Hypervisor-based background encryption

To prevent data breaches, many organizations deploy full disk encryption on their computers. While OS-based encryption is widely accepted in practice, hypervisor-based encryption offers significant advantages, such as OS independence and a more secure environment. Unfortunately, the initial deployment cost of hypervisor-based encryption systems is rarely discussed. In this paper, we present a hypervisor-based encryption scheme that allows instant deployment of full disk encryption into existing systems without disturbing users' activities. To avoid waiting for encryption to complete, the hypervisor performs background encryption that does not incur a significant performance penalty on the guest OS, carefully watching guest OS activity and moderating the encryption speed accordingly. By exploiting BitVisor, a thin hypervisor for enforcing security that can be easily injected into existing systems, our scheme requires no conversion of disk images and no modification of OS configurations to install the hypervisor. Our experimental results on Windows 7 show that application benchmark scores are not significantly affected by the background encryption and that the overhead on sequential disk access throughput is at most 24%. The throughput of our background encryption is comparable to that of existing OS-based background encryption systems.
