CHEN Xing-shu,ZHAOCheng,TAOShu-song

DOI: https://doi.org/10.3969/j.issn.1001-0548.2016.06.013

2016-01-01

Abstract:To protect the process memory and execution paths of system calls from the threat of malicious code on Windows virtual machine, a KVM-based virtual machine user process protection solution is proposed. Combined with hardware virtualization technologies, a shadow kernel is built for Windows virtual machine to protect the original kernel system call paths from being hooked by malicious code. Meanwhile, the process memory is secured through filtering out-of-process system calls in the monitoring agent, intercepting the switching behaviors of page tables, monitoring the exceptions of breakpoints, and debugging of the virtual machine. In addition, a shadow monitoring agent is built to safeguard the virtual machine’s monitor agent memory. A prototype system VMPPS was thus designed and implemented with its validity tests and analysis results showing that process memory and execution paths of system calls of the virtual machine are effectively protected within an acceptable performance loss range.

Xiaoguang Wang,Yong Qi,Zhi Wang,Yue Chen,Yajin Zhou

DOI: https://doi.org/10.1109/tdsc.2017.2675991

2019-01-01

Abstract:The OS kernel is critical to the security of a computer system. Many systems have been proposed to improve its security. A fundamental weakness of those systems is that page tables, the data structures that control the memory protection, are not isolated from the vulnerable kernel, and thus subject to tampering. To address that, researchers have relied on virtualization for reliable kernel memory protection. Unfortunately, such memory protection requires to monitor every update to the guest's page tables. This fundamentally conflicts with the recent advances in the hardware virtualization support. In this paper, we propose SecPod, an extensible framework for virtualization-based security systems that can provide both strong isolation and the compatibility with modern hardware. SecPod has two key techniques: paging delegation delegates and audits the kernel's paging operations to a secure space; execution trapping intercepts the (compromised) kernel's attempts to subvert SecPod by misusing privileged instructions. We have implemented a prototype of SecPod based on KVM. Our experiments show that SecPod is both effective and efficient.

Xueyuan Yin,Xingshu? Chen,Shusong Tao,Lin Chen

DOI: https://doi.org/10.13232/j.cnki.jnju.2019.02.007

2019-01-01

Abstract:To solve the problem of user virtual machine monitoring in cloud environment,a virtual machine security monitoring method based on real time online analysis of virtual machine memory was proposed.With high privilege of the virtualization layer,virtual machine memory could be obtained outside of virtual machines online transparently. By using the memory analysis mechanism derived from the field of internal forensics,the semantic knowledge of virtual machine memory can be revealed by analyzing some important kernel structures of the virtual machine memory online in the virtualization layer,which effectively solves the semantic gap between the virtual machine and the virtualization layer and leads to achieving fine granularity of information monitoring of virtual machines.Because the monitoring code is under the virtualization layer,outside of the monitored virtual machine and isolated from virtual machine internal codes by the virtualization mechanism,there is no need to deploy monitoring agents in the users’virtual machine.Therefore,any malicious code inside the virtual machine can not bypass and destroy the security monitoring code under the virtualization layer and the transparency and security of the method is improved. The experimental results show that the method can provide a cloud security monitoring service for virtual machines at lower performance cost with agentless.

Xiaoguang Wang,Yong Qi,Yuehua Dai,Jianbao Ren

DOI: https://doi.org/10.1109/compsacw.2013.38

2013-01-01

Abstract:Ensuring the correctness of security sensitive application running on a potentially malicious operating system is an open problem. Existing approaches for protecting a sensitive process are either losing deployment transparency or lack of the inter-process communication ability for the protected process. In this paper, we present a novel approach called shadow process execution (SPE), which can provide security sensitive applications with executing integrity. With the help of virtualization layer, SPE shadows the sensitive application in a separate virtual machine (VM), which significantly removes the complex and potentially malicious software stack from trusted computing base (TCB). At the same time, SPE maintains dynamic runtime protection without application source code. Finally we demonstrate the feasibility of SPE by designing and implementing a prototype system based on KVM hypervisor. And we show the transparent and dynamic feature of SPE by running and protecting a real world encryption utility program.

