Virtualizing system and ordinary services in Windows-based OS-level virtual machines

OS-level virtualization incurs smaller start-up and run-time overhead than HAL-based virtualization and thus forms an important building block for developing fault-tolerant and intrusion-tolerant applications. A complete implementation of OS-level virtualization on the Windows platform requires virtualization of Windows services, such as system services like the Remote Procedure Call Server Service (RPCSS), because they are essentially extensions of the kernel. As Windows system services work very differently from their counterparts on UNIX-style OS, i.e., daemons, and many of their implementation details are proprietary, virtualizing Windows system services turned out to be the most challenging technical barrier for OS-level virtualization for the Windows platform. In this paper, we describe a general technique to virtualize Windows services, and demonstrate its effectiveness by applying it to successfully virtualize a set of important Windows system services and ordinary services on different versions of Windows OS, including RPCSS, DcomLaunch, IIS service group, Tlntsvr, MySQL, Apache2.2, CiSvc, ImapiService, etc.

[1]  Xiaofeng Meng,et al.  An OS Security Protection Model for Defeating Attacks from Network , 2007, ICISS.

[2]  Shan Zhi-yong Design of an Architecture for Process Runtime Integrity Measurement , 2009 .

[3]  Tzi-cker Chiueh,et al.  Enforcing Mandatory Access Control in Commodity OS to Disable Malware , 2012, IEEE Transactions on Dependable and Secure Computing.

[4]  Zhiyong Shan,et al.  Compatible and Usable Mandatory Access Control for Good-enough OS Security , 2009, 2009 Second International Symposium on Electronic Commerce and Security.

[5]  Tzi-cker Chiueh,et al.  Malware Clearance for Secure Commitment of OS-Level Virtual Machines , 2013, IEEE Transactions on Dependable and Secure Computing.

[6]  Jeff Dike,et al.  A user-mode port of the Linux kernel , 2000, Annual Linux Showcase & Conference.

[7]  Hui Liu,et al.  Automatic detection of integer sign vulnerabilities , 2008, 2008 International Conference on Information and Automation.

[8]  Tzi-cker Chiueh,et al.  Tracer: enforcing mandatory access control in commodity OS with the support of light-weight intrusion detection and tracing , 2011, ASIACCS '11.

[9]  Yang Yu,et al.  A feather-weight virtual machine for windows applications , 2006, VEE '06.

[10]  Meng Xiaofeng Access control model for enhancing survivability , 2008 .

[11]  Shan Zhi A STUDY OF SECURITY ATTRIBUTES IMMEDIATE REVOCATION IN SECURE OS , 2002 .

[12]  Yang Yu,et al.  Applications of a feather-weight virtual machine , 2008, VEE '08.

[13]  吴自容 Process Explorer——超强任务管理器 , 2004 .

[14]  Shan Zhi A Study of Extending Generalized Framework for Access Control , 2003 .

[15]  Yang Yu,et al.  Confining windows inter-process communications for OS-level virtual machine , 2009, VDTS '09.

[16]  Xiao Li,et al.  Operating system mechanisms for TPM-based lifetime measurement of process integrity , 2009, 2009 IEEE 6th International Conference on Mobile Adhoc and Sensor Systems.

[17]  Shan Zhiyong and Shi Wenchang STBAC: A New Access Control Model for Operating System , 2008 .

[18]  ChiuehTzi-cker,et al.  Facilitating inter-application interactions for OS-level virtualization , 2012 .

[19]  Shi Wen DESIGN AND IMPLEMENTATION OF SECURE LINUX KERNEL SECURITY FUNCTIONS , 2001 .

[20]  Shan Zhiyong Research on Framework for Multi-policy , 2007 .

[21]  ともやん,et al.  Microsoft Virtual PC , 2009 .

[22]  Shan Zhi A Study of Generalized Environment-Adaptable Multi-Policies Supporting Framework , 2003 .

[23]  Shan Zhi An Operating System Oriented RBAC Model and Its Implementation , 2004 .

[24]  Xiaofeng Meng,et al.  Safe side effects commitment for OS-level virtualization , 2011, ICAC '11.