
Study on “Secure In-VM Monitoring Using Hardware Virtualization”

This study explores secure in-VM monitoring using hardware virtualization. It covers the background and requirements, the in-VM and out-of-VM approaches to monitoring, the performance and security requirements a monitor must satisfy, and an evaluation of the in-VM design against out-of-VM monitoring. The reported monitor-invocation overhead of the secure in-VM design is roughly 10 times lower than that of traditional out-of-VM monitoring.


Presentation Transcript


  1. Study on “Secure In-VM Monitoring Using Hardware Virtualization” Qiang Guan, Dependable Computing System Lab, New Mexico Tech

  2. Contents • Background & Requirements • Secure In-VM monitoring • Implementation • Experimental evaluation • Overhead

  3. Background • Rootkits vs. security tools • Rootkit: a software program or coordinated set of programs designed to gain control over a computer system or network of computing systems without being detected. • Security tools: antivirus, intrusion detection systems, security reference monitors

  4. Two approaches • In-VM & Out-of-VM • Notation: A: application; Dp: system data; Cp: system code; Cm: monitor code; Dm: monitor data; K: event hook; H: handler for the event; R: response to the event; Dk: data about the event

  5. Two monitoring modes • Passive vs. Active • Passive: Cm analyzes Cp + Dp • Active: includes hooks and handlers [Figure: monitoring component; an event hook K in a system routine transfers to handler H, which consumes event data Dk and returns response R]

  6. Out-of-VM vs. In-VM • Out-of-VM • Pro: provides security (the monitor is isolated from the monitored system) • Con: poor performance (every event crosses into the hypervisor) • In-VM • Pro: provides performance (low overhead) • Con: no security (the monitor shares the VM with the code it watches and can be tampered with)

  7. Performance requirements • Avoid the overhead of changing privilege between the kernel and the hypervisor • Fast invocation of the monitor • Read/write of system state at native speed • In-VM satisfies these • Out-of-VM cannot, why? • The hypervisor is invoked on every event

  8. Security requirements • Isolate Cm & Dm from Cp & Dp (integrity of Cm & Dm) • Designated points for switching into Cm (a clean, well-defined entry) • K <-> H is a one-to-one mapping (a handler runs if and only if its hook fires) • Monitor is not alterable (H runs only trusted monitor code) • Out-of-VM satisfies these • In-VM cannot, why? • Monitor and monitored code live in the same VM environment

  9. Secure In-VM • An in-VM design that satisfies the security requirements

  10. Secure In-VM • An in-VM design that satisfies the security requirements [Figure: the in-VM design with the new elements added]

  11. Features of SIM (kernel-level monitor) • “One-way view” design of memory mapping • Entry and exit gates • Transfer execution between the system address space and the security monitoring address space • Invocation checker

  12. Virtual memory mapping

  13. Virtual memory mapping • Code and data of SIM are invisible in the system address space

  14. Virtual memory mapping • The entry and exit gates cannot be modified from the system address space (one-to-one policy)

  15. Virtual memory mapping • Kernel code cannot be executed while executing in the security monitoring space (so all code executed in the monitoring space is trusted)

  16. Implementation • Initialization • Reserve the virtual address ranges for the entry and exit gates • Create the SIM virtual address space • Load the security monitor application (as part of the kernel driver) • Create the links between the two spaces (hooks and handlers)
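The following is an added model of the memory-mapping and invocation-checker rules from slides 11 through 16; it is example code written for this page, not the SIM implementation. Page-table permissions are reduced to a per-region permission matrix, the page-table (CR3) switch the real system performs at the gates is a plain variable, and the addresses and the hook-to-handler table are constructed for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Permission bits, as in a page-table entry with an NX bit. */
enum { P_R = 1, P_W = 2, P_X = 4 };
enum region { SYS_CODE, SYS_DATA, MON_CODE, MON_DATA, GATES, NREGIONS, UNMAPPED };
enum space { SYSTEM_SPACE, SIM_SPACE };

/* Constructed layout: each region is one 4 KiB page (hypothetical addresses). */
static const uint32_t region_base[NREGIONS] = {
    [SYS_CODE] = 0xC0000000, [SYS_DATA] = 0xC0001000,
    [MON_CODE] = 0xD0000000, [MON_DATA] = 0xD0001000,
    [GATES]    = 0xE0000000,
};

/* One "page table" per address space, following slides 13-15:
 * - system space: monitor pages are absent, gate pages are read+execute only
 * - SIM space: monitor pages are mapped, kernel code is readable but NOT executable */
static const int perms[2][NREGIONS] = {
    [SYSTEM_SPACE] = { [SYS_CODE] = P_R | P_X, [SYS_DATA] = P_R | P_W,
                       [MON_CODE] = 0,         [MON_DATA] = 0, [GATES] = P_R | P_X },
    [SIM_SPACE]    = { [SYS_CODE] = P_R,       [SYS_DATA] = P_R | P_W,
                       [MON_CODE] = P_R | P_X, [MON_DATA] = P_R | P_W, [GATES] = P_R | P_X },
};

static enum region region_of(uint32_t addr)
{
    for (int r = 0; r < NREGIONS; r++)
        if (addr - region_base[r] < 0x1000u) return (enum region)r;   /* unsigned wrap is intended */
    return UNMAPPED;
}

/* Page-walk equivalent: does 'space' grant every bit of 'want' at 'addr'? */
bool access_ok(enum space space, uint32_t addr, int want)
{
    enum region r = region_of(addr);
    if (r == UNMAPPED) return false;
    return (perms[space][r] & want) == want;
}

/* Hook-to-handler table: K <-> H is one-to-one, each hook has its own entry gate. */
struct hook { uint32_t hook_addr; uint32_t entry_gate; int handler_id; };
static const struct hook hooks[] = {
    { 0xC0000100, 0xE0000000, 1 },   /* constructed: process-creation hook */
    { 0xC0000200, 0xE0000040, 2 },   /* constructed: system-call hook */
};
#define NHOOKS ((int)(sizeof hooks / sizeof hooks[0]))

/* Invocation checker: runs after the switch into SIM space and accepts only a
 * registered gate entered at its first instruction. Returns handler id or -1. */
int invocation_check(uint32_t gate_addr)
{
    for (int i = 0; i < NHOOKS; i++)
        if (hooks[i].entry_gate == gate_addr) return hooks[i].handler_id;
    return -1;
}

/* Simulated transfer from a kernel hook through the entry gate into the
 * monitor and back out. Returns the handler id that ran, or -1 if refused. */
int invoke_monitor(uint32_t hook_addr, uint32_t gate_addr)
{
    enum space cur = SYSTEM_SPACE;
    /* The hook and the gate both execute in system space; monitor code cannot. */
    if (!access_ok(cur, hook_addr, P_X) || !access_ok(cur, gate_addr, P_X))
        return -1;
    cur = SIM_SPACE;                              /* entry gate: page-table switch */
    int handler = invocation_check(gate_addr);
    if (handler < 0) {
        cur = SYSTEM_SPACE;                       /* refused: leave without running a handler */
        return -1;
    }
    /* The handler may use its private data but must not execute kernel code (slide 15). */
    if (!access_ok(cur, region_base[MON_DATA], P_R | P_W)) return -1;
    if (access_ok(cur, hook_addr, P_X)) return -1;
    cur = SYSTEM_SPACE;                           /* exit gate: switch back */
    return cur == SYSTEM_SPACE ? handler : -1;
}

int main(void)
{
    printf("kernel reads monitor data:      %s\n", access_ok(SYSTEM_SPACE, 0xD0001000u, P_R) ? "allowed" : "denied");
    printf("kernel writes entry gate:       %s\n", access_ok(SYSTEM_SPACE, 0xE0000000u, P_W) ? "allowed" : "denied");
    printf("hook via registered gate:       handler %d\n", invoke_monitor(0xC0000100u, 0xE0000000u));
    printf("jump into middle of gate page:  handler %d\n", invoke_monitor(0xC0000100u, 0xE0000010u));
    printf("direct jump to monitor code:    handler %d\n", invoke_monitor(0xC0000100u, 0xD0000000u));
    return 0;
}
```

The three refusals are the point: the system view cannot even read or write the monitor's pages, a jump that lands anywhere but a registered gate entry is rejected by the invocation checker after the switch, and kernel code is non-executable inside the monitoring space, so a handler cannot be steered into untrusted code.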

  17. Experimental evaluation • Test objects • SIM vs. out-of-VM (why not plain in-VM? it does not satisfy the security requirements) • Test routine • Monitor invocation overhead • Security application case studies • Process creation monitoring • System call tracing


  19. Monitor Invocation Overhead • Out-of-VM: a null event handler that returns immediately • SIM: a handler that only calls the corresponding exit gate

  20. Result of overhead • About 10 times lower average invocation time • Lower standard deviation (invocation times are more tightly clustered)

  21. Summary • Contradiction • Security monitor vs. untrusted guest VM • Basic modes • In-VM & out-of-VM • SIM • Performance and security • Based on in-VM, with the security requirements addressed • Result (overhead) • SIM invocation is about 10 times cheaper than out-of-VM
