Gemini: Guest-transparent honey files via hypervisor-level access redirection

Abstract: Data safety has become a critical problem in the face of cyber-attacks aimed at stealing or divulging sensitive information. Once an adversary has gained access to a system storing classified data, that system should actively protect the integrity of the data. To deliberately deceive an attacker, we propose dynamically partitioning accesses to sensitive data so that malicious tampering is prevented. In this paper we present Gemini, a virtualization-based system that transparently redirects accesses to classified files based on the context of the access (e.g., process, user, time of day). If an access violates the preconfigured data-use policy, it is rerouted to a honey version of the file, specifically crafted to be manipulated by the adversary. Gemini thus transforms static, sensitive files into moving targets, and because it resides at the hypervisor level rather than inside the guest it provides strong transparency and tamper-resistance. Our evaluation shows that Gemini effectively neutralizes several real-world attacks on various sensitive files and can be integrated seamlessly into current cloud environments.
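The decision layer the abstract describes, a data-use policy over process, user and time of day under which a violating access is silently served a decoy while a legitimate one sees the real file, as an added stand-alone Python model. This is not Gemini's code and does not perform the hypervisor-level interception itself; the policy shape, file paths, process names and sample accesses are constructed here for illustration.

```python
"""Policy-driven redirection of sensitive-file accesses to honey files.

Illustrative model of the decision layer only (not Gemini's implementation):
given the context of a guest file access and a preconfigured data-use policy,
decide which backing file the guest actually sees. Rules, paths and sample
accesses are constructed for this example.
"""
from dataclasses import dataclass
from datetime import time
from typing import FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Access:
    """Context of one guest file access as a hypervisor-level monitor would observe it."""
    path: str
    process: str
    user: str
    at: time


@dataclass(frozen=True)
class Policy:
    """Data-use policy for one sensitive file (hypothetical rule shape)."""
    real_path: str
    honey_path: str
    allowed_processes: FrozenSet[str]
    allowed_users: FrozenSet[str]
    window: Tuple[time, time]  # (start, end); start > end means the window wraps midnight

    def in_window(self, at: time) -> bool:
        start, end = self.window
        if start <= end:
            return start <= at <= end
        return at >= start or at <= end  # e.g. 22:00-06:00 wraps past midnight

    def violation(self, access: Access) -> Optional[str]:
        """Return the first violated condition, or None if the access is legitimate."""
        if access.process not in self.allowed_processes:
            return "process %r not permitted" % access.process
        if access.user not in self.allowed_users:
            return "user %r not permitted" % access.user
        if not self.in_window(access.at):
            return "access at %s outside permitted window" % access.at.isoformat(timespec="minutes")
        return None


class Redirector:
    """Decides, per access, which backing file the guest is served."""

    def __init__(self, policies: List[Policy]):
        self.policies = {p.real_path: p for p in policies}
        self.alerts: List[Tuple[Access, str]] = []

    def resolve(self, access: Access) -> str:
        policy = self.policies.get(access.path)
        if policy is None:
            return access.path           # not a protected file: pass through untouched
        reason = policy.violation(access)
        if reason is None:
            return policy.real_path      # legitimate: serve the real data
        self.alerts.append((access, reason))
        return policy.honey_path         # violation: serve the decoy, without telling the guest


# Constructed sample policy and accesses (not from the paper).
POLICIES = [
    Policy(
        real_path="/etc/shadow",
        honey_path="/var/lib/honey/shadow.decoy",
        allowed_processes=frozenset({"sshd", "login", "passwd"}),
        allowed_users=frozenset({"root"}),
        window=(time(0, 0), time(23, 59)),
    ),
    Policy(
        real_path="/srv/data/customers.db",
        honey_path="/var/lib/honey/customers.decoy",
        allowed_processes=frozenset({"postgres"}),
        allowed_users=frozenset({"postgres"}),
        window=(time(8, 0), time(18, 0)),
    ),
]

SAMPLE_ACCESSES = [
    Access("/etc/shadow", "sshd", "root", time(3, 15)),                     # legitimate
    Access("/etc/shadow", "cat", "root", time(3, 15)),                      # wrong process: decoy
    Access("/srv/data/customers.db", "postgres", "postgres", time(12, 0)),  # legitimate
    Access("/srv/data/customers.db", "postgres", "postgres", time(2, 0)),   # off-hours: decoy
    Access("/home/alice/notes.txt", "vim", "alice", time(9, 0)),            # unprotected: pass-through
]


def run(accesses=SAMPLE_ACCESSES, policies=POLICIES):
    """Resolve each access and return (served paths, recorded alerts)."""
    redirector = Redirector(policies)
    served = [redirector.resolve(a) for a in accesses]
    return served, redirector.alerts


if __name__ == "__main__":
    served, alerts = run()
    for access, path in zip(SAMPLE_ACCESSES, served):
        print("%-26s %-9s %-9s %s -> %s" % (access.path, access.process, access.user, access.at, path))
    for access, reason in alerts:
        print("ALERT:", access.path, reason)
```

The redirector never returns an error to the guest: a violating access succeeds from the attacker's point of view, which is what makes the decoy useful, while the alert record is the signal a defender watches. Note that the real Gemini design makes this decision below the guest, where a compromised kernel cannot see or alter the policy; this model only captures the decision itself.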