Ji-Ming Chen,Shi Chen,Xiang Wang,Lin,Li Wang

DOI: https://doi.org/10.1155/2021/2729949

IF: 1.968

2021-01-01

Security and Communication Networks

Abstract:With the rapid development of Internet of Things technology, a large amount of user information needs to be uploaded to the cloud server for computing and storage. Side-channel attacks steal the private information of other virtual machines by coresident virtual machines to bring huge security threats to edge computing. Virtual machine migration technology is currently the main way to defend against side-channel attacks. VM migration can effectively prevent attackers from realizing coresident virtual machines, thereby ensuring data security and privacy protection of edge computing based on the Internet of Things. This paper considers the relevance between application services and proposes a VM migration strategy based on service correlation. This strategy defines service relevance factors to quantify the degree of service relevance, build VM migration groups through service relevance factors, and effectively reduce communication overhead between servers during migration, design and implement the VM memory migration based on the post-copy method, effectively reduce the occurrence of page fault interruption, and improve the efficiency of VM migration.

Guang-lu YAN,Sen-lin LUO,Wang-tong LIU,Li-min PAN

DOI: https://doi.org/10.15918/j.tbit1001-0645.2018.03.014

2018-01-01

Abstract:Executing malicious code via hidden process is a major way to carry out information attack.At present,hidden process detection methods based on In-VM model of virtualization platform can be attacked by circumventing and tampering with the relative data.To solve this problem,a highly reliable In-VM hidden process detection method was proposed.Firstly,an In-VM model and the memory protection mechanism of virtualization were developed to protect its detection code and relative kernel data from being maliciously changed.Secondly,by hijacking the system transfer function exactly and detecting the hidden process with a cross-view method, the detection algorithm was ensured from being circumvented.Finally,several typical Rootkits were built and chosen in experiments.The results show that,the proposed method can detect all kinds of hidden processes.Its detection code and relative kernel data cannot be tampered with and its detection algorithm and memory protection mechanism cannot be circumvented.And the developed memory protection mechanism has better performance in the system,showing a higher reliability and stronger pragmatic value.

Jinan Shen,Deqing Zou,Hai Jin,Kai Yang,Bin Yuan,Weiming Li

DOI: https://doi.org/10.1109/cc.2016.7781724

2016-01-01

China Communications

Abstract:In traditional framework, mandatory access control (MAC) system and malicious software are run in kernel mode. Malicious software can stop MAC systems to be started and make it do invalid. This problem cannot be solved under the traditional framework if the operating system (OS) is comprised since malwares are running in ring0 level. In this paper, we propose a novel way to use hypervisors to protect kernel integrity and the access control system in commodity operating systems. We separate the access control system into three parts: policy management (PM), security server (SS) and policy enforcement (PE). Policy management and the security server reside in the security domain to protect them against malware and the isolation feather of the hypervisor can protect them from attacks. We add an access vector cache (AVC) between SS and PE in the guest OS, in order to speed up communication between the guest OS and the security domain. The policy enforcement module is retained in the guest OS for performance. The security of AVC and PE can be ensured by using a memory protection mechanism. The goal of protecting the OS kernel is to ensure the security of the execution path. We implement the system by a modified Xen hypervisor. The result shows that we can secure the security of the access control system in the guest OS with no overhead compared with modules in the latter. Our system offers a centralized security policy for virtual domains in virtual machine environments.

Xian Chen,Wenzhi Chen,Peng Long,Zhongyong Lu,Zonghui Wang

DOI: https://doi.org/10.1109/cbd.2013.32

2013-01-01

Abstract:For the ability to explore the memory's fullest potential, memory de-duplication has been widely experimented with in current main stream virtualization platforms. A lot of work has been done to improve the efficiency of memory de-duplication, while too little attention was paid to the introduced security issues which have been proved by prior work. To deal with this security risk and efficiently manage the memory we start our work in this paper. We first conduct extensive experiments on different OS platforms to study the realistic situation of page sharing. By analyzing the results we find: 1) Page sharing is contributed mostly by self-sharing (nearly 90%), and the self-sharing rate varies significantly between Linux and Windows OS platforms. Compared with self-sharing the inter-VM sharing rate is extremely low, under 1% in most cases. 2) Page size has a larger influence on Linux platform than Windows platform, so sub-page de-duplication proposed in prior work may achieve better performance on Linux platform. On the basis of above findings we propose a group-based secure page sharing model (or GSKSM), in which we consider both VM processes and normal processes. We have successfully implemented it in Linux kernel 3.6.6, and the experiment results show it works well with negligible overhead. Finally based on GSKSM we further present an efficient memory management approach (or SEMMA), which combines GSKSM and balloon technique to efficiently manage the memory, and the preliminary experiment result is satisfactory.

