LI Xun,HUANG Hao

DOI: https://doi.org/10.3969/j.issn.1002-137x.2011.12.015

2011-01-01

Computer Science

Abstract:Kernel-level attacks compromise operating system security by tampering with critical data and control flow in the kernel.Current approaches defend against these attacks by applying code integrity or control flow integrity control methods.However,they focus on only a certain aspect and cannot give a complete integrity monitoring solution.This paper analyzed the kernel integrity principle and got practical requirements to ensure kernel integrity.Critical data objects effect operating system function directly.Only certain code is able to modify critical data objects at certain conditions to ensure data integrity.All factors about code execution sequence are protected and monitored to ensure control flow integrity.Implementation in Xen VMM(Virtual Machine Monitor) using hardware virtualization,or referred to as HVM(Hardware Virtual Machine) is introduced to protect and monitor Linux kernel.Experiments show that the solution can detect and prevent attacks and bugs compromising the kernel.

Xiaoguang Wang,Yong Qi,Zhi Wang,Yue Chen,Yajin Zhou

DOI: https://doi.org/10.1109/tdsc.2017.2675991

2019-01-01

Abstract:The OS kernel is critical to the security of a computer system. Many systems have been proposed to improve its security. A fundamental weakness of those systems is that page tables, the data structures that control the memory protection, are not isolated from the vulnerable kernel, and thus subject to tampering. To address that, researchers have relied on virtualization for reliable kernel memory protection. Unfortunately, such memory protection requires to monitor every update to the guest's page tables. This fundamentally conflicts with the recent advances in the hardware virtualization support. In this paper, we propose SecPod, an extensible framework for virtualization-based security systems that can provide both strong isolation and the compatibility with modern hardware. SecPod has two key techniques: paging delegation delegates and audits the kernel's paging operations to a secure space; execution trapping intercepts the (compromised) kernel's attempts to subvert SecPod by misusing privileged instructions. We have implemented a prototype of SecPod based on KVM. Our experiments show that SecPod is both effective and efficient.

Zhi-Xian Chen,Jun Cui,Wei Liu,Hao Huang

2010-01-01

Abstract:Kernel-level attacks or rootkits typically leverage security exploits to gain initial unauthorized privileged access to an operating system. Current approaches defend against these attacks by enforcing data-flow integrity and control-flow integrity. However, only taking a certain aspect into account cannot provide a complete integrity monitoring solution. In this paper, we present a lightweight in-kernel hypervisor (IKH) utilizing Intel VT hardware virtualization, for insuring the kernel integrity, which can bridge the semantic gap between hypervisor and monitored OS, meanwhile offer small code size for formal verification. We have developed a primitive prototype on Linux as a kernel module, which can avoid being tampered by malicious code and detect kernel-level rootkits or attacks by four protection mechanisms based on the hardware-assisted virtualization. Experiment results show the effectiveness and feasibility of IKH and tolerable overhead imposed.

Donghai Tian,Deguang Kong,Changzhen Hu,Peng Liu

DOI: https://doi.org/10.1109/securware.2010.9

2010-01-01

Abstract:Operating system security (OS) is the basis for trust computing. As the kernel rootkits become popular and lots of kernel vulnerabilities are exposed, the OS kernel suffers a large number of attacks. It is difficult to protect the kernel by its own module because the kernel rootkits has the same ability to cripple the security module within the same kernel space. Recently, with the virtualization renaissance, virtualization technology provides many new ways to improve the system security. Utilizing this new technology, we present a kernel protection system called VMhuko. By monitoring the kernel data access actively, VMhuko can defend the kennel data attacks on the fly. The intensive experiment shows that VMhuko can protect the kernel with moderate performance.

Xi Xiong,Donghai Tian,Peng Liu

2011-01-01

Abstract:Kernel extensions are widely used by attackers to compromise the operating system kernel. With the presence of various untrusted extensions, it remains a challenging problem to comprehensively preserve the integrity of OS kernels in a practical and generic way. In this paper, we present HUKO, a hypervisor-based integrity protection system designed to protect commodity OS kernels from untrusted extensions. In HUKO system, untrusted kernel extensions can safely run to provide desired functionalities. The behaviors of untrusted extensions, however, are confined by mandatory access control policies, which significantly limit the attacker’s ability to compromise the integrity of the kernel. To guarantee multi-aspect protection and enforcement, HUKO leverages hardware assisted paging to transparently isolate untrusted extensions from the OS kernel. Moreover, HUKO overcomes the challenge of mediation overhead by introducing a novel design named subject-aware protection state transition to eliminate unnecessary privilege transitions caused by mediating allowed accesses. Our approach is practical because it requires little change for either OS kernel or extensions, and it can inherently support multiple commodity operating systems and legacy extensions. We have implemented a prototype of HUKO based on the open source Xen hypervisor. The evaluation results show that HUKO can comprehensively protect the integrity for both Linux and Windows kernel from various kinds of malicious extensions with an acceptable performance cost.

