VIRTUAL MACHINE SECURITY SYSTEMS (dcm/Teaching/CDA5532-CloudComputing/... · 2011-10-28)


Page 1

VIRTUAL MACHINE SECURITY SYSTEMS

Kumiko Ogawa

Page 2

Virtual Machine Security Systems

by Xin Zhao, Kevin Borders, Atul Prakash

Department of EECS, University of Michigan

Page 3

VM-Based Security

Isolation: the intruder cannot tamper with the security system, even if he or she has subverted a guest VM.

Inspection: the virtual machine monitor can access the entire state of each guest VM.

Interposition: privileged instructions are present, which is what lets the VMM interpose on the guest.

Page 4

Architecture of VM-based Security Services

While VM-based security systems have different features, they usually share a similar architecture.

Page 5

Host-based IDS (HIDS) vs. Network-based IDS (NIDS)

HIDS (monitors software, logs, history):

- Excellent view of what is happening inside

- Highly susceptible to attack

NIDS:

- More resistant to attack

- Poor view of what is happening inside

Page 6

Livewire (VM-based IDS)

OS interface library: provides an OS-level view of the target virtual machine by interpreting the hardware state seen from the VMM.

Policy engine: obtains events from the VMM interface and decides whether or not the system has been compromised.

Example: signature detector (scanning guest memory)
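An added example (not from the slides, and not Livewire's own code) of the two components above: a small "OS interface library" that rebuilds a process list from a constructed raw guest-memory image, and a policy engine that compares it with what the guest reports and runs a signature detector over memory. The task-struct layout, the signature pattern and the hidden-process policy are assumptions for this illustration.

```python
import re
import struct

# Assumed task-struct layout for the constructed guest image:
# pid (u32), address of next task (u32), 16-byte process name.
TASK_FMT = "<II16s"
TASK_SIZE = struct.calcsize(TASK_FMT)

# Constructed placeholder signature the in-memory detector looks for.
SIGNATURES = [re.compile(rb"EVIL_MARKER_[0-9]+")]


def build_guest_memory(tasks, base=0x1000):
    """Construct a fake guest physical-memory image holding a linked task list."""
    mem = bytearray(base + TASK_SIZE * len(tasks))
    for i, (pid, name) in enumerate(tasks):
        addr = base + i * TASK_SIZE
        nxt = base + (i + 1) * TASK_SIZE if i + 1 < len(tasks) else 0
        struct.pack_into(TASK_FMT, mem, addr, pid, nxt, name.encode())
    return bytes(mem), base


def walk_tasks(mem, head):
    """OS interface library: rebuild the OS-level process view from raw memory.
    The 'seen' set stops the walk if a rootkit has looped the list."""
    seen, procs, addr = set(), [], head
    while addr and addr not in seen and addr + TASK_SIZE <= len(mem):
        seen.add(addr)
        pid, nxt, name = struct.unpack_from(TASK_FMT, mem, addr)
        procs.append((pid, name.rstrip(b"\0").decode()))
        addr = nxt
    return procs


def policy_engine(mem, head, guest_reported_pids):
    """Policy engine: flag processes the VMM sees but the guest does not report,
    then run the signature detector over the whole guest memory image."""
    alerts = []
    vmm_view = walk_tasks(mem, head)
    hidden = {pid for pid, _ in vmm_view} - set(guest_reported_pids)
    for pid in sorted(hidden):
        alerts.append(f"hidden process pid={pid}")
    for sig in SIGNATURES:
        for match in sig.finditer(mem):
            alerts.append(f"signature match at 0x{match.start():x}")
    return alerts


if __name__ == "__main__":
    mem, head = build_guest_memory([(1, "init"), (42, "sshd"), (1337, "EVIL_MARKER_7")])
    print(policy_engine(mem, head, guest_reported_pids=[1, 42]))
```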

Page 7

Siren (VM-based IDS)

Detects malicious software operating within a guest virtual machine that attempts to send out information over the network.

(Diagram: keyboard, mouse etc. input on one side; network traffic on the other)

"Siren: Catching Evasive Malware (Short Paper)" by Kevin Borders, Xin Zhao, Atul Prakash

Page 8

SVFS (Secure Virtual File System)

Goal: to protect sensitive files.

All access to sensitive files by applications must first be approved by the DVM (Data Virtual Machine).

VRPCs (Virtual Remote Procedure Calls) are much faster than normal RPCs because they use memory sharing.

Page 9

"Hey, You, Get Off of My Cloud: Exploring Information Leakage in Third-Party Compute Clouds" (2009) by Thomas Ristenpart, Eran Tromer, Hovav Shacham, Stefan Savage

Amazon EC2

Placement

- Placing a malicious VM on the same physical machine which hosts the victim's VM

- Proving co-residence

Cross-VM information leakage

- via manipulation of a shared physical resource

- Side-channel attack

Page 10

sHype (Secure Hypervisor)

Developed by IBM

Implemented for Xen (as an Access Control Module)

Ref: "sHype Hypervisor Security Architecture – A Layered Approach Towards Trusted Virtual Domains" by Reiner Sailer, IBM T. J. Watson Research Center, NY

Page 11

VM-Based Honeypots

A honeypot is a computer system that is set up with the sole intention of luring attackers.

Page 12

Honeypots

Low-interaction

- accepts packets, but gives only a minimal response

- cost effective

High-interaction

- behaves more like a normal computer

- provides more information about attacks

Page 13

VM-based Honeypots

Advantage

- resource multiplexing, which allows more high-interaction honeypots on the same hardware

Disadvantage

- Attackers can detect the VM and avoid the honeypot

Page 14

Potemkin Virtual Honeyfarm (1)

High-interaction honeypot system

VMM requirement

(Diagram: INTERNET -> Gateway -> Virtual Honeyfarm)

(1) Packet received by the gateway

(2) VM created on demand (VM creation must be fast enough to maintain the illusion)

Page 15

Potemkin Virtual Honeyfarm (2)

Traffic reflection

(Diagram: INTERNET -> Gateway -> Virtual Honeyfarm)

(1) If packets are sent out to third parties…

(2) the traffic is redirected back into the honeyfarm
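An added example (not from the slides, and not the Potemkin project's code) modelling the gateway behaviour of the two Potemkin slides: an inbound packet for an unclaimed honeyfarm address spawns a VM on demand, and a packet a honeypot VM tries to send to a third party is reflected to a honeyfarm VM impersonating that destination instead of leaving. The address range, the packet model and the spawn logic are assumptions for this illustration.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed: the address range the honeyfarm advertises to the Internet.
HONEYFARM_NET = ipaddress.ip_network("10.0.0.0/8")


@dataclass
class Packet:
    src: str
    dst: str
    payload: bytes = b""


@dataclass
class Gateway:
    """Minimal model of the honeyfarm gateway (assumed logic, not Potemkin's code)."""
    vms: dict = field(default_factory=dict)   # impersonated address -> VM id
    log: list = field(default_factory=list)

    def spawn_vm(self, addr):
        """Step (2): create a VM on demand to play the host at 'addr'."""
        vm_id = f"vm-{len(self.vms) + 1}"
        self.vms[addr] = vm_id
        self.log.append(f"spawned {vm_id} for {addr}")
        return vm_id

    def inbound(self, pkt):
        """Step (1): a packet from the Internet arrives at the gateway."""
        if ipaddress.ip_address(pkt.dst) not in HONEYFARM_NET:
            return None                      # not addressed to the honeyfarm
        return self.vms.get(pkt.dst) or self.spawn_vm(pkt.dst)

    def outbound(self, vm_id, pkt):
        """Traffic reflection: a honeypot VM's packet to a third party never
        leaves; it is steered to a honeyfarm VM impersonating that destination."""
        reflected = ipaddress.ip_address(pkt.dst) not in HONEYFARM_NET
        target = self.vms.get(pkt.dst) or self.spawn_vm(pkt.dst)
        if reflected:
            self.log.append(f"reflected {vm_id} -> {pkt.dst} into {target}")
        return ("reflected" if reflected else "internal", target)


if __name__ == "__main__":
    gw = Gateway()
    victim_vm = gw.inbound(Packet("198.51.100.7", "10.1.2.3"))
    print(gw.outbound(victim_vm, Packet("10.1.2.3", "203.0.113.5")), gw.log)
```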

Page 16

Collapsar Honeypot Center

Traffic is redirected to the Collapsar Honeypot Center.

Disadvantage: if the redirected traffic is detected…

(Diagram: Redirectors -> Collapsar Honeypot Center)
