Haihe Ba,Huaizhe Zhou,Jiangchun Ren,Zhiying Wang

DOI: https://doi.org/10.1109/SRDS.2017.39

2017-01-01

Abstract:While Java Virtual Machine can provide applications with safety property to avoid memory corruption bugs, it continues to encounter some security flaws. Real world exploits show that the current sandbox model can be bypassed. In this paper, we focus our work on bytecode integrity measurement in clouds to identify malicious execution and propose J-IMA architecture to provide runtime measurement and remote attestation for bytecode integrity. To the best of our knowledge, our work is the first measurement approach for dynamically-generated bytecode integrity. Moreover, J-IMA has no need for any modification to host systems and any access to source code.

Rui Wu,Ping Chen,Bing Mao,Li Xie

DOI: https://doi.org/10.1109/ARES.2012.11

2012-01-01

Abstract:As a code reuse technique, JIT spraying attack becomes popular on the JITed VM (Virtual Machine) (e.g., Javascript Engine, Flash Engine). Using a bug in web applications, an attacker can reuse the code generated by the JIT (Just-In-Time) compiler, which is used to optimize the performance of web applications. JIT spraying attacks can circumvent DEP and ASLR -- protection mechanisms of modern operating systems. Based on the observation that JIT spraying attack mostly uses the immediate operand of the arithmetic instruction to build a shellcode, we propose RIM, a technique that obfuscates the arithmetic operations in the JITed code and prevents attackers from reusing the native code to construct a malicious code. We implement a prototype on Tamarin flash engine and demonstrate the effectiveness of RIM. Experimental results show that RIM's overhead is very low (less than 1%). And RIM greatly improves the security functionality of JIT compilers.

Wu Zhou,Zhi Wang,Yajin Zhou,Xuxian Jiang

DOI: https://doi.org/10.1145/2557547.2557558

2014-01-01

Abstract:App repackaging remains a serious threat to the emerging mobile app ecosystem. Previous solutions have mostly focused on the postmortem detection of repackaged apps by measuring similarity among apps. In this paper, we propose DIVILAR, a virtualization-based protection scheme to enable self-defense of Android apps against app repackaging. Specifically, it re-encodes an Android app in a diversified virtual instruction set and uses a specialized execute engine for these virtual instructions to run the protected app. However, this extra layer of execution may cause significant performance overhead, rendering the solution unacceptable for daily use. To address this challenge, we leverage a light-weight hooking mechanism to hook into Dalvik VM, the execution engine for Dalvik bytecode, and piggy-back the decoding of virtual instructions to that of Dalvik bytecode. By compositing virtual and Dalvik instruction execution, we can effectively eliminate this extra layer of execution and significantly reduce the performance overhead. We have implemented a prototype of DIVILAR. Our evaluation shows that DIVILAR is resilient against existing static and dynamic analysis, including these specific to VM-based protection. Further performance evaluation demonstrates its efficiency for daily use (an average of 16.2 and 8.9 increase to the start time and run time, respectively).

Haihe Ba,Songzhu Mei,Jiangchun Ren,Zhiying Wang

DOI: https://doi.org/10.2991/ccis-13.2013.113

2013-01-01

Abstract:While Cloud computing brings much convenience to companies; it also produces many a threat to information security. TEM is a Java-based architecture that gives strong safety guarantees to high-assurance Java applications in cloud computing. TEM advances the state of the art in Java Virtual Machine in both the design of its own fine-grained integrity measurement on demand and in the ability to ensure recoverability in the face of malicious attacks. In this paper, we introduce TEM, as a novel fine-grained measurement method for Java application, which takes advantages of the structural feature of Java class file. It not only satisfies users' necessary trust from the trusted platform module, or TPM, but also has less impact on running performance in cloud environment.

