
Secure In-VM Monitoring Using Hardware Virtualization

Authors: Monirul Sharif, Wenke Lee, Weidong Cui, Andrea Lanzi. Presenter: Chun-Chih Wu. Advisor: Hsing-Kuo Pao. Paper selected from CCS '09 (ACM Conference on Computer and Communications Security, 2009).


Presentation Transcript


  1. Secure In-VM Monitoring Using Hardware Virtualization • Authors: Monirul Sharif, Wenke Lee, Weidong Cui, Andrea Lanzi • Presenter: Chun-Chih Wu • Advisor: Hsing-Kuo Pao • Paper selected from CCS '09

  2. Outline
  • Introduction
  • Secure In-VM Monitoring
  • Implementation
  • Experimental Evaluation
  • Conclusion

  3. Introduction
  • Malicious programs (kernel-level malware) can compromise the operating system kernel, so a monitor that lives inside the kernel cannot be trusted to stay intact.
  • Many security approaches (e.g., system call tracing) require the ability to monitor frequently executing events, so the cost of each monitor invocation dominates overall overhead.
  • Secure In-VM Monitoring (SIM) is a general-purpose framework that keeps the monitor inside the guest VM for speed, yet isolates it from the untrusted guest using hardware virtualization features.

  4. Contributions
  • A general-purpose in-VM monitoring framework that combines the isolation of out-of-VM monitoring with the performance of in-VM monitoring, built on hardware virtualization and hardware memory protection (paging) features.
  • A prototype of the SIM framework based on KVM with a Windows guest OS.
  • A systematic security analysis of SIM against a number of possible threats, showing that SIM provides no weaker security guarantees than an out-of-VM monitor.

  5. In-VM monitoring (figure; the monitor and its handlers reside inside the guest VM). Legend: A = adversary program; DP = program data; CP = program code; K = hook; DK = hook data; H = handler; CM = monitor code; DM = monitor data; R = response.

  6. Out-of-VM monitoring (figure; the handler H and the monitor CM/DM reside outside the guest VM and are reached through the hypervisor). Legend: A = adversary program; DP = program data; CP = program code; K = hook; DK = hook data; H = handler; CM = monitor code; DM = monitor data; R = response.

  7. Performance requirements
  • (P1) Fast invocation: switching from a hook to the monitor must not involve any privilege-level change (no VM exit to the hypervisor).
  • (P2) Data read/write at native speed: the monitor reads and writes guest memory directly, without any hypervisor intervention.

  8. Security requirements
  • (S1) Isolation of the monitor's code (CM) and data (DM)
  • (S2) A designated point for switching into CM
  • (S3) A handler (hi) is called if and only if the corresponding hook (ki) executes
  • (S4) The behavior of the monitor is not maliciously alterable

  9. Secure In-VM Monitoring

  10. The SIM address space
  • SIM code/data: the monitor itself; mapped only in the SIM address space.
  • Invocation checker: verifies that the call chain into the monitor is legitimate; mapped only in the SIM address space.
  • Entry/exit gates: mapped in both address spaces; writable only in the SIM address space; tiny, carefully crafted code.
  • Kernel code/data: mapped in the SIM address space so the monitor can read and write it at native speed, but not executable there (the monitor cannot accidentally run untrusted code).

  11. Entry/exit gates
  • Entry gate:
    • disable interrupts (still in the untrusted address space)
    • save the CPU state to the stack
    • switch the address space (load the SIM page table)
    • re-disable interrupts (now in the SIM address space)
    • switch to a stack private to the SIM address space
    • run the invocation checker
  • Exit gate:
    • restore the stack, page table and CPU state
    • re-enable interrupts
    • jump to the return point in the untrusted code

  12. How the design meets the security requirements
  • Isolation of the monitor's code and data (S1): the hypervisor does not allow the monitor's code and data to be mapped into any untrusted address space in the guest VM.
  • Designated point for switching into CM (S2): the only way to enter the trusted address space from the untrusted one is via the entry gates.
  • A handler is called if and only if the corresponding hook executes (S3): each hook invokes a corresponding entry gate, which eventually calls a corresponding handler, and each invoker of an entry gate is checked by the invocation checking routine.
  • The behavior of the monitor is not maliciously alterable (S4): no code from the untrusted domain is executable in the trusted address space, and the monitor is not allowed to call into the untrusted kernel.
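To make the address-space layout of slide 10, the gate sequence of slide 11 and the requirement mapping of slide 12 concrete, here is a small model written for this page. It is an added example, not code from the SIM paper or prototype: the region addresses, the two page-table identifiers, the hook table and the 5-byte call length are constructed assumptions, and the "CPU" is a plain struct rather than real x86 state. The model encodes S1, S2 and S4 as checks over the permissions each region has in the untrusted and SIM page tables, and implements the invocation checker (S3) as a lookup that only admits a return address belonging to a registered hook for the gate that was entered.

```c
/* Toy model of the SIM address space, entry/exit gates and invocation
 * checker (slides 10-12). Added example, not the paper's code; all
 * addresses, sizes and the hook table below are constructed. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum { P_R = 1, P_W = 2, P_X = 4 };
enum kind { R_KERNEL, R_GATE, R_SIM };

typedef struct {
    const char *name;
    uint64_t base, size;
    unsigned untrusted;   /* permissions in the untrusted (guest kernel) page table */
    unsigned sim;         /* permissions in the SIM page table */
    enum kind kind;
} region_t;

/* Constructed layout of the guest system address space. */
static const region_t layout[] = {
    {"guest kernel code/data", 0x80000000u, 0x10000000u, P_R|P_W|P_X, P_R|P_W,     R_KERNEL},
    {"entry/exit gates",       0x90000000u, 0x1000u,     P_R|P_X,     P_R|P_W|P_X, R_GATE},
    {"SIM code/data, checker", 0x91000000u, 0x100000u,   0,           P_R|P_W|P_X, R_SIM},
};
#define NREG (sizeof layout / sizeof layout[0])

/* S1, S2 and S4 expressed as checks on the two page tables. */
bool layout_satisfies_requirements(const region_t *r, size_t n) {
    for (size_t i = 0; i < n; i++) {
        switch (r[i].kind) {
        case R_SIM:      /* S1: monitor code/data never mapped in the untrusted space */
            if (r[i].untrusted != 0) return false;
            break;
        case R_GATE:     /* S2: gates executable from both spaces, writable only in SIM */
            if (!(r[i].untrusted & P_X) || (r[i].untrusted & P_W)) return false;
            if (!(r[i].sim & P_X)) return false;
            break;
        case R_KERNEL:   /* S4: guest code readable/writable (P2) but never executable in SIM */
            if (r[i].sim & P_X) return false;
            break;
        }
    }
    return true;
}

typedef struct { uint64_t hook_site; uint64_t gate; int handler; } hook_t;
/* Constructed hook table: each hook site calls exactly one entry gate. */
static const hook_t hooks[] = {
    {0x80401000u, 0x90000000u, 1},
    {0x80402000u, 0x90000080u, 2},
};
#define CALL_LEN 5   /* assumed length of an x86 near call rel32 at the hook site */

/* Invocation checker (S3): the return address pushed by the call into this
 * gate must be the instruction right after a hook registered for this gate.
 * Returns the handler to run, or 0 to refuse. */
int invocation_check(uint64_t gate, uint64_t ret_addr) {
    for (size_t i = 0; i < sizeof hooks / sizeof hooks[0]; i++)
        if (hooks[i].gate == gate && hooks[i].hook_site + CALL_LEN == ret_addr)
            return hooks[i].handler;
    return 0;
}

typedef struct { uint64_t cr3, rsp; bool irq_enabled; } cpu_t;
#define UNTRUSTED_CR3 0x1000u
#define SIM_CR3       0x2000u
#define SIM_STACK_TOP 0x910FF000u   /* inside the SIM-only region */

/* Entry gate, invocation check, (handler), exit gate, in the order of slide 11.
 * Returns the handler id that was admitted (0 if the checker rejected the caller). */
int sim_invoke(cpu_t *cpu, uint64_t gate, uint64_t ret_addr) {
    cpu->irq_enabled = false;           /* disable interrupts (untrusted space) */
    cpu_t saved = *cpu;                 /* save CPU state to the stack */
    cpu->cr3 = SIM_CR3;                 /* switch address space */
    cpu->irq_enabled = false;           /* re-disable interrupts (SIM space) */
    cpu->rsp = SIM_STACK_TOP;           /* switch to the SIM-private stack */
    int handler = invocation_check(gate, ret_addr);
    /* a real handler would run here, only if handler != 0 */
    *cpu = saved;                       /* exit: restore stack, page table, CPU state */
    cpu->irq_enabled = true;            /* re-enable interrupts, jump to return point */
    return handler;
}

int main(void) {
    cpu_t cpu = {UNTRUSTED_CR3, 0x80800000u, true};
    printf("layout ok: %d\n", layout_satisfies_requirements(layout, NREG));
    printf("legit hook -> handler %d\n", sim_invoke(&cpu, 0x90000000u, 0x80401005u));
    printf("forged entry -> handler %d\n", sim_invoke(&cpu, 0x90000000u, 0x90000000u));
    return 0;
}
```

The point of the checker is that an adversary who jumps into an entry gate from arbitrary untrusted code still lands in the SIM address space (the gate page is executable there), but the only thing that code can reach is the checker, which finds no registered hook for the forged return address and admits no handler.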

  13. Implementation
  • Host: a Linux distribution (KVM)
  • Guest OS: Windows XP SP2
  • Initialization:
    • reserve virtual address ranges in the system address space for creating the entry and exit gates
    • create the SIM virtual address space through the hypervisor component
    • load a security monitor application into the SIM address space
    • install the routines that perform the switch into the SIM address space

  14. Experimental Evaluation

  15. System call tracing macrobenchmarks

  16. Conclusion
  • SIM is a general-purpose in-VM monitoring framework.
  • It provides the same security guarantees as out-of-VM monitoring with the low performance overhead of in-VM monitoring.
  • Considering only monitor invocation time, SIM reduces monitoring overhead by a factor of 11 relative to the out-of-VM approach.
  • System call tracing: SIM introduces an overhead of 13.7%, compared with 690.5% for the out-of-VM approach.
  • Overall macrobenchmark: SIM's overhead stays below 10%, compared with 128% for the out-of-VM approach.

  17. Thank You
