the nonuniform memory access (NUMA) architecture due to its scalable memory performance. However, multiple VMs running on a NUMA physical server will cause performance overheads such as remote memory access latency and shared microarchitectural resource contention, which makes the VM performance less efficient and stable. These performance overheads are mainly caused by memory traffic from data-intensive workloads. In this paper, we propose a traffic-aware VM optimization (TAVO) scheme on NUMA systems. Based on the performance monitoring of the data traffic and CPU/memory resource usages in the system, TAVO addresses VM memory access locality and shared resource contention problems via automatic VM initial placement and NUMA-aware VM online scheduling. Our experimental results show that TAVO improves VM performance in terms of benchmark runtime by up to 22.6% compared with the default KVM CFS scheduler. TAVO also achieves a much stable performance with benchmark's average runtime variation under 3%.

Sina Bahram,Xuxian Jiang,Zhi Wang,Mike Grace,Jinku Li,Deepa Srinivasan,Junghwan Rhee,Dongyan Xu

DOI: https://doi.org/10.1109/srds.2010.39

2010-01-01

Abstract:Virtual machine (VM) introspection is a powerful technique for determining the specific aspects of guest VM execution from outside the VM. Unfortunately, existing introspection solutions share a common questionable assumption. This assumption is embodied in the expectation that original kernel data structures are respected by the untrusted guest and thus can be directly used to bridge the well-known semantic gap. In this paper, we assume the perspective of the attacker, and exploit this questionable assumption to subvert VM introspection. In particular, we present an attack called DKSM (Direct Kernel Structure Manipulation), and show that it can effectively foil existing VM introspection solutions into providing false information. By assuming this perspective, we hope to better understand the challenges and opportunities for the development of future reliable VM introspection solutions that are not vulnerable to the proposed attack.

CHEN Zhu-Hong,CUI Chao-Yuan,WANG Ru-Jing,ZHOU Ji-Dong

DOI: https://doi.org/10.3969/j.issn.1003-3254.2013.07.015

2013-01-01

Abstract:As the foundation of cloud computing,virtualization technology’s security problems are gained more and more attention of the specialists with the development of cloud computing.This paper presents a virtual machine system kernel intrusion detection system,which use the introspection technology provided by Xen hypervisor to get internal states of kernel of the virtual machine.To achieve the goal of monitoring the kernel and preventing it from being compromised.This system can effectively defend the case of attack that dynamically modifies the kernel code and kernel unchanged data structure.

Fengzhe Zhang,Jin Chen,Haibo Chen,Binyu Zang

DOI: https://doi.org/10.1145/2043556.2043576

2011-01-01

Abstract:Multi-tenant cloud, which usually leases resources in the form of virtual machines, has been commercially available for years. Unfortunately, with the adoption of commodity virtualized infrastructures, software stacks in typical multi-tenant clouds are non-trivially large and complex, and thus are prone to compromise or abuse from adversaries including the cloud operators, which may lead to leakage of security-sensitive data.In this paper, we propose a transparent, backward-compatible approach that protects the privacy and integrity of customers' virtual machines on commodity virtualized infrastructures, even facing a total compromise of the virtual machine monitor (VMM) and the management VM. The key of our approach is the separation of the resource management from security protection in the virtualization layer. A tiny security monitor is introduced underneath the commodity VMM using nested virtualization and provides protection to the hosted VMs. As a result, our approach allows virtualization software (e.g., VMM, management VM and tools) to handle complex tasks of managing leased VMs for the cloud, without breaking security of users' data inside the VMs.We have implemented a prototype by leveraging commercially-available hardware support for virtualization. The prototype system, called Cloud Visor, comprises only 5.5K LOCs and supports the Xen VMM with multiple Linux and Windows as the guest OSes. Performance evaluation shows that Cloud Visor incurs moderate slow-down for I/O intensive applications and very small slowdown for other applications.

Dongyang Zhan,Huhua Li,Lin Ye,Hongli Zhang,Binxing Fang,Xiaojiang Du

DOI: https://doi.org/10.1109/icc.2019.8761433

2019-05-01

Abstract:Monitoring kernel object modification of virtual machine is widely used by virtual-machine-introspection-based security monitors to protect virtual machines in cloud computing, such as monitoring dentry objects to intercept file operations, etc. However, most of the current virtual machine monitors, such as KVM and Xen, only support page-level monitoring, because the Intel EPT technology can only monitor page privilege. If the out-of-virtual-machine security tools want to monitor some kernel objects, they need to intercept the operation of the whole memory page. Since there are some other objects stored in the monitored pages, the modification of them will also trigger the monitor. Therefore, page-level memory monitor usually introduces overhead to related kernel services of the target virtual machine. In this paper, we propose a low-overhead kernel object monitoring approach to reduce the overhead caused by page-level monitor. The core idea is to migrate the target kernel objects to a protected memory area and then to monitor the corresponding new memory pages. Since the new pages only contain the kernel objects to be monitored, other kernel objects will not trigger our monitor. Therefore, our monitor will not introduce runtime overhead to the related kernel service. The experimental results show that our system can monitor target kernel objects effectively only with very low overhead.