HyperSpector

Kourai, Kenichi; Chiba, Shigeru

doi:10.1145/1064979.1065006

Cited by 70 publications

(1 citation statement)

References 11 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Through VMI, a system developed to detect and prevent attacks is capable of observing the protected target from an external perspective that is protected against attacks through the extra isolation provided by VM abstraction. Intrusion Detection Systems (IDS) [159] based on VMI (VMI-IDS) were proposed by researchers [63,80,93,95,186] as a more robust solution for monitoring systems in opposition to previously proposed network-based or host-based IDSs [160]. Also, VMs were used [62] as enablers for Trusted Computing [69,157].…”

Section: Hypervisor-based Defensesmentioning

confidence: 99%

Protection mechanisms against control-flow hijacking attacks

Moreira¹

View full text Add to dashboard Cite

Control-flow hijacking attacks have been a known threat to computer systems since the 80s. These attacks typically take place through wrongly implemented memory operations that allow arbitrary corruption of values used to point targets in indirect branches. By modifying these values, attackers redirect control-flow as desired, forcing the execution of malicious routines. Although many solutions have been proposed to disable these threats, attackers have been able to bypass these mechanisms, developing new techniques to launch exploits and compromise systems successfully. From these techniques, Return-Oriented Programming (ROP) attacks stand as the most relevant, as they manage to perform arbitrary Turing-complete computation without the need of code injection in the memory space of the attacked software.Kernel software is also targetable by ROP attacks. Since the introduction of W^X policies and the later mitigation of return-to-user attacks, ROP became the most prominent form of kernel control-flow corruption. As kernel runs with higher privileges that allow full system compromise upon exploitation, hardening this software component against these forms of attack became a valuable asset. In this thesis, we propose, analyze and optimize solutions for control-flow assertion in kernel software.First, we propose kCFI, a fine-grained compiler-based Control-Flow Integrity solution for operating system kernels. This protection computes a kernel control-flow graph and instruments its binary with control-flow assertions to ensure that all indirect branches happen through paths foreseen in the graph. To the best of our knowledge, kCFI is the first fine-grained implementation capable of supporting the Linux kernel, presenting an average performance cost of 8% on micro-benchmarks and 2% on macro-benchmarks, which are the smaller observed overheads for a kernel Control-Flow Integrity solution.Given that Control-Flow Integrity solutions can benefit from dynamic context information to create even more restrictive policies, we finish our work presenting a feasibility analysis for a shadow stack implementation to be used on function return validation, in the kernel. In this study, we first propose a shadow stack architecture design that is compliant with kernel requirements and that can be built on top of kCFI. We also explore two different x86-64 architecture extensions to assess their efficiency on selectively protecting the memory regions used by the shadow stack.

show abstract

Section: Hypervisor-based Defensesmentioning

confidence: 99%

Protection mechanisms against control-flow hijacking attacks

Moreira¹

View full text Add to dashboard Cite

show abstract

CloudMon: a resource‐efficient IaaS cloud monitoring system based on networked intrusion detection system virtual appliances

Liu

2013

Concurrency and Computation

View full text Add to dashboard Cite

The networked intrusion detection system virtual appliance (NIDS-VA), also known as virtualized NIDS, plays an important role in the protection and safeguard of IaaS cloud environments. However, it is nontrivial to guarantee both of the performance of NIDS-VA and the resource efficiency of cloud applications because both are sharing computing resources in the same cloud environment. To overcome this challenge and trade-off, we propose a novel system, named CloudMon, which enables dynamic resource provision and live placement for NIDS-VAs in IaaS cloud environments. CloudMon provides two techniques to maintain high resource efficiency of IaaS cloud environments without degrading the performance of NIDS-VAs and other virtual machines (VMs). The first technique is a virtual machine monitor based resource provision mechanism, which can minimize the resource usage of a NIDS-VA with given performance guarantee. It uses a fuzzy model to characterize the complex relationship between performance and resource demands of a NIDS-VA and develops an online fuzzy controller to adaptively control the resource allocation for NIDS-VAs under varying network traffic. The second one is a global resource scheduling approach for optimizing the resource efficiency of the entire cloud environments. It leverages VM migration to dynamically place NIDS-VAs and VMs. An online VM mapping algorithm is designed to maximize the resource utilization of the entire cloud environment. Our virtual machine monitor based resource provision mechanism has been evaluated by conducting comprehensive experiments based on Xen hypervisor and Snort NIDS in a real cloud environment. The results show that the proposed mechanism can allocate resources for a NIDS-VA on demand while still satisfying its performance requirements. We also verify the effectiveness of our global resource scheduling approach by comparing it with two classic vector packing algorithms, and the results show that our approach improved the resource utilization of cloud environments and reduced the number of in-use NIDS-VAs and physical hosts

show abstract

Alamut: a high‐performance network intrusion detection system in support of virtualized environments

Sharifi

Salimi

Asadi

2013

Security Comm Networks

View full text Add to dashboard Cite

One of the benefits of virtualization technology is the provision of secure and isolated computing environments on a single physical machine. However, the use of virtual machines for this purpose often degrades the overall system performance that is due to emulation costs, for example, packet filtering on every virtual machine. To allow virtual machines to be favorably used as before for the provision of secure environments but with comparably less performance degradation, we propose a new architecture called Alamut in this paper for restructuring any typical network intrusion detection system (NIDS) to run in a Xen‐based virtual execution environment. In the proposed architecture, primitive mechanisms for implementing the security concerns of typical NIDSs such as signature matching are placed at the kernel level of driver domain (dom0), whereas security policies and management modules are kept in user space of that domain. Separation of mechanisms from policies allows network packets to be verified at the kernel level first hand more efficiently without requiring costly context switches to push them to user space for validation. In addition, system administrators can easily define new policies at user level and determine on which virtual machines these policies should be enforced. A proof‐of‐concept implementation of Alamut has been prototyped on the Xen hypervisor using Bro open‐source NIDS. Experimental results show approximately 3.5‐fold increase in the overall system performance when our prototype is run compared with when Bro is run. Results also show 19% improvement in network throughput. The comparison of Alamut with Snort with the same set of signatures and attacks shows that our prototyped NIDS has lower processor utilization and has captured more packets in heavy network loads. Copyright © 2013 John Wiley & Sons, Ltd.

show abstract

HyperSpector

Cited by 70 publications

References 11 publications

Protection mechanisms against control-flow hijacking attacks

Protection mechanisms against control-flow hijacking attacks

CloudMon: a resource‐efficient IaaS cloud monitoring system based on networked intrusion detection system virtual appliances

Alamut: a high‐performance network intrusion detection system in support of virtualized environments

Contact Info

Product

Resources

About