Checking Function-Level Kernel Control Flow Integrity for Cloud Computing

With the advancement of cloud computing, the control flow integrity (CFI) of virtual machine kernels has become increasingly important for the security of cloud services. Many CFI checking and protection approaches have been proposed. Among them, dynamic analysis approaches have the best detection capability, but they are rarely used because of the high overhead they impose on the monitored virtual machines. In this paper, we propose a function-level kernel CFI checking approach that meets the performance requirements of the cloud. By combining static memory analysis with dynamic tracing, our system achieves high detection capability with low overhead. Because the analysis and tracing targets of our system are kernel functions, it imposes lower overhead on the monitored virtual machines than instruction-level monitors do. We propose two models to describe kernel control flows. After building a database of secure control flows by learning normal behaviors, we can detect abnormal control flows in real time. Using virtualization and virtual machine introspection techniques, we implement a prototype system in a hardware virtualization environment. Our evaluation shows that the system has high detection capability with reasonable overhead.
