Secure Observation of Kernel Behavior

Operating system kernels are difficult to understand and monitor. Hardware virtualization provides a layer where security tools can observe a kernel, but the gap between operating system abstractions and hardware accesses limits the ability of tools to comprehend the kernel’s activity. Virtual machine introspection (VMI) builds knowledge of high-level kernel state by directly accessing the memory of an executing kernel. We show that implementations of introspection-based tools unsafely rely on operating system level data structures to provide meaningful information about a guest. We evade XenAccess, an open source implementation of introspection developed for Xen. We then develop Wizard, a Xen-based kernel monitor cognizant of the semantic correlation between events at a high-level kernel service interface and events at a low-level hardware device interface. In contrast to VMI, Wizard trusts no guest OS data, but its semantic understanding still identifies kernel-level attacks that alter the kernel’s execution behavior. Wizard’s monitoring imposes modest overheads of 0%–25% on guest applications.

[1]  Wenke Lee,et al.  Secure and Flexible Monitoring of Virtual Machines , 2007, Twenty-Third Annual Computer Security Applications Conference (ACSAC 2007).

[2]  Christopher Krügel,et al.  Exploring Multiple Execution Paths for Malware Analysis , 2007, 2007 IEEE Symposium on Security and Privacy (SP '07).

[3]  Xuxian Jiang,et al.  "Out-of-the-Box" Monitoring of VM-Based High-Interaction Honeypots , 2007, RAID.

[4]  Michael W. Hicks,et al.  Automated detection of persistent kernel control-flow attacks , 2007, CCS '07.

[5]  Weibo Gong,et al.  Anomaly detection using call stack information , 2003, 2003 Symposium on Security and Privacy, 2003..

[6]  R. Sekar,et al.  A fast automaton-based method for detecting anomalous program behaviors , 2001, Proceedings 2001 IEEE Symposium on Security and Privacy. S&P 2001.

[7]  Jun Xu,et al.  Non-Control-Data Attacks Are Realistic Threats , 2005, USENIX Security Symposium.

[8]  Tal Garfinkel,et al.  A Virtual Machine Introspection Based Architecture for Intrusion Detection , 2003, NDSS.

[9]  David A. Wagner,et al.  Mimicry attacks on host-based intrusion detection systems , 2002, CCS '02.

[10]  Stefan Berger,et al.  Building a MAC-based security architecture for the Xen open-source hypervisor , 2005, 21st Annual Computer Security Applications Conference (ACSAC'05).

[11]  Carlos Maziero,et al.  Intrusion detection in virtual machine environments , 2004 .

[12]  Paul C. van Oorschot,et al.  A generic attack on checksumming-based software tamper resistance , 2005, 2005 IEEE Symposium on Security and Privacy (S&P'05).

[13]  Yoshiyasu Takefuji,et al.  Towards a tamper-resistant kernel rootkit detector , 2007, SAC '07.

[14]  Kymie M. C. Tan,et al.  Undermining an Anomaly-Based Intrusion Detection System Using Common Exploits , 2002, RAID.

[15]  Arati Baliga,et al.  Lurking in the Shadows: Identifying Systemic Threats to Kernel Data , 2007, 2007 IEEE Symposium on Security and Privacy (SP '07).

[16]  Kevin Borders,et al.  Towards protecting sensitive files in a compromised system , 2005, Third IEEE International Security in Storage Workshop (SISW'05).

[17]  William A. Arbaugh,et al.  An Architecture for Specification-Based Detection of Semantic Integrity Violations in Kernel Dynamic Data , 2006, USENIX Security Symposium.

[18]  Xuxian Jiang,et al.  Towards a VMM-based usage control framework for OS kernel integrity protection , 2007, SACMAT '07.

[19]  Andrea C. Arpaci-Dusseau,et al.  Antfarm: Tracking Processes in a Virtual Machine Environment , 2006, USENIX Annual Technical Conference, General Track.

[20]  Stephanie Forrest,et al.  Intrusion Detection Using Sequences of System Calls , 1998, J. Comput. Secur..

[21]  David A. Wagner,et al.  Intrusion detection via static analysis , 2001, Proceedings 2001 IEEE Symposium on Security and Privacy. S&P 2001.

[22]  Niels Provos,et al.  A Virtual Honeypot Framework , 2004, USENIX Security Symposium.

[23]  Helen J. Wang,et al.  SubVirt: implementing malware with virtual machines , 2006, 2006 IEEE Symposium on Security and Privacy (S&P'06).

[24]  Xuxian Jiang,et al.  Stealthy malware detection through vmm-based "out-of-the-box" semantic view reconstruction , 2007, CCS '07.