2018 | Original Paper | Book chapter

NOR: Towards Non-intrusive, Real-Time and OS-agnostic Introspection for Virtual Machines in Cloud Environment

Authors: Chonghua Wang, Zhiyu Hao, Xiaochun Yun

Published in: Information Security and Cryptology

Publisher: Springer International Publishing


Abstract

Cloud platforms of large enterprises are increasingly adopting Virtual Machine Introspection (VMI) technology to build a wide range of VM monitoring applications, including intrusion detection systems, virtual firewalls, malware analysis, and live memory forensics. In our analysis and comparison of existing VMI systems, we found that most suffer from one or more of the following problems: intrusiveness, time lag, and OS dependence, which make them poorly suited to production clouds. To address these problems, we present NOR, a non-intrusive, real-time, and OS-agnostic introspection system for virtual machines in cloud environments. It combines event-driven monitoring with snapshot polling to reconstruct the memory state of guest VMs. In our evaluation, we show that NOR can monitor the activities of guest VMs instantaneously with minor performance overhead. We also present case studies showing that NOR is able to detect kernel rootkits and mitigate transient attacks on different Linux systems.


Metadata
Title
NOR: Towards Non-intrusive, Real-Time and OS-agnostic Introspection for Virtual Machines in Cloud Environment
Authors
Chonghua Wang
Zhiyu Hao
Xiaochun Yun
Copyright year
2018
DOI
https://doi.org/10.1007/978-3-319-75160-3_29