Lares: An Architecture for Secure Active Monitoring Using Virtualization

Payne, Bryan D.; Carbone, Martim; Sharif, Muhammad; Lee, Wenke

doi:10.1109/sp.2008.24

Cited by 301 publications

(159 citation statements)

References 20 publications

Supporting

Mentioning

149

Contrasting

Unclassified

Order By: Relevance

“…sHype [43] proposes a hypervisor to secure VM interactions, VMGuard [21] is a technique for protecting the management VM in Xen. A number of efforts use introspection to identify the presence of malicious code [4,47,33,23,27,26,37,38]. Other works use the hypervisor to protect the guest OSes [45,29,40].…”

Section: Software Approachesmentioning

confidence: 99%

A Non-Inclusive Memory Permissions architecture for protection against cross-layer attacks

Elwell

Riley

Abu-Ghazaleh

et al. 2014

2014 IEEE 20th International Symposium on High Performance Computer Architecture (HPCA)

View full text Add to dashboard Cite

Protecting modern computer systems and complex software stacks against the growing range of possible attacks is becoming increasingly difficult. The architecture of modern commodity systems allows attackers to subvert privileged system software often using a single exploit. Once the system is compromised, inclusive permissions used by current architectures and operating systems easily allow a compromised high-privileged software layer to perform arbitrary malicious activities, even on behalf of other software layers.This paper presents a hardware-supported page permission scheme for the physical pages that is based on the concept of non-inclusive sets of memory permissions for different layers of system software such as hypervisors, operating systems, and user-level applications. Instead of viewing privilege levels as an ordered hierarchy with each successive level being more privileged, we view them as distinct levels each with its own set of permissions. Such a permission mechanism, implemented as part of a processor architecture, provides a common framework for defending against a range of recent attacks. We demonstrate that such a protection can be achieved with negligible performance overhead, low hardware complexity and minimal changes to the commodity OS and hypervisor code.

show abstract

Section: Software Approachesmentioning

confidence: 99%

A Non-Inclusive Memory Permissions architecture for protection against cross-layer attacks

Elwell

Riley

Abu-Ghazaleh

et al. 2014

2014 IEEE 20th International Symposium on High Performance Computer Architecture (HPCA)

View full text Add to dashboard Cite

show abstract

“…VM introspection for intrusion detection and prevention Over the last decade, there has been a significant push to move the security stack from VMs into regions protected by the hypervisor [23,30]. With the proliferation of kernelmode rootkits, this elevated protection has become ever more important [3,13].…”

Section: Intrusion Detection and Analysismentioning

confidence: 99%

CloudIDEA: A Malware Defense Architecture for Cloud Data Centers

Fischer

Kittel

Kolosnjaji

et al. 2015

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Abstract. Due to the proliferation of cloud computing, cloud-based systems are becoming an increasingly attractive target for malware. In an Infrastructure-as-a-Service (IaaS) cloud, malware located in a customer's virtual machine (VM) affects not only this customer, but may also attack the cloud infrastructure and other co-hosted customers directly. This paper presents CloudIDEA, an architecture that provides a security service for malware defense in cloud environments. It combines lightweight intrusion monitoring with on-demand isolation, evidence collection, and in-depth analysis of VMs on dedicated analysis hosts. A dynamic decision engine makes on-demand decisions on how to handle suspicious events considering cost-efficiency and quality-of-service constraints.

show abstract

“…A number of malware protection proposals ( [10,16,23,25,31,40]) address the issue by using virtualization, creating a trusted zone from which their monitoring programs can operate and relying on a hypervisor to moderate between the host system and the monitor. These proposals, however, fail to take the inherent resource constraints of embedded control systems into account.…”

Section: The Problem With Virtualizationmentioning

confidence: 99%

“…If desired, Autoscopy can be used in conjunction with other programs that alter the control flow of a system for security or other legitimate reasons (for example, Lares [23] from Payne et al, although it also uses a VM). Autoscopy will simply tag the program's behavior as trusted during the learning phase.…”

Section: Flexibility Across Multiple Architecturesmentioning

confidence: 99%

Lightweight Intrusion Detection for Resource-Constrained Embedded Control Systems

Reeves

Ramaswamy

Locasto

et al. 2011

Critical Infrastructure Protection V

View full text Add to dashboard Cite

Today's power grid depends on embedded control systems to function properly. Securing these systems presents a unique challenge, since on top of the resource restrictions inherent to embedded devices, SCADA systems must accommodate strict timing requirements that are nonnegotiable, and their massive scale greatly amplifies costs such as power consumption. Together, these constraints make the conventional approach to host intrusion detection-namely, using a hypervisor to create a safe environment from which a monitoring entity can operate-too costly or impractical for embedded control systems in such critical infrastructure.In this paper, we introduce Autoscopy, an experimental host intrusion detection mechanism that operates from within the kernel and leverages its built-in tracing framework to look for control-flow anomalies, which are most often caused by rootkits hijacking kernel hooks. In initial testing on a standard laptop system, our prototype was able to detect a representative selection of control-flow hijacking rootkit techniques while imposing less than 5% performance overhead for the majority of our benchmark tests. We argue that its design and effectiveness make it both feasible for and uniquely suited to intrusion detection for SCADA systems, and are currently porting Autoscopy to actual power hardware to test our hypothesis. Being situated in the kernel, Autoscopy needs some hardware (e.g., memory immutability) or software protection (i.e., kernel hardening) measures in place for its own protection; however, such protective measures would cost less than full-blown reference monitor isolation via hardware virtualization at the core of hypervisor-based proposals.

show abstract

Lares: An Architecture for Secure Active Monitoring Using Virtualization

Cited by 301 publications

References 20 publications

A Non-Inclusive Memory Permissions architecture for protection against cross-layer attacks

A Non-Inclusive Memory Permissions architecture for protection against cross-layer attacks

CloudIDEA: A Malware Defense Architecture for Cloud Data Centers

Lightweight Intrusion Detection for Resource-Constrained Embedded Control Systems

Contact Info

Product

Resources

About