Secure IDS Offloading with Nested Virtualization and Deep VM Introspection

Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10493)

Abstract

To securely execute intrusion detection systems (IDSes) for virtual machines (VMs), IDS offloading with VM introspection (VMI) is used. In semi-trusted clouds, however, IDS offloading inside an untrusted virtualized system does not guarantee that offloaded IDSes run correctly. Assuming a trusted hypervisor, secure IDS offloading has been proposed, but there are several drawbacks because the hypervisor is tightly coupled with untrusted management components. In this paper, we propose a system called V-Met, which offloads IDSes outside the virtualized system using nested virtualization. Since V-Met runs an untrusted virtualized system in a VM, the trusted computing base (TCB) is separated more clearly and strictly. V-Met can prevent IDSes from being compromised by untrusted virtualized systems and allows untrusted administrators to manage even the hypervisor. Furthermore, V-Met provides deep VMI for offloaded IDSes to obtain the internal state of target VMs inside the VM for running a virtualized system. We have implemented V-Met in Xen and confirmed that the performance of offloaded legacy IDSes was comparable to that in traditional IDS offloading.

Keywords

VM introspection; Nested virtualization; Insider attacks; IDS; Clouds

Notes

Acknowledgment

This work was partially supported by JSPS KAKENHI Grant Number JP16K00101.


Copyright information

© Springer International Publishing AG 2017

Authors and Affiliations

Kyushu Institute of Technology, Iizuka, Fukuoka, Japan