Yongzhi Wang,Yulong Shen,Xiaohong Jiang

DOI: https://doi.org/10.1109/tifs.2017.2787993

IF: 7.231

2018-01-01

IEEE Transactions on Information Forensics and Security

Abstract:Public cloud vendors have been offering a variety of big data computing services on their clouds. However, runtime integrity is one of the major security concerns that hinder the wide adoption of those services. In this paper, we focus on MapReduce, a popular big data computing framework, and propose the runtime integrity audition (RIA), a solution that remotely verifies the runtime integrity of MapReduce applications. RIA records the runtime variable values of the MapReduce application on the public cloud and checks those values against the application’s code on the private cloud. By doing so, RIA protects the runtime integrity of MapReduce applications. Based on the idea of RIA, we developed a prototype system, called MR Auditor, and tested its applicability and performance with several Hadoop applications. Our experimental results showed that MR Auditor is a general tool that can efficiently audit the runtime integrity of all the MapReduce applications that we tested. In addition, MR Auditor incurs a moderate performance overhead. For example, when verifying the Word Count application, a proper parameter setting of MR Auditor incurs 1% of extra execution time on the public cloud and 14% of extra execution time on the private cloud.

Brian Delgado,Karen L. Karavanic

DOI: https://doi.org/10.48550/arXiv.1805.03755

2018-05-09

Cryptography and Security

Abstract:Runtime integrity measurements identify unexpected changes in operating systems and hypervisors during operation, enabling early detection of persistent threats. System Management Mode, a privileged x86 CPU mode, has the potential to effectively perform such rootkit detection. Previously proposed SMM-based approaches demonstrated effective detection capabilities, but at a cost of performance degradation and software side effects. In this paper we introduce our solution to these problems, an SMM-based Extensible, Performance Aware Runtime Integrity Measurement Mechanism called EPA-RIMM. The EPA-RIMM architecture features a performance-sensitive design that decomposes large integrity measurements and schedules them to control perturbation and side effects. EPA-RIMM's decomposition of long-running measurements into shorter tasks, extensibility, and use of SMM complicates the efforts of malicious code to detect or avoid the integrity measurements. Using a Minnowboard-based prototype, we demonstrate its detection capabilities and performance impacts. Early results are promising, and suggest that EPA-RIMM will meet production-level performance constraints while continuously monitoring key OS and hypervisor data structures for signs of attack.

Haihe Ba,Zhiying Wang,Jiangchun Ren,Huaizhe Zhou

DOI: https://doi.org/10.1109/TrustCom.2014.123

2014-01-01

Abstract:Cloud computing has brought academic and industry tremendous benefits and improved computing efficiency compared with the traditional model, however, the adoption of this unique model also exacerbates security challenges and raises trust risks. And existing security solutions have less effectiveness and efficiency upon these unchartered cloud threats. We introduce trusted computing into current cloud platform to address the above issues and design JVM-based Dynamic Attestation Architecture, DTEM, to support application services with robust security guarantee. This framework gives trusted-degree estimate for the deployment and runtime status of an application as well as dynamically responds remote attestation with integrity proof of running applications.

Songzhu Mei,Jiangjiang Wu,Yong Cheng,Jun Ma,Jiangchun Ren,Xiaoxing Li

DOI: https://doi.org/10.1109/IPTC.2011.12

2011-01-01

Abstract:Cloud computing bring a tremendous complexity to information security. Many researches have been done to establish and maintain the trust relationship in cloud. Remote attestation is one of the most important feature of trusted computing. But conventional ways of remote attestation can only attest to the presence of a particular binary. They cannot measure program behavior. Existing dynamic remote attestation technologies can solve some of these problems. But they are not suitable for cloud computing when users lose their control over their critical data and business processes. In our opinion, cloud should give controls back to the users at some extent. So we propose TBVMM, a novel mechanism for cloud computing to fill the trust gap between the infrastructure and upper software stacks. TBVMM will pave a way for establishing better trust relationships in cloud environments.

