Improving Xen security through disaggregation

Murray, Derek G.; Miłós, Grzegorz; Hand, Steven

doi:10.1145/1346256.1346278

Cited by 164 publications

(86 citation statements)

References 22 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…This increasing attack trend has spurred research towards reducing the hypervisor Trusted Code Base (TCB) of current commercial hypervisors [26]. Others developed new specialized prototype hypervisors [36,24].…”

Section: Introductionmentioning

confidence: 99%

HyperCheck: A Hardware-Assisted Integrity Monitor

Jiang

Stavrou

Ghosh

2010

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Abstract. Over the past few years, virtualization has been employed to environments ranging from densely populated cloud computing clusters to home desktop computers. Security researchers embraced virtual machine monitors (VMMs) as a new mechanism to guarantee deep isolation of untrusted software components. Unfortunately, their widespread adoption promoted VMMs as a prime target for attackers. In this paper, we present HyperCheck, a hardware-assisted tampering detection framework designed to protect the integrity of VMMs and, for some classes of attacks, the underlying operating system (OS). HyperCheck leverages the CPU System Management Mode (SMM), present in x86 systems, to securely generate and transmit the full state of the protected machine to an external server. Using HyperCheck, we were able to ferret-out rootkits that targeted the integrity of both the Xen hypervisor and traditional OSes. Moreover, HyperCheck is robust against attacks that aim to disable or block its operation. Our experimental results show that HyperCheck can produce and communicate a scan of the state of the protected software in less than 40ms.

show abstract

Section: Introductionmentioning

confidence: 99%

HyperCheck: A Hardware-Assisted Integrity Monitor

Jiang

Stavrou

Ghosh

2010

Lecture Notes in Computer Science

View full text Add to dashboard Cite

show abstract

“…In this case, R&R could be leveraged to resume the malware's execution from the point of detection, with the VMM code now adapted to avoid detection and resume the malware analysis. Similar to other VMM-based security research efforts [16,17,18,20,21], we assume a trustworthy VMM and this is supported with recent progress in improving the hypervisor security [25,27,38].…”

Section: Discussionmentioning

confidence: 99%

Time-Traveling Forensic Analysis of VM-Based High-Interaction Honeypots

Srinivasan

Jiang

2012

Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering

View full text Add to dashboard Cite

Abstract. Honeypots have proven to be an effective tool to capture computer intrusions (or malware infections) and analyze their exploitation techniques. However, forensic analysis of compromised honeypots is largely an ad-hoc and manual process. In this paper, we propose Timescope, a system that applies and extends recent advances in deterministic record and replay to high-interaction honeypots for extensible, fine-grained forensic analysis. In particular, we propose and implement a number of systematic analysis modules in Timescope, including contamination graph generator, transient evidence recoverer, shellcode extractor and break-in reconstructor, to facilitate honeypot forensics. These analysis modules can "travel back in time" to investigate various aspects of computer intrusions or malware infections during different execution time windows. We have developed Timescope based on the open-source QEMU virtual machine monitor and the evaluation with a number of real malware infections shows the practicality and effectiveness of Timescope.

show abstract

“…In the meantime, our system assumes a trustworthy hypervisor as the necessary trusted computing base (TCB) to provide strict VM isolation. This assumption is shared by many other hypervisor-based security research efforts [13,14,17,25,43] and being hardened by existing hypervisorprotection solutions [26,41]. We will discuss possible attacks (e.g., VM escape) in Section 6.…”

Section: Designmentioning

confidence: 99%

Transparent Protection of Commodity OS Kernels Using Hardware Virtualization

Grace

Wang

Srinivasan

et al. 2010

Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering

View full text Add to dashboard Cite

Abstract. Kernel rootkits are among the most insidious threats to computer security today. By employing various code injection techniques, they are able to maintain an omnipotent presence in the compromised OS kernels. Existing preventive countermeasures typically employ virtualization technology as part of their solutions. However, they are still limited in either (1) requiring modifying the OS kernel source code for the protection or (2) leveraging software-based virtualization techniques such as binary translation with a high overhead to implement a Harvard architecture (which is robust to various code injection techniques used by kernel rootkits). In this paper, we introduce hvmHarvard, a hardware virtualization-based Harvard architecture that transparently protects commodity OS kernels from kernel rootkit attacks and significantly reduces the performance overhead. Our evaluation with a Xen-based prototype shows that it can transparently protect legacy OS kernels with rootkit resistance while introducing < 5% performance overhead.

show abstract

Improving Xen security through disaggregation

Cited by 164 publications

References 22 publications

HyperCheck: A Hardware-Assisted Integrity Monitor

HyperCheck: A Hardware-Assisted Integrity Monitor

Time-Traveling Forensic Analysis of VM-Based High-Interaction Honeypots

Transparent Protection of Commodity OS Kernels Using Hardware Virtualization

Contact Info

Product

Resources

About