Bin Shi,Lei Cui,Bo Li,Xudong Liu,Zhiyu Hao,Haiying Shen

DOI: https://doi.org/10.1007/978-3-030-00470-5_31

2018-01-01

Abstract:Virtual machine introspection (VMI) is one compelling technique to enhance system security in clouds. It is able to provide strong isolation between untrusted guests and security tools placed in guests, thereby enabling dependability of the security tools even if the guest has been compromised. Due to this benefit, VMI has been widely used for cloud security such as intrusion detection, security monitoring, and tampering forensics. However, existing VMI solutions suffer significant performance degradation mainly due to the high overhead upon frequent memory address translations and context-switches. This drawback limits its usage in many real-world scenarios, especially when fine-grained monitoring is desired. In this paper, we present ShadowMonitor, an effective VMI framework that enables efficient in-VM monitoring without imposing significant overhead. ShadowMonitor decomposes the whole monitoring system into two compartments and then assigns each compartment with isolated address space. By placing the monitored components in the protected compartment, ShadowMonitor guarantees the safety of both monitoring tools and guests. In addition, ShadowMonitor employs hardware-enforced instructions to design the gates across two compartments, thereby providing efficient switching between compartments. We have implemented ShadowMonitor on QEMU/KVM exploiting several hardware virtualization features. The experimental results show that ShadowMonitor could prevent several types of attacks and achieves 10\(\times \) speedup over the existing method in terms of both event monitoring and overall application performance.

Zheyuan Liu,Dejun Mu

2012-01-01

Journal of Xidian University

Abstract:Computer malware has forced the transfer of the traditional in-host security tools to the development of VMM-based solutions which isolate the anti-malware software from untrusted systems.However,the inherent semantic gap poses a great challenge in supporting existing monitoring tools.In this paper,we present a process transferring method for fine-grained process execution monitoring to address both isolation and compatibility problems.Also by redirecting system calls invoked by the suspect process we guarantee the execution flow of the transferred process.Evaluation results show its effectiveness and feasibility with a tiny influence on the system.

Xianxian Li,Changhui Jiang,Jianxin Li,Bo Li

DOI: https://doi.org/10.1109/NCIS.2011.21

2011-01-01

Abstract:Malicious software is one of the primary threats to information system on Internet, while the traditional host-based and network-based monitoring systems are vulnerable to prevent the malicious behavior of software because most current malicious software is capable of resisting security monitoring. Virtualization technology gives an impactful approach to monitoring the behavior of malicious software since it can provide an abstraction layer between the operating system and the hardware. In this paper, we propose a hardware-virtualization-based security monitor system named VMInsight, which can provide load-time and run-time monitoring for processes. VMInsight intercepts system calls and process behaviors by monitoring changes in the virtual machine CPU register, and it is implemented in the hyper visor, thus is completely transparent to the software and operating system running in the virtual machine. The experimental results show that the performance overhead of VMInsight is less than 10%, and it can be easily applied to the third-party security monitoring system.

Jin YU,Hao HUANG

DOI: https://doi.org/10.11897/SP.J.1016.2017.00414

2017-01-01

Abstract:How to effectively ensure the operation security of the guest virtual machine on a cloud computing platform is a hot topic at present.The system function hook and control method is one of the key technologies that are used to monitor the client system.Although the function hook and control method adopted in the security monitoring program based on the kernel interface of the operation system and the introspection program of the virtual machine based on the virtualization technology can meet the requirements of the security monitoring,the system still has some defects:the function hook can be easily bypassed;the system call hook method is single and limited;the internal function of the client application can't be hooked;the executing process of the function cannot be controlled;the security mechanism may result in extra large performance overhead.In this paper,an automatic function hook and control program of the guest virtual machine system based on virtualization technology (VMSPY) is proposed.The main functions of the modules are realized in the VMM,the codes of the guest system are analyzed automatically and generated dynamically via the disassembly engine.Besides,the privileged instruction sequence designed is inserted in a proper position to realize the system call hook.The internal function of the application is intercepted under the condition that it is not affected by the address space layout randomization (ASLR) technology.The code instruction sequence of the hooked function is simulated and executed automatically in the VMM according to the strategy to realize the control of the executing process of the system call and the application function.The privileged instruction sequence inserted in the guest system is protected through the memory page authorization mechanism to prevent the impact of the guest system.A cache mechanism is used to reduce the extra performance overhead as much as possible.

