Hypervisor Integrity Measurement Assistant

Lars Rasmusson, Mazdak Rajabi Nasab

Abstract

An attacker who has gained access to a computer may want to run arbitrary programs of his choice, and upload or modify configuration files, etc. We can severely restrict the power of the attacker by having a white-list of approved file checksums and a mechanism that prevents the kernel from loading any file with a bad checksum. The check may be placed in the kernel, but that requires a kernel that is prepared for it. The check may also be placed in a hypervisor which intercepts the kernel and prevents the kernel from loading a bad file. Moving the integrity check out from the VM kernel makes it harder for the intruder to bypass the check. We describe the implementation of two systems and give performance results. In the first implementation the checksumming and decision is performed by the hypervisor instead of by the kernel. In the second implementation the kernel computes the checksum and only the final integrity decision is made by the hypervisor. We conclude that it is technically possible to put file integrity control into the hypervisor, both for kernels without and with pre-compiled support for integrity measurement.

References

  1. Bala, V., Duesterwald, E., and Banerjia, S. (2000). Dynamo: a transparent dynamic optimization system. In Proceedings of the ACM SIGPLAN 2000 Conference on Programming Language Design and Implementation, PLDI 7800, pages 1-12, New York, NY, USA. ACM. http://doi.acm.org/10.1145/349299.349303.
  2. Baldwin, A., Dalton, C., Shiu, S., Kostienko, K., and Rajpoot, Q. (2009). Providing secure services for a virtual infrastructure. SIGOPS Oper. Syst. Rev., 43:44- 51. http://doi.acm.org/10.1145/1496909.1496919.
  3. Barham, P., Dragovic, B., Fraser, K., Hand, S., Harris, T., Ho, A., Neugebauer, R., Pratt, I., and Warfield, A. (2003). Xen and the art of virtualization. SIGOPS Oper. Syst. Rev., 37:164-177. http://doi.acm.org/ 10.1145/1165389.945462.
  4. Bruening, D. L. (2004). Efficient, transparent, and comprehensive runtime code manipulation. PhD thesis, Massachusetts Institute of Technology, Cambridge, MA, USA. http://citeseerx.ist.psu.edu/viewdoc/ summary?doi=10.1.1.68.7639.
  5. Christodorescu, M., Sailer, R., Schales, D. L., Sgandurra, D., and Zamboni, D. (2009). Cloud security is not (just) virtualization security: a short paper. In Proceedings of the 2009 ACM Workshop on Cloud Computing Security, CCSW 7809, pages 97-102, New York, NY, USA. ACM. http:// doi.acm.org/10.1145/1655008.1655022.
  6. Constandache, I., Yumerefendi, A., and Chase, J. (2008). Secure control of portable images in a virtual computing utility. In Proceedings of the 1st ACM workshop on Virtual machine security, VMSec 7808, pages 1-8, New York, NY, USA. ACM. http://doi.acm.org/10.1145/1456482.1456484.
  7. Descher, M., Masser, P., Feilhauer, T., Tjoa, A. M., and Huemer, D. (2009). Retaining data control to the client in infrastructure clouds. Availability, Reliability and Security, International Conference on, 0:9-16. http:// doi.ieeecomputersociety.org/10.1109/ARES.2009.78.
  8. Dunlap, G. W., King, S. T., Cinar, S., Basrai, M. A., and Chen, P. M. (2002). Revirt: Enabling intrusion analysis through virtual-machine logging and replay. In Culler, D. E. and Druschel, P., editors, OSDI. USENIX Association. http:// www.usenix.org/events/osdi02/tech/dunlap.html.
  9. Garfinkel, T. and Rosenblum, M. (2003). A virtual machine introspection based architecture for intrusion detection. In In Proc. Network and Distributed Systems Security Symposium, pages 191-206. http:// suif.stanford.edu/papers/vmi-ndss03.pdf.
