Safe side effects commitment for OS-level virtualization

A common application of virtual machines (VM) is to use and then throw away, basically treating a VM like a completely isolated and disposable entity. The disadvantage of this approach is that if there is no malicious activity, the user has to re-do all of the work in her actual workspace since there is no easy way to commit (i.e., merge) only the benign updates within the VM back to the host environment. In this work, we develop a VM commitment system called Secom to automatically eliminate malicious state changes when merging the contents of an OS-level VM to the host. Secom consists of three steps: grouping state changes into clusters, distinguishing between benign and malicious clusters, and committing benign clusters. Secom has three novel features. First, instead of relying on a huge volume of log data, it leverages OS-level information flow and malware behavior information to recognize malicious changes. As a result, the approach imposes a smaller performance overhead. Second, different from existing intrusion detection and recovery systems that detect compromised OS objects one by one, Secom classifies objects into clusters and then identifies malicious objects on a cluster by cluster basis. Third, to reduce the false positive rate when identifying malicious clusters, it simultaneously considers two malware behaviors that are of different types and the origin of the processes that exhibit these behaviors, rather than considers a single behavior alone as done by existing malware detection methods. We have successfully implemented Secom on the Feather-weight Virtual Machine (FVM) system, a Windows-based OS-level virtualization system. Experiments show that the prototype can effectively eliminate malicious state changes while committing a VM with small performance degradation. Moreover, compared with the commercial anti-malware tools, the Secom prototype has a smaller number of false negatives and thus can more thoroughly clean up malware side effects. In addition, the number of false positives of the Secom prototype is also lower than that achieved by the on-line behavior-based approach of the commercial tools.

[1]  Shan Lu,et al.  Flight data recorder: monitoring persistent-state interactions to improve systems management , 2006, OSDI '06.

[2]  Hong Chen,et al.  Usable Mandatory Integrity Protection for Operating Systems , 2007, 2007 IEEE Symposium on Security and Privacy (SP '07).

[3]  H. S. Kim,et al.  Commercial Antivirus Software Effectiveness: An Empirical Study , 2011, Computer.

[4]  Hao Chen,et al.  Back to the Future: A Framework for Automatic Malware Removal and System Repair , 2006, 2006 22nd Annual Computer Security Applications Conference (ACSAC'06).

[5]  Samuel T. King,et al.  Backtracking intrusions , 2003, SOSP '03.

[6]  Jun Zhu,et al.  Optimizing the Performance of Virtual Machine Synchronization for Fault Tolerance , 2011, IEEE Transactions on Computers.

[7]  Tzi-cker Chiueh,et al.  Design, implementation, and evaluation of repairable file service , 2003, 2003 International Conference on Dependable Systems and Networks, 2003. Proceedings..

[8]  Yang Yu,et al.  Applications of a feather-weight virtual machine , 2008, VEE '08.

[9]  Yang Yu Os-level virtualization and its applications , 2007 .

[10]  Bev Littlewood,et al.  Redundancy and Diversity in Security , 2004, ESORICS.

[11]  Heng Yin,et al.  Panorama: capturing system-wide information flow for malware detection and analysis , 2007, CCS '07.

[12]  Christopher Krügel,et al.  Behavior-based Spyware Detection , 2006, USENIX Security Symposium.

[13]  Tzi-cker Chiueh,et al.  Tracer: enforcing mandatory access control in commodity OS with the support of light-weight intrusion detection and tracing , 2011, ASIACCS '11.

[14]  Yang Yu,et al.  A feather-weight virtual machine for windows applications , 2006, VEE '06.

[15]  Carsten Willems,et al.  Learning and Classification of Malware Behavior , 2008, DIMVA.

[16]  Zhenkai Liang,et al.  One-Way Isolation: An Effective Approach for Realizing Safe Execution Environments , 2005, NDSS.

[17]  Christopher Krügel,et al.  Defending Browsers against Drive-by Downloads: Mitigating Heap-Spraying Code Injection Attacks , 2009, DIMVA.

[18]  Sy-Yen Kuo,et al.  Gatekeeper: Monitoring Auto-Start Extensibility Points (ASEPs) for Spyware Management , 2004, LISA.

[19]  Robert N. M. Watson,et al.  Jails: confining the omnipotent root , 2000 .

[20]  Eric Totel,et al.  COTS Diversity Based Intrusion Detection and Application to Web Servers , 2005, RAID.

[21]  Larry L. Peterson,et al.  Container-based operating system virtualization: a scalable, high-performance alternative to hypervisors , 2007, EuroSys '07.

[22]  Christopher Krügel,et al.  Effective and Efficient Malware Detection at the End Host , 2009, USENIX Security Symposium.

[23]  Dutch T. Meyer,et al.  Remus: High Availability via Asynchronous Virtual Machine Replication. (Best Paper) , 2008, NSDI.

[24]  Somesh Jha,et al.  Automatic Generation of Remediation Procedures for Malware Infections , 2010, USENIX Security Symposium.

[25]  Daniel Price,et al.  Solaris Zones: Operating System Support for Consolidating Commercial Workloads , 2004, LISA.