Fengzhe Zhang,Haibo Chen

DOI: https://doi.org/10.1007/s10922-012-9253-1

2012-01-01

Journal of Network and Systems Management

Abstract:Hypervisor-based process protection is a novel approach that provides isolated execution environments for applications running on untrusted commodity operating systems. It is based on off-the-shelf hardware and trusted hypervisors while it meets the requirement of security and trust for many cloud computing models, especially third-party data centers and a multi-tenant public cloud, in which sensitive data are out of the control of the users. However, as the hypervisor extends semantic protection to the process granularity, such a mechanism also breaks the platform independency of virtual machines and thus prohibits live migration of virtual machines, which is another highly desirable feature in the cloud. In this paper, we extend hypervisor-based process protection systems with live migration capabilities by migrating the protection-related metadata maintained in the hypervisor together with virtual machines and protecting sensitive user contents using encryption and hashing. We also propose a security-preserving live migration protocol that addresses several security threats during live migration procedures including timing-related attacks, replay attacks and resumption order attacks. We implement a prototype system base on Xen and Linux. Evaluation results show that performance degradation in terms of both total migration time and downtime are reasonably low compared to the unmodified Xen live migration system.

Menglong Jiang,Zhengwei Qi,Haibing Guan,Anil Kumar Karna

DOI: https://doi.org/10.1109/FCST.2009.26

2009-01-01

Abstract:With the development of network malicious code, the existing security holes in present systems facilitate data loss. Though protection methods and software are updated day by day, some recent rootkits, that can still invisibly access kernel, make new challenges for the system security. The focal point on system security is how to protect a chosen process on the infected operating system. Process protection and monitoring are becoming more and more important for emerging networks and systems. In this paper, we present a new technique, Croth, which is based on hardware virtualization technology. It introduces a novel mechanism, Cape, that is located in virtual machine monitor (VMM). The main work of Cape is to emulate most of the operations originally done by operating system. This primitive offers an additional dimension of protection beyond the hierarchical protection domains, implemented by traditional operating systems and processor architectures. The design and implementation of hiding sensitive data is also presented in this paper. Our design has been fully implemented and used to protect a wide range of legacy process without any modification on Windows operating system. Our experimental result shows that the operating system could not get accurate data while the chosen process is controlled by Croth. It has provided a little performance overhead, however, performance is still acceptable.

Siqin Zhao,Kang Chen,Weimin Zheng

DOI: https://doi.org/10.1109/ChinaGrid.2009.45

2009-01-01

Abstract:It is very important to protect critical resources such as private data and code in computer systems. It is promising to protect private data and to improve the system security by leveraging the isolation attribute of virtual machine(VM). The isolation attribute of VM is provided by Virtual Machine Monitor (VMM) that runs in higher priority than guest OSes. If the critical components are isolated in VMs,access control can be enforced or attestation can be made when the subject is accessing via VMs. In this way, VMs can improve the security level of critical components such as OS, kernel, data, and applications. For computer system security, VMs can be used to detect malware intrusions and to protect critical components, which can be implemented by integrating detection or protection mechanism in either VMM or VMs. Authentication is required to create trustful VMs. This paper surveys technologies related of using virtual machines to enhance system security.

Mengjuan CAI,Xingshu CHEN,Xin JIN,Cheng ZHAO,Mingyong YIN

DOI: https://doi.org/10.11772/j.issn.1001-9081.2017082167

2018-01-01

Journal of Computer Applications

Abstract:In cloud environment,the code of pivotal business in Virtual Machine (VM) can be modified by malicious software in many ways,which can pose a threat to its stable operation.Traditional measurement systems based on host are liable to be bypassed or attacked.To solve the problem that it is difficult to obtain a complete virtual machine running process code and verify its integrity at Virtual Machine Monitor (VMM) layer,a paging-measurement method based on hardware virtualization was proposed.The Kernel-based Virtual Machine (KVM) was used as the VMM to capture the system calls of virtual machine process in VMM and regarde it as the trigger point of the measurement process;the semantic differences of different virtual machine versions were solved by using relative address offset,then the paging-measurement method could verify the code integrity of running process in virtual machine transparently at VMM layer.The implemented prototype system of VMPMS (Virtual Machine Paging-Measurement System) can effectively measure the virtual machine process code with acceptable performance loss.