Michael Grace,Zhi Wang,Deepa Srinivasan,Jinku Li,Xuxian Jiang,Zhenkai Liang,Siarhei Liakh

DOI: https://doi.org/10.1007/978-3-642-16161-2_10

2010-01-01

Abstract:Kernel rootkits are among the most insidious threats to computer security today. By employing various code injection techniques, they are able to maintain an omnipotent presence in the compromised OS kernels. Existing preventive countermeasures typically employ virtualization technology as part of their solutions. However, they are still limited in either (1) requiring modifying the OS kernel source code for the protection or (2) leveraging software-based virtualization techniques such as binary translation with a high overhead to implement a Harvard architecture (which is robust to various code injection techniques used by kernel rootkits). In this paper, we introduce hvmHarvard, a hardware virtualization-based Harvard architecture that transparently protects commodity OS kernels from kernel rootkit attacks and significantly reduces the performance overhead. Our evaluation with a Xen-based prototype shows that it can transparently protect legacy OS kernels with rootkit resistance while introducing < 5% performance overhead.

Donghai Tian,Rui Ma,Xiaoqi Jia,Changzhen Hu

DOI: https://doi.org/10.1016/j.future.2019.05.008

IF: 7.307

2019-01-01

Future Generation Computer Systems

Abstract:Vulnerable kernel extensions are severe threats to the security of modern operating systems. Due to lack of protection mechanism in the kernel space, the kernel extension exploitation could take over the entire operating system’s control. To enhance security and reliability of kernel extensions, many solutions mainly rely on adding the kernel isolation mechanisms to confine the execution behaviors of kernel extensions. However, previous methods suffer from limitations in terms of compatibility and performance cost. To address these issues, we present KEcruiser, a novel control flow protection mechanism for kernel extensions. The basic idea of our approach is to monitor the control flow of a kernel extension and then identify the abnormal execution behavior during run-time. Based on the recent hardware feature, our system can collect the kernel control flow information efficiently. By leveraging the virtualization technology, our security monitor is deployed outside of the target VM so that the kernel control flow can be checked securely. To ensure the monitoring correctness and concurrency, we make use of Lamport’s ring buffer algorithm. Our system is compatible with the existing commodity operating system, and it can protect the running kernel extensions transparently. The experiments show that KEcruiser can effectively identify control flow violation occurred in kernel extensions with small performance cost.

Zihan Yang,Zeyu Mi,Yubin Xia

DOI: https://doi.org/10.1109/sose.2019.00044

2019-01-01

Abstract:The prevalence of Cloud Computing has appealed many users to put their business into low-cost and flexible cloud servers instead of bare-metal machines. Most virtual machines in the cloud run commodity operating system(e.g., linux), and the complexity of such operating systems makes them more bug-prone and easier to be compromised. To mitigate the security threats, previous works attempt to mediate and filter system calls, transform all unpopular paths into popular paths, or implement a nested kernel along with the untrusted outter kernel to enforce certain security policies. However, such solutions only enforce read-only protection or assume that popular paths in the kernel to contain almost no bug, which is not always the case in the real world. To overcome their shortcomings and combine their advantages as much as possible, we propose a hardware-assisted isolation mechanism that isolates untrusted part of the kernel. To achieve isolation, we prepare multiple restricted Extended Page Table (EPT) during boot time, each of which has certain critical data unmapped from it so that the code executing in the isolated environment could not access sensitive data. We leverage the VMFUNC instruction already available in recent Intel processors to directly switch to another pre-defined EPT inside guest virtual machine without trapping into the underlying hypervisor, which is faster than the traditional trap-and-emulate procedure. The semantic gap is minimized and real-time check is achieved by allowing EPT violations to be converted to Virtualization Exception (VE), which could be handled inside guest kernel in non-root mode. Our preliminary evaluation shows that with hardware virtualization feature, we are able to run the untrusted code in an isolated environment with negligible overhead.

