Towards High Assurance Networks of Virtual Machines
We propose a methodology to check software integrity based upon virtual machines (VMs) that integrates controls at distinct execution levels. The baseline of the proposed approach is the capability of the virtual machine monitor (VMM) to access the memory of a VM and apply a set of consistency checks to the VM operating system (OS). In turn, the OS can apply a different set of consistency checks to the application processes, and applications can enforce a further set of security controls. The union of all the consistency checks forms a chain of trust, where each level controls the integrity of the one above it through the interface appropriate to that level. In this way, the proposed approach minimizes the semantic gap between two adjacent levels, because each level applies only those security controls that are coherent with its own view. We apply this methodology to build a distributed intrusion detection system (IDS) that detects attacks against a network of VMs. Following the proposed methodology, the tool adopts VM introspection (VMI) to apply a set of consistency checks to the kernel of the OS of each VM. Then, we extend the kernel of each VM with a set of functions that check the integrity of the processes involved in the detection of intrusions.
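The layered chain of trust described in the abstract, as an added toy model that is not code from the paper: a constructed guest memory image holds a system-call table and the code bytes of an IDS process; the VMM-level check reads the table directly from guest memory (the VMI view), the kernel-level check hashes the IDS process code (the OS view), and the combined verdict treats the upper-level result as untrusted whenever the level below it fails. All addresses, table contents and code bytes are assumed values for the example.

```python
import hashlib
import struct

# Constructed guest layout (assumed values): an 8-entry syscall table of
# 8-byte pointers at GUEST_SYSCALL_TABLE and the IDS process code at IDS_CODE_ADDR.
GUEST_SYSCALL_TABLE = 0x1000
IDS_CODE_ADDR = 0x2000
GOOD_SYSCALLS = [0xFFFF0000 + 0x10 * i for i in range(8)]  # known-good baseline
IDS_CODE = b"\x55\x48\x89\xe5\xc3" * 4                      # constructed code bytes
IDS_CODE_HASH = hashlib.sha256(IDS_CODE).hexdigest()        # baseline taken at deploy time

def build_memory(hooked_syscall=None, tampered_ids=False):
    """Construct a guest memory image, optionally with one syscall entry redirected
    (the trace a kernel-level hook leaves) or with the IDS process code modified."""
    table = list(GOOD_SYSCALLS)
    if hooked_syscall is not None:
        table[hooked_syscall] = 0xDEAD0000  # points outside the known kernel text
    code = bytearray(IDS_CODE)
    if tampered_ids:
        code[0] ^= 0xFF
    mem = bytearray(0x3000)
    mem[GUEST_SYSCALL_TABLE:GUEST_SYSCALL_TABLE + 64] = struct.pack("<8Q", *table)
    mem[IDS_CODE_ADDR:IDS_CODE_ADDR + len(code)] = code
    return bytes(mem)

def vmm_check_kernel(mem):
    """VMM level (VMI): read the syscall table straight out of guest memory and
    return the indices whose entries differ from the known-good baseline."""
    entries = struct.unpack_from("<8Q", mem, GUEST_SYSCALL_TABLE)
    return [i for i, (got, want) in enumerate(zip(entries, GOOD_SYSCALLS)) if got != want]

def kernel_check_process(mem):
    """Kernel level: hash the IDS process code and compare it with the baseline.
    This runs inside the guest, so its answer only means something if the kernel is intact."""
    code = mem[IDS_CODE_ADDR:IDS_CODE_ADDR + len(IDS_CODE)]
    return hashlib.sha256(code).hexdigest() == IDS_CODE_HASH

def chain_of_trust(mem):
    """Each level vouches for the one above it: a failed VMM-level kernel check
    makes the kernel-level process check untrusted regardless of what it reports."""
    hooked = vmm_check_kernel(mem)
    if hooked:
        return {"kernel": "tampered", "hooked_syscalls": hooked, "process": "untrusted"}
    process = "ok" if kernel_check_process(mem) else "tampered"
    return {"kernel": "ok", "hooked_syscalls": [], "process": process}
```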
Keywords: Virtual Machine; Consistency Check; Intrusion Detection System; Physical Node; High Level View