Haihe Ba,Huaizhe Zhou,Zhiying Wang,Jiangchun Ren,Tie Hong,Yiming Li

DOI: https://doi.org/10.1007/978-3-319-27161-3_63

2015-01-01

Abstract:In the recent years, cloud computing has expanded rapidly and improved the working efficiency for a number of cloud users, however, a few enterprises hesitate to move to the cloud because of the runtime security challenges of applications although cloud vendors promise to provide a trustworthy execution platform. In this paper, we propose Trusted Cloud Root Broker to give robust trustworthy guarantees to those JVM-Based applications. The broker as the application-root of the trust is to make the evaluation of the runtime trustworthiness and support dynamic attestation about the integrity state of an application with the assistance of Java virtual machine. It could not just prove the authenticity but also offer the availability for these targeting applications. What is more, our broker has less performance overheads.

Haihe Ba,Huaizhe Zhou,Shuai Bai,Jiangchun Ren,Zhiying Wang,Linlin Ci

DOI: https://doi.org/10.1109/icisce.2017.94

2017-01-01

Abstract:Cloud computing has expanded rapidly as a promising technology in the recent years and has drastically altered the majority of opinions about computing mode and application deployment. While the cloud has been proved to improve efficiency and earn benefit for a great number of various services providers, yet a good few enterprises still hesitate to move to the cloud because of security threats. In this paper, we present jMonAtt architecture to provide robust trustworthy guarantees for high-level cloud applications through the enforcement of the trustworthiness evaluation and dynamic attestation with the assistance of HotSpot virtual machine. Moreover, it has less impact on the execution of an attested target when our architecture is deployed in the cloud application system.

Haihe Ba,Jiangchun Ren,Zhiying Wang,Huaizhe Zhou,Yiming Li,Tie Hong

DOI: https://doi.org/10.1504/ijes.2016.073751

2016-01-01

International Journal of Embedded Systems

Abstract:As one of the most influential technologies, cloud computing brings users more benefits and improves the efficiency of computing in comparison to the traditional model. However, it also introduces a number of unknown risks and challenges, upon which effectiveness and efficiency of those traditional security protection solutions could have very little influence. We introduce DTEM into JVM, which gives robust trust guarantees to Java applications and makes a dynamic attestation about the integrity state of the current applications. DTEM advanced the state of the art in trusted computing and is designed to tackle the dynamic issues by verifying the runtime bytecode integrity of these applications in cloud environments. DTEM not only provides user-defined policy to determine the complexity of integrity checks and the frequency of their executions, but also enhances the availability to pledge the continuous business. What is more, it has less impact on execution performance of cloud applications.

Hao Sun,Xiaofeng Wang,Jinshu Su,Peixin Chen

DOI: https://doi.org/10.1007/978-3-319-28865-9_9

2015-01-01

Abstract:Cybercrime caused by malware becomes a persistent and damaging threat which makes the trusted security solution urgently demanded, especially for resource-constrained ends. The existing industry and academic approaches provide available anti-malware systems based on different perspectives. However, it is hard to achieve high performance detection and data privacy protection simultaneously. This paper proposes a cloud-based anti-malware system, called RScam, which provides fast and trusted security service for the resource-constrained ends. In RScam, we present suspicious bucket filtering, a novel signature-based detection mechanism based on the reversible sketch structure, which provides retrospective and accurate orientations of malicious signature fragments. Then we design a lightweight client which utilizes the digest of signature fragments to sharply reduce detection range. Finally, we design balanced interaction mechanism, which transmits sketch coordinates of suspicious file fragments and transformation of malicious signature fragments between the client and cloud server to protect data privacy and reduce traffic volume. We evaluate the performance of RScam with campus suspicious traffic and normal files. The results demonstrate validity and veracity of the proposed mechanism. Our system can outperform other existing systems with less time and traffic consumption.