Dan-dan ZHAO,Xing-shu CHEN,Xin JIN

DOI: https://doi.org/10.6040/j.issn.1671-9352.1.2016.083

2017-01-01

Abstract:To enhance the security capabilities of kernel-based virtual machine(KVM) Hypervisor, a multi-level security capabilities enhancement technology was proposed based on multi vulnerabilities, including Hypervisor type trick, VMX instructions monitoring, the ioctl system call interface protection, dynamical KVM code measurement and antiunloading technology, to enhance the security capabilities of the KVM Hypervisor and detect some unknown attacks base interfaces of KVM in time. Eventually a prototype system on the full-virtualization platform of KVM was implemented which was called (Security-KVM, Sec-KVM). The experimental result shows that the Sec-KVM is able to hide the virtualization type of the Hypervisor which enhanced the ability of anti-attack of Hypervisor, dynamically measure the integrity of the KVM and the ioctl system call interface which prevented spread of the attacks, and detect some unknown attacks based KVM service interfaces.

Donghai Tian,Rui Ma,Xiaoqi Jia,Changzhen Hu

DOI: https://doi.org/10.1109/access.2019.2928060

IF: 3.9

2019-01-01

IEEE Access

Abstract:OS kernel is the core part of the operating system, and it plays an important role for OS resource management. A popular way to compromise OS kernel is through a kernel rootkit (i.e., malicious kernel module). Once a rootkit is loaded into the kernel space, it can carry out arbitrary malicious operations with high privilege. To defeat kernel rootkits, many approaches have been proposed in the past few years. However, existing methods suffer from some limitations: 1) most methods focus on user-mode rootkit detection; 2) some methods are limited to detect obfuscated kernel modules; and 3) some methods introduce significant performance overhead. To address these problems, we propose VKRD, a kernel rootkit detection system based on the hardware assisted virtualization technology. Compared with previous methods, VKRD can provide a transparent and an efficient execution environment for the target kernel module to reveal its run-time behavior. To select the important run-time features for training our detection models, we utilize the TF-IDF method. By combining the hardware assisted virtualization and machine learning techniques, our kernel rootkit detection solution could be potentially applied in the cloud environment. The experiments show that our system can detect windows kernel rootkits with high accuracy and moderate performance cost.

Jianhua Sun,Hao Chen,Cheng Chang,Xingbang Li

2013-01-01

Computing and Informatics

Abstract:Kernel rootkits pose significant challenges on defensive techniques as they run at the highest privilege level along with the protection systems. Modern architectural approaches such as the NX protection have been used in mitigating attacks, however determined attackers can still bypass these defenses with specifically crafted payloads. In this paper, we propose a virtualized Harvard memory architecture to address the kernel code integrity problem, which virtually separates the code fetch and data access on the kernel code to prevent kernel from code modifications. We have implemented the proposed mechanism in commodity operating system, and the experimental results show that our approach is effective and incurs very low overhead.

Yong-Gang Li,Yeh-Ching Chung,Kai Hwang,Yue-Jin Li

DOI: https://doi.org/10.1109/tc.2020.3022023

2021-01-01

Abstract:Linux servers are being used in almost all clouds, datacenters and supercomputers today. Linux Kernel functions are facing a kind of malware attacks, known as rootkits with root-access capability. The rootkits appear as loadable kernel modules (LKM) in today's Linux servers. These modules hide from other kernel objects, and can redirect the kernel control flow by tampering with the metadata needed in kernel service functions. The kernel rootkits are invisible to users after loading, which may bypass most security shields. Both spatial and temporal appearance of rootkits are randomly distributed, which makes it difficult to detect or removal. To deal with rootkit threats, we propose a novel Virtual Wall (VTW) approach to filtering out the rootkit-embedded LKMs by tracing the incurred kernel activities. This VTW is essentially a lightweight hypervisor built with rootkit detection and event tracing capabilities. Normally, the Linux runs in a guest mode. When a LKM execution violates the security policy set by the VTW, the OS control will switch to a host mode. The VTW at host mode enables the detection and tracing of rootkit events timely. In other words, potential rootkit attacks are detected, traced and classified to make meaningful filtering decisions. The whole detection and tracing process is based on memory access control and event injection mechanisms. Experimental results show that the VTW defense system is effective to detect and defend against kernel rootkits timely. The CPU overhead for executing VTW is less than 2 percent. Compared with other defense schemes (such as DIKernel, etc.), our vs is easier to implement with low performance degradation on Linux servers. We will demonstrate the advantages of VTW through its simplicity in implementation and potential performance gains. We will also compare our system with seven other rootkit defense systems.