Hai Jin,Ge Cheng,Deqing Zou,Xinwen Zhang

DOI: https://doi.org/10.1016/j.camwa.2012.02.001

IF: 3.218

2013-01-01

Computers & Mathematics with Applications

Abstract:Cherub is an on-demand virtualization mechanism aiming to provide fine-grained application protection in untrusted environments. By leveraging late launch technology, Cherub dynamically inserts a lightweight virtual machine monitor (VMM) under a commodity operating system (OS) when critical pieces of an application code or data are to be processed. The novel design of Cherub with a double-shadowed page table extends VMM level memory protection into application level, such that it can isolate selected memory pages of a target process from the rest and other processes in the same OS environment. With this, Cherub enables fine-grained memory access control and therefore flexible security objectives. Compared to existing approaches, Cherub has the benefits of small code size, low performance overhead, no change to existing applications and commodity OS, and selective protection capability within a single application space. We implement Cherub in Linux and our analysis and evaluation demonstrate its effectiveness and practicality.

De-qing ZOU,Kai YANG,Xiao-xu ZHANG,Bo-yang YUAN,Ming-lu FENG

DOI: https://doi.org/10.6040/j.issn.1671-9352.2.2014.438

2014-01-01

Abstract:In order to improve the safety level of the system effectively,a kind of mechanism scheme of access control system in virtual domain that uses hypervisors to protect kernel integrity and access control system in commodity operat-ing systems was put forward.Access control system was separated into three parts:Policy Management (PM),Securi-ty Server (SS)and Policy Enforcement (PE).Prototype system SEVD (security-enhanced virtual domain)was imple-mented and evaluated by modified Xen hypervisor.Test results show that SEVD can secure the security of access con-trol system in Guest OS and avoid popular rootkits attacks while it have no overhead comparing with SELinux.Our sys-tem also can centralized security policy for virtual domains in virtual machine environment.

Jianhua Sun,Hao Chen,Cheng Chang,Xingbang Li

2013-01-01

Computing and Informatics

Abstract:Kernel rootkits pose significant challenges on defensive techniques as they run at the highest privilege level along with the protection systems. Modern architectural approaches such as the NX protection have been used in mitigating attacks, however determined attackers can still bypass these defenses with specifically crafted payloads. In this paper, we propose a virtualized Harvard memory architecture to address the kernel code integrity problem, which virtually separates the code fetch and data access on the kernel code to prevent kernel from code modifications. We have implemented the proposed mechanism in commodity operating system, and the experimental results show that our approach is effective and incurs very low overhead.

Yan Wen,Jinjing Zhao,Huaimin Wang

DOI: https://doi.org/10.1145/1460877.1460904

2008-01-01

Abstract:With security researchers relying on the virtual machine (VM) in their analysis work, malware has a significant stake in detecting the presence of a VM to avoid executing its vicious behavior. But hiding a VM from malware by building a transparent virtual machine monitor (VMM) is fundamentally infeasible, as well as impractical from a performance and engineering standpoint. This paper proposes a new idea from another perspective: hiding the "real" machine from the VMM-aware malware. We propose a minimal VMM called MiniVMM which can migrate a booted OS, our protecting concern, to this VMM on demand. In our protection model, all the untrusted code, although having been verified by VMM-based malware detectors, should be executed in this migrated OS. Instead of building a transparent VMM, MiniVMM advisedly exposes the VMM fingerprints to prevent the computer against VMM-aware malicious programs by deceiving them into deactivating their destructive behavior by themselves. MiniVMM has two key features: dynamic OS migration and commodity VMM fingerprints emulation. Unlike existing VMM solutions, MiniVMM can make the protected OS transfer between VMM mode and native mode dynamically. MiniVMM can also emulate the fingerprints of prevalent VMMs to make the protected computer more like a "real" VM. MiniVMM might be deployed as a considerable complement of the existing VMM-based security approaches to make the native OSes immune to the VMM-aware malware.