Secure and Robust Monitoring of Virtual Machines through Guest-Assisted Introspection

Current monitoring solutions for virtual machines do not provide both security and robustness. Out-of-guest applications achieve security by using virtual machine introspection and not relying on in-guest components, but they lack robustness because of the semantic gap: they must reconstruct guest state from raw memory without the guest OS's own abstractions, so they break whenever the guest's data structures change. In-guest applications achieve robustness by using guest OS code for monitoring, but not security, since an attacker who controls the guest can tamper with both that code and the monitoring application itself. In this paper we propose SYRINGE, a secure and robust infrastructure for monitoring virtual machines. SYRINGE protects the monitoring application by placing it in a separate virtual machine (as in the out-of-guest approach) while still allowing it to invoke guest functions (as in the in-guest approach), using a technique known as function-call injection. SYRINGE verifies that the invoked guest OS code executes securely by using a second technique, localized shepherding, which checks the control flow of the injected call while it runs in the guest. Together, these two techniques let SYRINGE combine the security of out-of-guest monitoring with the robustness of in-guest monitoring. We implemented a prototype of SYRINGE as a Linux application that monitors a guest running Windows XP, and evaluated its performance and security. We also implemented a monitoring application on top of SYRINGE to demonstrate its usefulness. Our results show that, with a calling period of 1 second, the performance overhead this application imposes on the guest is 8%.