Dongyang Zhan,Huhua Li,Lin Ye,Hongli Zhang,Binxing Fang,Xiaojiang Du

DOI: https://doi.org/10.1109/icc.2019.8761433

2019-05-01

Abstract:Monitoring kernel object modification of virtual machine is widely used by virtual-machine-introspection-based security monitors to protect virtual machines in cloud computing, such as monitoring dentry objects to intercept file operations, etc. However, most of the current virtual machine monitors, such as KVM and Xen, only support page-level monitoring, because the Intel EPT technology can only monitor page privilege. If the out-of-virtual-machine security tools want to monitor some kernel objects, they need to intercept the operation of the whole memory page. Since there are some other objects stored in the monitored pages, the modification of them will also trigger the monitor. Therefore, page-level memory monitor usually introduces overhead to related kernel services of the target virtual machine. In this paper, we propose a low-overhead kernel object monitoring approach to reduce the overhead caused by page-level monitor. The core idea is to migrate the target kernel objects to a protected memory area and then to monitor the corresponding new memory pages. Since the new pages only contain the kernel objects to be monitored, other kernel objects will not trigger our monitor. Therefore, our monitor will not introduce runtime overhead to the related kernel service. The experimental results show that our system can monitor target kernel objects effectively only with very low overhead.

ZHANG Lei,CHEN Xing-shu,LIU Liang,LI Hui

DOI: https://doi.org/10.3969/j.issn.1001-0548.2015.01.020

2015-01-01

Abstract:For the kernel integrity threats of virtual machine in cloud computing environment, an integrity protecting technology of virtual machine kernel, cloud trusted virtual machine(CTVM ), is proposed. In the CTVM, the virtual trusted execution environment in kernel-based virtual machine(KVM) is created, the multiple virtual machines are endowed with a trusted computing function at the same time, and the guest virtual machines are provided with integrity measurement ability. By utilizing hardware virtualization technology, the untrusted kernel modules are isolated from operating system kernel through constructing isolated address space in guest virtual machines, so as to protect the booting integrity and runtime integrity of guest virtual machines. Finally, with a domestic server as the experimental platform, CTVM prototype system is presented. System test and analysis show that the system performance loss is within the acceptable range.

Dongyang Zhan,Lin Ye,Binxing Fang,Hongli Zhang,Xiaojiang Du

DOI: https://doi.org/10.1007/s00500-017-2745-x

2017-01-01

Abstract:Kernel control-flow integrity (CFI) of virtual machines is very important to cloud security. VMI-based dynamic tracing and analyzing methods are promising options for checking kernel CFI in cloud. However, the CFI monitors based on tracing always work at instruction or branch level and result in serious virtual machine performance degradation. To meet the performance requirements in the cloud, we present a page-level dynamic VMI-based kernel CFI checking solution. We trace VM kernel execution at page level, which means that the in-page instruction execution cannot trigger our monitor. As a result, the tracing overhead can be greatly reduced. Based on page-level execution information, we propose two policies to describe the kernel control-flow so as to build the secure kernel control-flow database in the learning stage. In the monitoring stage, we compare runtime execution information with the secure database to check kernel CFI. To further reduce the monitoring overhead, we propose two performance optimization strategies. We implement the prototype on Xen and leverage hardware events to trace VM memory page execution. Then, we evaluate the effectiveness and performance of the prototype. The experimental results prove that our system has enough detection capability and the overhead is acceptable.

Lei ZHANG,Xing-shu CHEN,Yi REN,Hui LI

DOI: https://doi.org/10.3969/j.issn.1671-1122.2015.04.010

2015-01-01

Abstract:Kernel-level Rootkits of virtual machine in cloud can destroy the integrity of virtual machine of tenant. This paper presents a kind of kernel-level Rootkit detection technology based on Virtual Machine Monitor (VMM). This technology establishes True Module List (TML) by critical path breakpoint and obtains the virtual machine''s kernel module view, the user mode view was established by bottom-up calls from VMM, and the reconstructed kernel mode view of virtual machine was get in the VMM layer, then by cross-referencing these three views to detect Rootkit hidden in a virtual machine. Finally, a prototype system was realized based on the Kernel-based Virtual Machine (KVM), experimental results showed that Rootkits in Virtual Machine could be quickly and ac-curately detected in the prototype system, details of Rootkit could be reported according to TML, the overall per-formance loss of the prototype system was in acceptable range.

