NOR: Towards Non-intrusive, Real-Time and OS-agnostic Introspection for Virtual Machines in Cloud Environment

Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10726)

Abstract

Cloud platforms of large enterprises are witnessing increasing adoption of Virtual Machine Introspection (VMI) technology for building a wide range of VM monitoring applications, including intrusion detection systems, virtual firewalls, malware analysis, and live memory forensics. In our analysis and comparison of existing VMI systems, we found that most of them suffer from one or more of the following problems: intrusiveness, time lag, and OS-dependence, which make them poorly suited to clouds in practice. To address these problems, we present NOR, a non-intrusive, real-time, and OS-agnostic introspection system for virtual machines in cloud environments. It employs event-driven monitoring and snapshot polling cooperatively to reconstruct the memory state of guest VMs. In our evaluation, we show that NOR is capable of monitoring the activities of guest VMs instantaneously with minor performance overhead. We also design several case studies to show that NOR is able to detect kernel rootkits and mitigate transient attacks on different Linux systems.

Keywords

Virtual machine introspection, Malware detection, Side-channel attacks, Cloud security

Notes

Acknowledgement

We would like to thank the anonymous reviewers for their insightful comments that greatly helped to improve this paper. This work is a part of the project supported by Beijing Natural Science Foundation (Y720011101). Any opinions, findings, and conclusions expressed in this material are those of the authors and do not necessarily reflect the views of these agencies.

Copyright information

© Springer International Publishing AG, part of Springer Nature 2018

Authors and Affiliations

  1. Institute of Information Engineering, Chinese Academy of Sciences, Beijing, China
  2. School of Cyber Security, University of Chinese Academy of Sciences, Beijing, China
  3. National Computer Network Emergency Response Technical Team/Coordination Center of China, Beijing, China