Using OS Design Patterns to Provide Reliability and Security as-a-Service for VM-based Clouds

This paper extends the concepts behind cloud services to offer hypervisor-based reliability and security monitors for cloud virtual machines. Cloud VMs can be heterogeneous and as such guest OS parameters needed for monitoring can vary across different VMs and must be obtained in some way. Past work involves running code inside the VM, which is unacceptable for a cloud environment. We solve this problem by recognizing that there are common OS design patterns that can be used to infer monitoring parameters from the guest OS. We extract information about the cloud user's guest OS with the user's existing VM image and knowledge of OS design patterns as the only inputs to analysis. To demonstrate the range of monitoring functionality possible with this technique, we implemented four sample monitors: a guest OS process tracer, an OS hang detector, a return-to-user attack detector, and a process-based keylogger detector.

[1]  Jakob Nielsen,et al.  Chapter 4 – The Usability Engineering Lifecycle , 1993 .

[2]  Niels Provos,et al.  Improving Host Security with System Call Policies , 2003, USENIX Security Symposium.

[3]  Tal Garfinkel,et al.  A Virtual Machine Introspection Based Architecture for Intrusion Detection , 2003, NDSS.

[4]  R. Krishnakumar Kernel korner: kprobes-a kernel debugger , 2005 .

[5]  Fabrice Bellard,et al.  QEMU, a Fast and Portable Dynamic Translator , 2005, USENIX Annual Technical Conference, FREENIX Track.

[6]  Hervé Rivano,et al.  Optimal positioning of active and passive monitoring devices , 2005, CoNEXT '05.

[7]  Andrea C. Arpaci-Dusseau,et al.  Antfarm: Tracking Processes in a Virtual Machine Environment , 2006, USENIX Annual Technical Conference, General Track.

[8]  Wenke Lee,et al.  Secure and Flexible Monitoring of Virtual Machines , 2007, Twenty-Third Annual Computer Security Applications Conference (ACSAC 2007).

[9]  Clemens Kolbitsch,et al.  Kernel-mode exploits primer , 2007 .

[10]  Adrian Perrig,et al.  SecVisor: a tiny hypervisor to provide lifetime kernel code integrity for commodity OSes , 2007, SOSP.

[11]  W. Timothy Strayer,et al.  A Topological Analysis of Monitor Placement , 2007, Sixth IEEE International Symposium on Network Computing and Applications (NCA 2007).

[12]  Xuxian Jiang,et al.  "Out-of-the-Box" Monitoring of VM-Based High-Interaction Honeypots , 2007, RAID.

[13]  J. Mugler,et al.  Proceedings Formatting Team , 2002 .

[14]  Kuniyasu Suzaki,et al.  Xenprobus, a Lightweight User-Space Probing Framework for Xen Virtual Machine , 2007, USENIX Annual Technical Conference.

[15]  A. Kivity,et al.  kvm : the Linux Virtual Machine Monitor , 2007 .

[16]  Andrea C. Arpaci-Dusseau,et al.  VMM-based hidden process detection and identification using Lycosid , 2008, VEE '08.

[17]  Wenke Lee,et al.  Lares: An Architecture for Secure Active Monitoring Using Virtualization , 2008, 2008 IEEE Symposium on Security and Privacy (sp 2008).

[18]  Wenke Lee,et al.  Secure in-VM monitoring using hardware virtualization , 2009, CCS.

[19]  Muli Ben-Yehuda,et al.  The Turtles Project: Design and Implementation of Nested Virtualization , 2010, OSDI.

[20]  Cristiano Giuffrida,et al.  Bait Your Hook: A Novel Detection Technique for Keyloggers , 2010, RAID.

[21]  P. Mell,et al.  The NIST Definition of Cloud Computing , 2011 .

[22]  Jonathon T. Giffin,et al.  2011 IEEE Symposium on Security and Privacy Virtuoso: Narrowing the Semantic Gap in Virtual Machine Introspection , 2022 .

[23]  Bryan D. Payne,et al.  Simplifying virtual machine introspection using LibVMI. , 2012 .

[24]  Yangchun Fu,et al.  Space Traveling across VM: Automatically Bridging the Semantic Gap in Virtual Machine Introspection via Online Kernel Data Redirection , 2012, 2012 IEEE Symposium on Security and Privacy.

[25]  Xiangyu Zhang,et al.  SPIDER: stealthy binary program instrumentation and debugging via hardware virtualization , 2013, ACSAC.

[26]  Zhongshu Gu,et al.  FACE-CHANGE: Application-Driven Dynamic Kernel View Switching in a Virtual Machine , 2014, 2014 44th Annual IEEE/IFIP International Conference on Dependable Systems and Networks.

[27]  Heng Yin,et al.  Make it work, make it right, make it fast: building a platform-neutral whole-system dynamic binary analysis platform , 2014, ISSTA 2014.

[28]  Ravishankar K. Iyer,et al.  Reliability and Security Monitoring of Virtual Machines Using Hardware Architectural Invariants , 2014, 2014 44th Annual IEEE/IFIP International Conference on Dependable Systems and Networks.

[29]  Trent Jaeger,et al.  Monitor placement for large-scale systems , 2014, SACMAT '14.

[30]  Ravishankar K. Iyer,et al.  Preemptive intrusion detection: theoretical framework and real-world measurements , 2015, HotSoS.

[31]  Eyal de Lara,et al.  Exploring VM Introspection: Techniques and Trade-offs , 2015, VEE.

[32]  Ravishankar K. Iyer,et al.  Dynamic VM Dependability Monitoring Using Hypervisor Probes , 2015, 2015 11th European Dependable Computing Conference (EDCC).

[33]  Nam Sung Kim,et al.  Bolt: Faster Reconfiguration in Operating Systems , 2015, USENIX Annual Technical Conference.

[34]  Jinpeng Wei,et al.  MOSE: Live Migration Based On-the-Fly Software Emulation , 2015, ACSAC.