  10. Lattner, C. and Adve, V. (2004). LLVM: A Compilation Framework for Lifelong Program Analysis & Transformation. In Proceedings of the International Symposium on Code Generation and Optimization: Feedback-directed and Runtime Optimization, CGO 7804, pages 75-, Washington, DC, USA. IEEE Computer Society. http://llvm.org/pubs/2003-09-30- LifelongOptimizationTR.pdf.
  11. Litty, L. and Lie, D. (2006). Manitou: a layerbelow approach to fighting malware. In Torrellas, J., editor, ASID, pages 6-11. ACM. http:// doi.acm.org/10.1145/1181309.1181311.
  12. Mihocka, D. and Shwartsman, S. (2008). Virtualization without direct execution or jitting - designing a portable vm. In 1st Workshop on Architectural and Microarchitectural Support for Binary Translation. http://bochs.sourceforge.net/ Virtualization Without Hardware Final.pdf.
  13. Nasab, M. R. (2012). Security functions for virtual machines via introspection. Master's thesis, Chalmers University, Sweden. http://publications.lib. chalmers.se/records/fulltext/160810.pdf.
  14. Payne, B. D., Carbone, M., and Lee, W. (2007). Secure and Flexible Monitoring of Virtual Machines. Computer Security Applications Conference, Annual, 0:385- 397. http://doi.ieeecomputersociety.org/10.1109/ ACSAC.2007.10.
  15. Reddi, V. J., Settle, A., Connors, D. A., and Cohn, R. S. (2004). PIN: A Binary Instrumentation Tool for Computer Architecture Research and Education. In Proceedings of the 2004 workshop on Computer Architecture Education: held in conjunction with the 31st International Symposium on Computer Architecture, WCAE 7804, New York, NY, USA. ACM.
  16. http://doi.acm.org/10.1145/1275571.1275600.
  17. Riley, R., Jiang, X., and Xu, D. (2008). Guest-transparent prevention of kernel rootkits with vmm-based memory shadowing. In Lippmann, R., Kirda, E., and Trachtenberg, A., editors, RAID, volume 5230 of Lecture Notes in Computer Science, pages 1-20. Springer.
  18. Rodero-Merino, L., Vaquero, L. M., Caron, E., Muresan, A., and Desprez, F. (2012). Building safe paas clouds: A survey on security in multitenant software platforms. Computers & Security, 31(1):96 - 108. http://dx.doi.org/10.1016/j.cose.2011.10.006.
  19. Seshadri, A., Luk, M., Qu, N., and Perrig, A. (2007). Secvisor: a tiny hypervisor to provide lifetime kernel code integrity for commodity oses. In Bressoud, T. C. and Kaashoek, M. F., editors, SOSP, pages 335-350. ACM. http://doi.acm.org/10.1145/1294261.1294294.
  20. Vaquero, L. M., Rodero-Merino, L., and MorĂ¡n, D. (2011). Locking the sky: a survey on IaaS cloud security. Computing, 91:93-118. http://dx.doi.org/10.1007/ s00607-010-0140-x.
  21. Wan, M., Moore, R., and Rajasekar, A. (2009). Integration of cloud storage with data grids. Computing, (October). https://www.irods.org/pubs/ DICE icvci3 mainpaper pub-0910.pdf.
Download


Paper Citation


in Harvard Style

Rasmusson L. and Rajabi Nasab M. (2013). Hypervisor Integrity Measurement Assistant . In Proceedings of the 3rd International Conference on Cloud Computing and Services Science - Volume 1: CLOSER, ISBN 978-989-8565-52-5, pages 26-35. DOI: 10.5220/0004370500260035


in Bibtex Style

@conference{closer13,
author={Lars Rasmusson and Mazdak Rajabi Nasab},
title={Hypervisor Integrity Measurement Assistant},
booktitle={Proceedings of the 3rd International Conference on Cloud Computing and Services Science - Volume 1: CLOSER,},
year={2013},
pages={26-35},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0004370500260035},
isbn={978-989-8565-52-5},
}


in EndNote Style

TY - CONF
JO - Proceedings of the 3rd International Conference on Cloud Computing and Services Science - Volume 1: CLOSER,
TI - Hypervisor Integrity Measurement Assistant
SN - 978-989-8565-52-5
AU - Rasmusson L.
AU - Rajabi Nasab M.
PY - 2013
SP - 26
EP - 35
DO - 10.5220/0004370500260035