Results 11 - 20 of 58
Enabling secure vm-vtpm migration in private clouds
- in ACSAC 2011
Abstract
Cited by 7 (0 self)
The integration of Trusted Computing technologies into virtualized computing environments enables the hardware-based protection of private information and the detection of malicious software. Their use in virtual platforms, however, requires appropriate virtualization of their main component, the Trusted Platform Module (TPM) by means of virtual TPMs (vTPM). The challenge here is that the use of TPM virtualization should not impede classical platform processes such as virtual machine (VM) migration. In this work, we consider the problem of enabling secure migration of vTPM-based virtual machines in private clouds. We detail the requirements that a secure VM-vTPM migration solution should satisfy in private virtualized environments and propose a vTPM key structure suitable for VM-vTPM migration. We then leverage on this structure to construct a secure VM-vTPM migration protocol. We show that our protocol provides stronger security guarantees when compared to existing solutions for VM-vTPM migration. We evaluate the feasibility of our scheme via an implementation on the Xen hypervisor and we show that it can be directly integrated within existing hypervisors. Our Xen-based implementation can be downloaded as open-source software. Finally, we discuss how our scheme can be extended to support live-migration of vTPM-based VMs.
SPECTRE: A Dependable Introspection Framework via System Management Mode
Abstract
Cited by 6 (4 self)
Virtual Machine Introspection (VMI) systems have been widely adopted for malware detection and analysis. VMI systems use hypervisor technology for system introspection and to expose malicious activity. However, recent malware can detect the presence of virtualization or corrupt the hypervisor state thus avoiding detection. We introduce SPECTRE, a hardware-assisted dependability framework that leverages System Management Mode (SMM) to inspect the state of a system. Contrary to VMI, our trusted code base is limited to BIOS and the SMM implementations. SPECTRE is capable of transparently and quickly examining all layers of running system code including a hypervisor, the OS, and user level applications. We demonstrate several use cases of SPECTRE including heap spray, heap overflow, and rootkit detection using real-world attacks on Windows and Linux platforms. In our experiments, full inspection with SPECTRE is 100 times faster than similar VMI systems because there is no performance overhead due to virtualization.
Keywords: SMM, introspection, memory attacks.
Vigilare: Toward Snoop-based Kernel Integrity Monitor
- In: Proceedings of the 19th ACM Conference on Computer and Communications Security (CCS), 2012
Abstract
Cited by 6 (2 self)
In this paper, we present Vigilare system, a kernel integrity monitor that is architected to snoop the bus traffic of the host system from a separate independent hardware. This snoop-based monitoring enabled by the Vigilare system, overcomes the limitations of the snapshot-based monitoring employed in previous kernel integrity monitoring solutions. Being based on inspecting snapshots collected over a certain interval, the previous hardware-based monitoring solutions cannot detect transient attacks that can occur in between snapshots. We implemented a prototype of the Vigilare system on Gaisler’s grlib-based system-on-a-chip (SoC) by adding Snooper hardware connections module to the host system for bus snooping. To evaluate the benefit of snoop-based monitoring, we also implemented similar SoC with a snapshot-based monitor to be compared with. The Vigilare system detected all the transient attacks without performance degradation while the snapshot-based monitor could not detect all the attacks and induced considerable performance degradation as much as 10% in our tuned STREAM benchmark test.
New Results for Timing-Based Attestation
Abstract
Cited by 6 (0 self)
In this paper we present a comprehensive timing-based attestation system suitable for typical enterprise use, and evidence of that system’s performance. This system, similar to Pioneer [20] but built with relaxed assumptions, successfully detects attacks on code integrity over 10 links of an enterprise network, despite an average of just 1.7% time overhead for the attacker. We also present the first implementation and evaluation of a Trusted Platform Module (TPM) hardware timing-based attestation protocol. We describe the design and results of a set of experiments showing the effectiveness of our timing-based system, thereby providing further evidence of the practicality of timing-based attestation in real-world settings. While system measurement itself is a worthwhile goal, and timing-based attestation systems can provide measurements that are equally as trustworthy as hardware-based attestation systems, we feel that Time Of Check, Time Of Use (TOCTOU) attacks have not received appropriate attention in the literature. To address this topic, we present the three conditions required to execute such an attack, and how past attacks and defenses relate to these conditions.
Keywords: remote attestation; software-based attestation; timing-based attestation; trusted platform module; TOCTOU attack.
Firmware-assisted Memory Acquisition and Analysis Tools for Digital Forensics
Abstract
Cited by 5 (3 self)
Being able to inspect and analyze the operational state of commodity machines is crucial for modern digital forensics. Indeed, volatile system state including memory data and CPU registers contains information that cannot be directly inferred or reconstructed by acquiring the contents of the nonvolatile storage. Unfortunately, it still remains an open problem how to reliably and consistently retrieve the volatile machine state without disrupting its operation. In this paper, we propose to leverage commercial PCI network cards and the current x86 implementation of System Management Mode to reliably replicate the physical memory and critical CPU registers from commodity hardware. Furthermore, we demonstrate how remote state replication can be used for semantic reconstruction, where the analysis of memory structures enables us to interactively perform forensic analysis of the machine’s memory content.