Yao Wang,Yaqiang Mao,Yuan Luo

DOI: https://doi.org/10.1109/ICCT.2012.6511306

2012-01-01

Abstract:As we know, the biggest challenge for SaaS (software as a service) cloud computing systems is guaranteeing user-level security. For this end, some approaches and systems have been proposed for virtual machine in cloud platform. However, the integrity measurement methods used in virtual machine, cannot detect dynamic attacks, such as measuring applications periodically or statically (measuring before execution). This paper first presents an In-Out-VM dynamic measurement architecture (IODMA) especially for Xen virtual machine (VM), which aims at user's running applications rather than static executable files. By comparison, it has advantages in three aspects. Firstly, it detects dynamic attacks and has a better performance than the static ones. Secondly, the measurements are done at any time on demand rather than at specific time. Thirdly, it supports fine-grained protection such as measuring the code segment and the argument segment separately. In addition, it is implemented by a hybrid of In-VM method and Out-of-VM method. The In-VM part of the hybrid effectively reduces the switching overheads between privileged virtual machine and guest virtual machines, while the Out-of-VM part improves the security. Finally, an implementation of IODMA is given equipped with the Trusted Platform Module (TPM), which achieves above goals with good performance.

Songzhu Mei,Zhiying Wang,Yong Cheng,Jiangchun Ren,Jiangjiang Wu,Jie Zhou

DOI: https://doi.org/10.1080/18756891.2012.733231

IF: 2.259

2012-01-01

International Journal of Computational Intelligence Systems

Abstract:Cloud computing bring a tremendous complexity to information security. Remote attestation can be used to establish trust relationship in cloud. TBVMM is designed to extend the existing chain of trust into the software layers to support dynamic remote attestation for cloud computing. TBVMM uses Bayesian network and Kalman filter to solve the dynamicity of the trusted relationship. It is proposed to fill the trust gap between the infrastructure and upper software stacks.

Yongzhi Wang,Yulong Shen

DOI: https://doi.org/10.1145/2976749.2989042

2016-01-01

Abstract:Public cloud vendors have been offering varies big data computing services. However, runtime integrity is one of the major concerns that hinders the adoption of those services. In this paper, we focus on MapReduce, a popular big data computing framework, propose the runtime integrity audition (RIA), a solution to verify the runtime integrity of MapReduce applications. Based on the idea of RIA, we developed a prototype system, called MR Auditor, and tested its applicability and the performance with multiple Hadoop applications. Our experimental results showed that MR Auditor is an efficient tool to detect runtime integrity violation and incurs a moderate performance overhead.

Qian Liu,Chuliang Weng,Minglu Li,Yuan Luo

DOI: https://doi.org/10.1109/MSP.2010.143

IF: 3.105

2010-01-01

IEEE Security & Privacy

Abstract:Cloud computing relies heavily on virtualization. Virtualization technology has developed rapidly because of the rapid decrease in hardware cost and concurrent increase in hardware computing power. A virtual machine monitor (VMM, also called a hγpervisor) between the hardware and the OS enables multiple virtual machines (VMs) to run on top of a single physical machine. The VMM manages scheduling and dispatching the physical resources to the individual VMs as needed, and the VMs appear to users as separate computers. Widely used virtualization technologies include VMWare, Xen, Denali, and the Kernel-Based Virtual Machine (KVM). In this framework, a module measures executables running in virtual machines (VMs) and transfers the values to a trusted VM. Comparing those values to a reference table containing the trusted measurement values of running executables verifies the executable/s status.

Junning Fu,Chaokun Wang,Zhiwei Yu,Jianmin Wang,Jia-Guang Sun

DOI: https://doi.org/10.1109/chinagrid.2010.15

2010-01-01

Abstract:A software cloud is ready-made for software delivery or Software as a Service (SaaS). As it becomes more and more popular, security problems of software running in the cloud also become an important issue. The threats, such as destroying system softwares and access violation, are frequently emerging in the field of software cloud. In this paper, we propose a watermark-aware trusted running environment to protect the softwares running in the cloud. We implement the scheme which mainly contains two parts: 1) embedding watermark into the Java programs running in the cloud; 2) generating customized JVMs for recognizing the watermarked programs. Experimental results within a real private software cloud to demonstrate that our approach can provide a large-scale protection with a small overhead.

