Cloud computing ushers in an era of consolidated information technology infrastructure that is elastic, available and scalable. Virtualization is a critical building block in this evolution and enables centralized, consistent, and policy-driven administration of the underlying computing resources and their protection. This paper presents a cloud-based application whitelisting system called CLAW, which leverages this centralized management flexibility to guarantee that only application binaries in a pre-approved set are allowed to run in each virtual machine under its management. In addition, by applying virtual machine introspection technology, CLAW performs this security policy enforcement without installing any agents inside the managed VMs. We describe the key techniques in the design and implementation of CLAW and compare them with previous hypervisor-based application whitelisting systems. Empirical measurements on a Xen-based CLAW prototype for Windows-based virtual machines show that the run-time performance overhead of out-of-VM application whitelisting is under 10%.
[1]
David Lie,et al.
Manitou: a layer-below approach to fighting malware
,
2006,
ASID '06.
[2]
Tzi-cker Chiueh,et al.
Automatic extraction of accurate application-specific sandboxing policy
,
2005,
MILCOM 2005 - 2005 IEEE Military Communications Conference.
[3]
Wenke Lee,et al.
Ether: malware analysis via hardware virtualization extensions
,
2008,
CCS.
[4]
Peng Ning,et al.
HIMA: A Hypervisor-Based Integrity Measurement Agent
,
2009,
2009 Annual Computer Security Applications Conference.
[5]
Tal Garfinkel,et al.
A Virtual Machine Introspection Based Architecture for Intrusion Detection
,
2003,
NDSS.
[6]
Stephen Fewer.
Reflective Dll Injection
,
2008
.
[7]
Tzi-cker Chiueh,et al.
Checking array bound violation using segmentation hardware
,
2005,
2005 International Conference on Dependable Systems and Networks (DSN'05).
[8]
David Lie,et al.
Hypervisor Support for Identifying Covertly Executing Binaries
,
2008,
USENIX Security Symposium.