A Non-Inclusive Memory Permissions Architecture for Protection Against Cross-Layer Attacks
Abstract
Cited by 5 (2 self)
Protecting modern computer systems and complex software stacks against the growing range of possible attacks is becoming increasingly difficult. The architecture of modern commodity systems allows attackers to subvert privileged system software often using a single exploit. Once the system is compromised, inclusive permissions used by current architectures and operating systems easily allow a compromised high-privileged software layer to perform arbitrary malicious activities, even on behalf of other software layers. This paper presents a hardware-supported page permission scheme for the physical pages that is based on the concept of non-inclusive sets of memory permissions for different layers of system software such as hypervisors, operating systems, and user-level applications. Instead of viewing privilege levels as an ordered hierarchy with each successive level being more privileged, we view them as distinct levels each with its own set of permissions. Such a permission mechanism, implemented as part of a processor architecture, provides a common framework for defending against a range of recent attacks. We demonstrate that such a protection can be achieved with negligible performance overhead, low hardware complexity and minimal changes to the commodity OS and hypervisor code.
Adaptive data-driven service integrity attestation for multi-tenant cloud systems
- in International Workshop on Quality of Service (IWQoS), 2011
Abstract
Cited by 4 (1 self)
Cloud systems provide a cost-effective service hosting infrastructure for application service providers (ASPs). However, cloud systems are often shared by multiple tenants from different security domains, which makes them vulnerable to various malicious attacks. Moreover, cloud systems often host long-running applications such as massive data processing, which provides more opportunities for attackers to exploit the system vulnerability and perform strategic attacks. In this paper, we present AdapTest, a novel adaptive data-driven runtime service integrity attestation framework for multi-tenant cloud systems. AdapTest can significantly reduce attestation overhead and shorten detection delay by adaptively selecting attested nodes based on dynamically derived trust scores. Our scheme treats attested services as black-boxes and does not impose any special hardware or software requirements on the cloud system or ASPs. We have implemented AdapTest on top of the IBM System S stream processing system and tested it within a virtualized computing cluster. Our experimental results show that AdapTest can reduce attestation overhead by up to 60% and shorten the detection delay by up to 40% compared to previous approaches.
Verifying system integrity by proxy
- In TRUST, 2012
Abstract
Cited by 4 (2 self)
Users are increasingly turning to online services, but are concerned for the safety of their personal data and critical business tasks. While secure communication protocols like TLS authenticate and protect connections to these services, they cannot guarantee the correctness of the endpoint system. Users would like assurance that all the remote data they receive is from systems that satisfy the users’ integrity requirements. Hardware-based integrity measurement (IM) protocols have long promised such guarantees, but have failed to deliver them in practice. Their reliance on non-performant devices to generate timely attestations and ad hoc measurement frameworks limits the efficiency and completeness of remote integrity verification. In this paper, we introduce the integrity verification proxy (IVP), a service that enforces integrity requirements over connections to remote systems. The IVP monitors changes to the unmodified system and immediately terminates connections to clients whose specific integrity requirements are not satisfied while eliminating the attestation reporting bottleneck imposed by current IM protocols. We implemented a proof-of-concept IVP that detects several classes of integrity violations on a Linux KVM system, while imposing less than 1.5% overhead on two application benchmarks and no more than 8% on I/O-bound micro-benchmarks.
SoK: Introspections on Trust and the Semantic Gap
Abstract
Cited by 4 (0 self)
(VMI) is assuring security policy enforcement and overall functionality in the presence of an untrustworthy OS. A fundamental obstacle to this goal is the difficulty in accurately extracting semantic meaning from the hypervisor’s hardware-level view of a guest OS, called the semantic gap. Over the twelve years since the semantic gap was identified, immense progress has been made in developing powerful VMI tools. Unfortunately, much of this progress has been made at the cost of reintroducing trust into the guest OS, often in direct contradiction to the underlying threat model motivating the introspection. Although this choice is reasonable in some contexts and has facilitated progress, the ultimate goal of reducing the trusted computing base of software systems is best served by a fresh look at the VMI design space. This paper organizes previous work based on the essential design considerations when building a VMI system, and then explains how these design choices dictate the trust model and security properties of the overall system. The paper then observes portions of the VMI design space which have been under-explored, as well as potential adaptations of existing techniques to bridge the semantic gap without trusting the guest OS. Overall, this paper aims to create an essential checkpoint in the broader quest for meaningful trust in virtualized environments through VM introspection.
Keywords: VM Introspection, semantic gap, trust.
Trustdump: Reliable memory acquisition on smartphones
- In Proc. European Symposium on Research in Computer Security, 2014
Abstract
Cited by 3 (1 self)
With the wide usage of smartphones in our daily life, new malware is emerging to compromise the mobile OS and steal the sensitive data from the mobile applications. Anti-malware tools should be continuously updated via static and dynamic malware analysis to detect and prevent the newest malware. Dynamic malware analysis depends on a reliable memory acquisition of the OS and the applications running on the smartphones. In this paper, we develop a TrustZone-based memory acquisition mechanism called TrustDump that is capable of reliably obtaining the RAM memory and CPU registers of the mobile OS even if the OS has crashed or has been compromised. The mobile OS is running in the TrustZone’s normal domain, and the memory acquisition tool is running in the TrustZone’s secure domain, which has the access privilege to the memory in the normal domain. Instead of using a hypervisor to ensure an isolation between the OS and the memory acquisition tool, we rely on ARM TrustZone to achieve a hardware-assisted isolation with a small trusted computing base (TCB) of about 450 lines of code. We build a TrustDump prototype on Freescale i.MX53 QSB.