Weijie Liu,Ximeng Liu,Zhi Li,Bin Liu,Rongwei Yu,Lina Wang

DOI: https://doi.org/10.1109/tifs.2022.3183409

IF: 7.231

2022-01-01

IEEE Transactions on Information Forensics and Security

Abstract:Cloud attack provenance is a well-established industrial practice for assuring transparency and accountability for a service provider to tenants. However, the multi-tenancy and self-service nature coupled with the sheer size of a cloud implies many unique challenges to cloud forensics. Although Virtual Machine Introspection (VMI) is a powerful tool for attack provenance due to the privilege isolation, the stealthiness of state-of-the-art attacks and the lack of precise information make existing attack provenance solutions difficult to fulfill real-time forensics when tracking enormous suspicious behaviors. To this end, we propose an instruction-level tracing framework for inspecting the presence of attacks by dynamically tracking shared processor hardware event patterns and analyzing the attack traces. To overcome the challenges of real-time detection and provenance, we advocate Last Branch Record (LBR) profiling, to extract the suspicious execution flows. With the hardware assistance and software-based virtualization introspection, we show that the framework can provide an effective response to threats in different cases, thereby enabling a quick attack provenance with high fidelity. The evaluation shows that our prototype introduces negligible performance penalties.

Pasquale Caporaso,Giuseppe Bianchi,Francesco Quaglia

2024-04-26

Abstract:Modern malware poses a severe threat to cybersecurity, continually evolving in sophistication. To combat this threat, researchers and security professionals continuously explore advanced techniques for malware detection and analysis. Dynamic analysis, a prevalent approach, offers advantages over static analysis by enabling observation of runtime behavior and detecting obfuscated or encrypted code used to evade detection. However, executing programs within a controlled environment can be resource-intensive, often necessitating compromises, such as limiting sandboxing to an initial period. In our article, we propose an alternative method for dynamic executable analysis: examining the presence of malicious signatures within executable virtual pages precisely when their current content, including any updates over time, is accessed for instruction fetching. Our solution, named JITScanner, is developed as a Linux-oriented package built upon a Loadable Kernel Module (LKM). It integrates a user-level component that communicates efficiently with the LKM using scalable multi-processor/core technology. JITScanner's effectiveness in detecting malware programs and its minimal intrusion in normal runtime scenarios have been extensively tested, with the experiment results detailed in this article. These experiments affirm the viability of our approach, showcasing JITScanner's capability to effectively identify malware while minimizing runtime overhead.

Cryptography and Security

Lei Yu,Yucong Duan

DOI: https://doi.org/10.32604/cmc.2023.038970

2023-01-01

Abstract:Cloud computing and edge computing brought more software, which also brought a new danger of malicious software attacks. Data synchronization mechanisms of software can further help reverse data modifications. Based on the mechanisms, attackers can cover themselves behind the network and modify data undetected. Related knowledge of software reverse engineering can be organized as rules to accelerate the attacks, when attackers intrude cloud server to access the source or binary codes. Therefore, we proposed a novel method to resist this kind of reverse engineering by breaking these rules. Our method is based on software obfuscations and encryptions to enhance the security of distributed software and cloud services in the 5G era. Our method is capable of (1) replacing the original assembly codes of the protected program with equivalent assembly instructions in an iteration way, (2) obfuscating the control flow of the protected program to confuse attackers meanwhile keeps the program producing the same outputs, (3) encrypting data to confuse attackers. In addition, the approach can periodically and automatically modify the protected software binary codes, and the binary codes of the protected software are encrypted to resist static analysis and dynamic analysis. Furthermore, a simplified virtual machine is implemented to make the protected codes unreadable to attackers. Cloud game is one of the specific scenarios which needs low latency and strong data consistency. Cheat engine, Ollydbg, and Interactive Disassembler Professional (IDA) are used prevalently for games. Our improved methods can protect the software from the most vulnerable aspects. The improved dynamic code swapping and the simplified virtual machine technologies for cloud games are the main innovations. We inductively learned that our methods have been working well according to the security mechanisms and time complexity analysis. Experiments show that hidden dangers can be eliminated with efficient methods: Execution time and file sizes of the target codes can be multiple times than that of the original program codes which depend on specific program functions.