Efficiently tracking application interactions using lightweight virtualization

In this paper, we propose a general-purpose framework that harnesses the power of lightweight virtualization to track applications interactions in a scalable an efficient manner. Our goal is to use our framework for application auditing, intrusion detection, analysis, and system recovery from both malicious attacks and programmatic faults. In our framework, we construct each virtualized environment (VE) in a novel way that limits the scope and type of application events that need to be monitored. Our approach maintains the VE and system integrity, having as primarily focused on the interactions among VEs and system resources including the file system, memory, and network. Only events that are pertinent to the integrity of an application and its interactions with the operating system are recorded. We attempt to minimize the system overhead both in terms of system events we have to store and the resources required. Even though we cannot provide application replay, we keep enough information for a wide range of other uses including system recovery and information tracking among others. As a proof of concept, we have implemented a prototype based on OpenVZ[35], a lightweight virtualization tool. Our preliminary results show that, compared to state-of-the-art event recording systems, we can reduce the amount of event recorded per application by almost an order of magnitude.

[1]  Subbarayan Venkatesan,et al.  Forensic analysis of file system intrusions using improved backtracking , 2005, Third IEEE International Workshop on Information Assurance (IWIA'05).

[2]  Tal Garfinkel,et al.  A Virtual Machine Introspection Based Architecture for Intrusion Detection , 2003, NDSS.

[3]  Stefan Berger,et al.  Building a MAC-based security architecture for the Xen open-source hypervisor , 2005, 21st Annual Computer Security Applications Conference (ACSAC'05).

[4]  Damien Deville,et al.  SpyProxy: Execution-based Detection of Malicious Web Content , 2007, USENIX Security Symposium.

[5]  Giovanni Vigna,et al.  Exploiting Execution Context for the Detection of Anomalous System Calls , 2007, RAID.

[6]  Jon Watson,et al.  VirtualBox: bits and bytes masquerading as machines , 2008 .

[7]  Eyal de Lara,et al.  The taser intrusion recovery system , 2005, SOSP '05.

[8]  Wu-chi Feng,et al.  Automatic high-performance reconstruction and recovery , 2007, Comput. Networks.

[9]  Erez Zadok,et al.  Versatility and Unix semantics in namespace unification , 2006, TOS.

[10]  Somesh Jha,et al.  Efficient Context-Sensitive Intrusion Detection , 2004, NDSS.

[11]  David Lie,et al.  Using VMM-based sensors to monitor honeypots , 2006, VEE '06.

[12]  Robert N. M. Watson,et al.  Jails: confining the omnipotent root , 2000 .

[13]  Stephanie Forrest,et al.  Intrusion Detection Using Sequences of System Calls , 1998, J. Comput. Secur..

[14]  Larry L. Peterson,et al.  Container-based operating system virtualization: a scalable, high-performance alternative to hypervisors , 2007, EuroSys '07.

[15]  Andrea C. Arpaci-Dusseau,et al.  Antfarm: Tracking Processes in a Virtual Machine Environment , 2006, USENIX Annual Technical Conference, General Track.

[16]  Samuel T. King,et al.  Debugging Operating Systems with Time-Traveling Virtual Machines (Awarded General Track Best Paper Award!) , 2005, USENIX Annual Technical Conference, General Track.

[17]  Yuanyuan Zhou,et al.  Rx: treating bugs as allergies---a safe method to survive software failures , 2005, SOSP '05.

[18]  Iain D. Craig,et al.  Virtual machines , 2005 .

[19]  Jeff Dike,et al.  A user-mode port of the Linux kernel , 2000, Annual Linux Showcase & Conference.

[20]  Jason Nieh,et al.  Proceedings of the 5th Symposium on Operating Systems Design and Implementation , 2022 .

[21]  Jason Nieh,et al.  DejaView: a personal virtual computer recorder , 2007, SOSP.

[22]  Wenke Lee,et al.  Secure and Flexible Monitoring of Virtual Machines , 2007, Twenty-Third Annual Computer Security Applications Conference (ACSAC 2007).

[23]  ともやん KVM (Kernel-based Virtual Machine) - 仮想化 , 2009 .

[24]  Xuxian Jiang,et al.  "Out-of-the-Box" Monitoring of VM-Based High-Interaction Honeypots , 2007, RAID.

[25]  Wu-chi Feng,et al.  Forensix: a robust, high-performance reconstruction system , 2005, 25th IEEE International Conference on Distributed Computing Systems Workshops.

[26]  Daniel Price,et al.  Solaris Zones: Operating System Support for Consolidating Commercial Workloads , 2004, LISA.

[27]  Tal Garfinkel,et al.  Terra: a virtual machine-based platform for trusted computing , 2003, SOSP '03.

[28]  Stephanie Forrest,et al.  A sense of self for Unix processes , 1996, Proceedings 1996 IEEE Symposium on Security and Privacy.

[29]  Samuel T. King,et al.  Backtracking intrusions , 2003, SOSP '03.

[30]  Samuel T. King,et al.  ReVirt: enabling intrusion analysis through virtual-machine logging and replay , 2002, OPSR.

[31]  Robert J. Creasy,et al.  The Origin of the VM/370 Time-Sharing System , 1981, IBM J. Res. Dev..

[32]  A HofmeyrSteven,et al.  Intrusion detection using sequences of system calls , 1998 .

[33]  Michael Vrable,et al.  Scalability, fidelity, and containment in the potemkin virtual honeyfarm , 2005, SOSP '05.

[34]  Xuxian Jiang,et al.  Stealthy malware detection through vmm-based "out-of-the-box" semantic view reconstruction , 2007, CCS '07.

[35]  Andrea C. Arpaci-Dusseau,et al.  VMM-based hidden process detection and identification using Lycosid , 2008, VEE '08.

[36]  Xuxian Jiang,et al.  Collapsar: A VM-Based Architecture for Network Attack Detention Center , 2004, USENIX Security Symposium.