ABSTRACT
File-system integrity tools (FIT) are commonly deployed host-based intrusion detection system (HIDS) tools for detecting unauthorized file-system changes. While FIT are widely used, this kind of HIDS has many drawbacks: detection is not performed in real time, which may render the whole scheme useless if the attacker can take over the system with privileged access in the interval between checks. The administrator also has considerable trouble keeping the baseline database up to date. Moreover, the database and the FIT itself are vulnerable once the attacker gains local privileged access. This paper presents a novel approach that addresses these outstanding problems of current FIT. We propose the design and implementation of a tool named XenFIT for Xen virtual machines. XenFIT monitors the protected machine and raises alarms on intrusion in real time, and our approach does not require creating and updating a database as the legacy methods do. XenFIT works by dynamically patching the memory of the protected machine, so no kernel code or user-space application needs to be installed in the protected machines. As a result, XenFIT is almost effortless to deploy and maintain. In addition, thanks to the advantages Xen offers, the security policies as well as the detection process reside in a secure machine, so XenFIT is tamper-resistant to attack even when the attacker takes over the entire VM being penetrated. Finally, if deployed strictly, XenFIT can operate very stealthily to avoid arousing the intruder's suspicion.