HIMA: A Hypervisor-Based Integrity Measurement Agent

Integrity measurement is a key issue in building trust in distributed systems. A good solution to integrity measurement has to provide both strong isolation between the measurement agent and the measurement target and Time of Check to Time of Use (TOCTTOU) consistency (i.e., consistency between the measured version and the executed version throughout the lifetime of the target). Unfortunately, none of the previous approaches provide (or can be easily modified to provide) both capabilities. This paper presents HIMA, a hypervisor-based agent that measures the integrity of Virtual Machines (VMs) running on top of the hypervisor and provides both capabilities identified above. HIMA performs two complementary tasks: (1) active monitoring of critical guest events and (2) guest memory protection. The former guarantees that the integrity measurements are refreshed whenever the guest VM memory layout changes (e.g., upon creation of processes), while the latter ensures that integrity measurement of user programs cannot be bypassed without HIMA's knowledge. This paper also reports the experimental evaluation of a HIMA prototype using both micro-benchmarks and application benchmarks; the experimental results indicate that HIMA is a practical solution for real-world applications.
