Modeling the Runtime Integrity of Cloud Servers: A Scoped Invariant Perspective

One of the underpinnings of Cloud Computing security is the runtime integrity of individual Cloud servers. Because runtime software vulnerabilities such as buffer overflows continue to be discovered, it is critical to be able to gauge the integrity of a Cloud server as it operates. In this paper, we propose scoped invariants as a primitive for analyzing a software system for its integrity properties. We report our experience with the modeling and detection of scoped invariants, using the Xen Virtual Machine Manager as a case study. Our research identifies a set of essential scoped invariants that are critical to the runtime integrity of Xen. One such property, that the addressable memory limit of a guest OS must not include Xen’s code and data, is indispensable for Xen’s guest isolation mechanism. The violation of this property shows that an attacker only needs to modify a single byte in the Global Descriptor Table to achieve that goal.
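The guest-addressability invariant named above can be checked mechanically from the GDT alone. The following C program is an added example, not code from the paper or from Xen: it decodes x86 segment descriptors using the layout from the Intel SDM (Vol. 3A), computes each segment's effective limit with the granularity bit applied, and flags any guest-scoped descriptor whose addressable range reaches the hypervisor. The hypervisor start address (`HYPERVISOR_START`), the choice to scope the check to descriptors with DPL greater than 0, and the sample GDT entries are all constructed assumptions for illustration.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Assumed hypervisor placement (placeholder, not Xen's real layout):
 * everything at or above this linear address belongs to the hypervisor. */
#define HYPERVISOR_START 0xFC000000u

typedef struct {
    uint32_t base;        /* 32-bit segment base */
    uint32_t limit;       /* effective inclusive byte limit (granularity applied) */
    bool     present;     /* P bit */
    bool     granularity; /* G bit: limit is in 4 KiB pages when set */
    unsigned dpl;         /* descriptor privilege level */
} seg_desc_t;

/* Decode one 8-byte GDT descriptor (Intel SDM Vol. 3A, Figure 3-8 layout). */
seg_desc_t decode_descriptor(const uint8_t d[8]) {
    seg_desc_t s;
    uint32_t raw_limit = (uint32_t)d[0] | ((uint32_t)d[1] << 8)
                       | ((uint32_t)(d[6] & 0x0F) << 16);        /* 20-bit limit */
    s.base = (uint32_t)d[2] | ((uint32_t)d[3] << 8)
           | ((uint32_t)d[4] << 16) | ((uint32_t)d[7] << 24);
    s.present     = (d[5] & 0x80) != 0;
    s.dpl         = (d[5] >> 5) & 3;
    s.granularity = (d[6] & 0x80) != 0;
    /* With G set, the low 12 bits of the byte limit are all ones. */
    s.limit = s.granularity ? ((raw_limit << 12) | 0xFFF) : raw_limit;
    return s;
}

/* Scoped invariant: a usable guest segment must not address hypervisor memory.
 * The top address is base + limit (inclusive); computed in 64 bits so that a
 * range that wraps past 4 GiB is also treated as a violation. */
bool guest_segment_ok(const uint8_t d[8], uint32_t hyp_start) {
    seg_desc_t s = decode_descriptor(d);
    if (!s.present)
        return true;                     /* non-present: cannot be used to address memory */
    uint64_t top = (uint64_t)s.base + s.limit;
    return top < hyp_start;
}

/* Scope assumption: only descriptors with DPL > 0 are guest-usable; ring-0
 * descriptors belong to the hypervisor and are outside this invariant.
 * Returns the number of violating entries. */
int check_gdt(const uint8_t (*gdt)[8], int entries, uint32_t hyp_start) {
    int violations = 0;
    for (int i = 0; i < entries; i++) {
        seg_desc_t s = decode_descriptor(gdt[i]);
        if (!s.present || s.dpl == 0)
            continue;                    /* out of scope */
        if (!guest_segment_ok(gdt[i], hyp_start)) {
            printf("GDT[%d]: base=0x%08x limit=0x%08x reaches hypervisor\n",
                   i, s.base, s.limit);
            violations++;
        }
    }
    return violations;
}

/* Constructed sample descriptors (not captured from a real system). */
/* Flat ring-3 data segment, base 0, limit 0xFBFFF pages -> top 0xFBFFFFFF. */
static const uint8_t GUEST_DATA_OK[8]  = {0xFF, 0xBF, 0x00, 0x00, 0x00, 0xF2, 0xCF, 0x00};
/* Same segment with one byte of the limit changed -> top 0xFFFFFFFF. */
static const uint8_t GUEST_DATA_BAD[8] = {0xFF, 0xFF, 0x00, 0x00, 0x00, 0xF2, 0xCF, 0x00};
/* Ring-0 hypervisor data segment covering all memory: out of scope. */
static const uint8_t HYP_DATA[8]       = {0xFF, 0xFF, 0x00, 0x00, 0x00, 0x92, 0xCF, 0x00};

static const uint8_t SAMPLE_GDT[4][8] = {
    {0, 0, 0, 0, 0, 0, 0, 0},                                  /* null descriptor */
    {0xFF, 0xBF, 0x00, 0x00, 0x00, 0xF2, 0xCF, 0x00},          /* GUEST_DATA_OK  */
    {0xFF, 0xFF, 0x00, 0x00, 0x00, 0xF2, 0xCF, 0x00},          /* GUEST_DATA_BAD */
    {0xFF, 0xFF, 0x00, 0x00, 0x00, 0x92, 0xCF, 0x00},          /* HYP_DATA       */
};

int main(void) {
    int v = check_gdt(SAMPLE_GDT, 4, HYPERVISOR_START);
    printf("%d violation(s) of the guest addressability invariant\n", v);
    (void)GUEST_DATA_OK; (void)GUEST_DATA_BAD; (void)HYP_DATA;
    return v ? 1 : 0;
}
```

Running the program reports exactly one violation, the entry whose limit byte differs from the valid guest segment; the ring-0 descriptor covering all memory is skipped because the invariant is scoped to guest-usable descriptors. A monitor would run such a check periodically (or on every GDT write, if the hypervisor intercepts them) against the live table rather than against constructed samples.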