Xianxian Li,Changhui Jiang,Jianxin Li,Bo Li

DOI: https://doi.org/10.1109/NCIS.2011.21

2011-01-01

Abstract:Malicious software is one of the primary threats to information system on Internet, while the traditional host-based and network-based monitoring systems are vulnerable to prevent the malicious behavior of software because most current malicious software is capable of resisting security monitoring. Virtualization technology gives an impactful approach to monitoring the behavior of malicious software since it can provide an abstraction layer between the operating system and the hardware. In this paper, we propose a hardware-virtualization-based security monitor system named VMInsight, which can provide load-time and run-time monitoring for processes. VMInsight intercepts system calls and process behaviors by monitoring changes in the virtual machine CPU register, and it is implemented in the hyper visor, thus is completely transparent to the software and operating system running in the virtual machine. The experimental results show that the performance overhead of VMInsight is less than 10%, and it can be easily applied to the third-party security monitoring system.

Xingjun Zhang,Endong Wang,Long Xin,Zhongyuan Wu,Weiqing Dong,Xiaoshe Dong

DOI: https://doi.org/10.1109/INCoS.2011.111

2011-01-01

Abstract:The kernel-level Root kit brings operating system mortal security risk. The existing detection methods, which are based on host environment, have limitations such as high Root kit privileges, weak isolation capacity. If the detected system, which may includes Root kit, and the detection system are resided on guest and host environment respectively, those limitations can be resolved. The paper proposed a method of Root kit detection based on KVM (Kernel-based Virtual Machine) by using virtualization technology. This method adopts guest memory protection mechanism, which is based on protection of host page tables and trusted code segments, for static kernel code and data. As for dynamically allocated code and data in heap space, this method introduces integrity checking mechanism, which is based on threshold triggering of calling sequences of monitored functions. The experimental results showed that this method can prevent static code or data from Root kit attacking effectively, and also detect attacks to dynamically allocated code or data quickly.

Cheng ZHAO,Xingshu CHEN,Xin JIN

DOI: https://doi.org/10.11772/j.issn.1001-9081.2017.02.0388

2017-01-01

Abstract:In order to protect the integrity of the Virtual Machine (VM) sensitive files and make up for the shortcomings such as high performance overhead,low compatibility and poor flexibility in out-of-box monitoring based on the instruction monitoring methods,OFM (Out-of-box File Monitoring) based on hardware virtualization was proposed.In OFM,Kernelbased Virtual Machine (KVM) was used as the virtual machine monitor to dynamically configure sensitive file access control strategy in real-time;in addition,OFM could modify the call table entries related to file operations of virtual machine system to determine the legitimacy of the VM process operation files,and deal with the illegal processes.Unixbench was deployed in a virtual machine to test the performance of OFM.The experimental results demonstrate that OFM outperforms to instruction monitoring methods in file monitoring and has no affect on other types of system calls for virtual machines.Meanwhile,OFM can effectively monitor the integrity of the virtual machine files and provide better compatibility,flexibility and lower performance losses.

Chuliang Weng,Qian Liu,Kenli Li,Deqing Zou

DOI: https://doi.org/10.1109/tc.2016.2560809

2016-01-01

Abstract:In the cloud platform, the startup security of guest virtual machines (VMs) can be guaranteed by existing techniques such as TBoot, however, how to monitor and guarantee their runtime security seems to be a non-trivial challenge, when they are exposed to the Internet. For a practical cloud system, security and performance are two important issues. In this paper, we propose a dynamic framework called CloudMon to detect kernel rootkits and guarantee the runtime security of guest VMs. CloudMon is transparent to a guest VM, neither requires its specific system information, nor has to one-on-one run with it. Meanwhile, CloudMon detects kernel rootkits through self-adjusting monitoring on memory with an acceptable overhead. A working prototype of CloudMon is implemented based on Xen. The case studies on security show that CloudMon is effective to detect kernel rootkits in guest VMs, while the performance experiments demonstrate that it brings a low performance overhead.