This study explores the implementation of secure in-VM monitoring using hardware virtualization. It covers the background and requirements, the different approaches to monitoring, the performance and security requirements, and evaluates the performance of in-VM monitoring compared to out-of-VM monitoring. The results show that secure in-VM monitoring using hardware virtualization is 10 times faster than traditional out-of-VM monitoring.
Study on “Secure In-VM Monitoring Using Hardware Virtualization”
Qiang Guan
Dependable Computing System Lab, New Mexico Tech
Contents
• Background & Requirements
• Secure In-VM monitoring
• Implementation
• Experimental evaluation
• Overhead, …
Background
• Rootkits vs security tools
• Rootkit: a software program or coordinated set of programs designed to gain control over a computer system or network of computing systems without being detected.
• Security tools: antivirus, intrusion detection systems, security reference monitors
Two approaches
• In-VM & Out-of-VM
Notation used in the figures:
A: application
Dp: system data
Cp: system code
Cm: monitor code
Dm: monitor data
K: event hook
H: handler for the event
R: response to the event
Dk: data about the event
Two monitoring modes
• Passive vs Active
Passive: Cm analyzes Cp + Dp
Active: includes hooks and handlers
[Figure: monitoring component; event hook in a system routine transfers to the handler, which receives Dk and produces response R]
Out-of-VM vs In-VM
• Out-of-VM
• Pro: provides security (the monitor is isolated from the system)
• Con: does not provide performance
• In-VM
• Pro: provides performance (low overhead)
• Con: does not provide security
Performance requirements
• Low overhead (no privilege change between kernel level and hypervisor on every event)
• Fast invocation
• Read/write at native speed
• In-VM meets the performance requirements
• Out-of-VM cannot, why?
• The hypervisor is invoked on every monitor event
Security requirements
• Requirements
• Isolate Cm & Dm from Cp & Dp (integrity of Cm & Dm)
• Designated points for switching into Cm (the switch is clean)
• K <-> H is a one-to-one mapping
• The monitor is not alterable (H is dependent)
• Out-of-VM satisfies these requirements
• In-VM cannot, why?
• Monitor and system run in the same VM environment
Secure In-VM
• An In-VM design extended with new elements to satisfy the security requirements
Features of SIM (kernel-level monitor)
• “One-way view” design of memory mapping
• Entry and exit gates
• Transfer execution between the system address space and the security monitoring space
• Invocation checker
Virtual memory mapping
• Code and data of SIM are invisible to the system address space
• The entry and exit gates are unchangeable from the system space (one-to-one policy)
• Kernel code is not executed while executing in the security monitoring space (to make sure all code in the monitoring space is trusted)
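To make the three mapping rules concrete, here is an added toy model (my own, not the SIM paper's or the presenter's code): two page-table views over one guest, an entry gate with a one-to-one hook-to-handler table, and an invocation checker. The page layout, the class names `Sim`, and the functions `permissions`, `check` and `enter` are constructed for this illustration.

```python
from dataclasses import dataclass, field

SYSTEM, SIM = "system", "sim"  # which page-table view is active

# Page classes from the slides: Cp/Dp (kernel code/data), Cm/Dm (monitor
# code/data) and the gate pages that are mapped in both spaces.
CP, DP, CM, DM, GATE = "Cp", "Dp", "Cm", "Dm", "gate"

# Constructed layout: page number -> page class.
LAYOUT = {0x10: CP, 0x11: DP, 0x20: CM, 0x21: DM, 0x30: GATE, 0x31: GATE}

def permissions(view, page):
    """One-way view: system space never maps Cm/Dm; SIM space maps
    everything but refuses to execute kernel code (Cp is read-only)."""
    cls = LAYOUT.get(page)
    if cls is None:
        return set()
    if view == SYSTEM:
        return {CP: {"r", "x"}, DP: {"r", "w"}, GATE: {"x"}}.get(cls, set())
    return {CP: {"r"}, DP: {"r", "w"}, CM: {"r", "x"}, DM: {"r", "w"},
            GATE: {"x"}}[cls]

def check(view, page, op):
    """True if operation op ('r', 'w' or 'x') is allowed on page in view."""
    return op in permissions(view, page)

@dataclass
class Sim:
    view: str = SYSTEM
    handlers: dict = field(default_factory=dict)  # hook K -> handler H
    log: list = field(default_factory=list)

    def register(self, hook, handler):
        # Fixed at initialization; each hook has exactly one handler and
        # each handler exactly one hook (the one-to-one requirement).
        if hook in self.handlers or handler in self.handlers.values():
            raise ValueError("hook/handler mapping must be one-to-one")
        self.handlers[hook] = handler

    def enter(self, from_page, hook):
        """Invocation checker: SIM space may only be entered through an
        entry-gate page for a registered hook; anything else is refused."""
        if LAYOUT.get(from_page) != GATE or hook not in self.handlers:
            self.log.append(("rejected", from_page, hook))
            return False
        self.view = SIM            # entry gate switches the page table
        self.handlers[hook]()      # handler runs with Cm/Dm visible
        self.view = SYSTEM         # exit gate switches back
        return True
```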
Implementation
• Initialization
• Reserve the virtual address ranges for the entry and exit gates
• Create the SIM virtual address space
• Load the security monitor application (as part of the kernel driver)
• Create the link between the two spaces (hook and handler)
Experimental evaluation
• Test objects
• SIM vs Out-of-VM (why? why not In-VM?)
• Test routine
• Monitor invocation overhead
• Security application case study
• Process creation monitoring
• System call tracing
Monitor invocation overhead
• Out-of-VM: a null event handler that returns immediately
• SIM: the handler only calls the corresponding exit gate
Result of overhead
• 10 times faster in average time
• Smaller standard deviation (invocation times are more tightly clustered)
Summary
• Contradiction
• Security monitor vs untrusted guest VM
• Basic modes
• In-VM & Out-of-VM
• SIM
• Performance and security
• Based on In-VM, with the security requirements added
• Result (overhead)
• SIM is 10 times faster than Out-of-VM