Securing Virtualized System via Active Protection

Zhongshu Gu, Purdue University

Abstract

Virtualization is the predominant enabling technology of current cloud infrastructures and brings unique security benefits. Traditionally, researchers strive to include security components, such as intrusion detection, malware analysis, and integrity checking, in the underlying hypervisor. These hypervisor-based security approaches conduct only passive monitoring of the guest systems and lack active protection mechanisms such as patching system vulnerabilities, eliminating malicious logic, and shrinking the kernel attack surface. In order to achieve the security goals that are missing from existing hypervisor-based research efforts, we aim to expand the reach of the hypervisor to support active protection mechanisms. In this dissertation, we present a hypervisor-based security framework that consists of three key components, PROCESS-IMPLANTING, DRIP, and FACE-CHANGE, which provide active protection at the level of user processes, kernel drivers, and OS kernels, respectively, within guest virtual machines (VMs). In particular, PROCESS-IMPLANTING enables on-demand implantation of general-purpose security tools directly from the hypervisor into a guest VM. The dynamic and stealthy nature of such security tools makes them harder for malicious adversaries to predict and detect. DRIP targets in-VM trojaned kernel drivers, which carry both benign and malicious logic. We purify such trojaned drivers to systematically deactivate the malicious logic while keeping the benign logic intact. FACE-CHANGE minimizes the kernel attack surface within guest VMs at fine time granularity. We achieve such kernel minimalism by dynamically switching among multiple application-specific minimized kernels at runtime. From our evaluation results on both security and performance metrics, we demonstrate that PROCESS-IMPLANTING, DRIP, and FACE-CHANGE can effectively provide active protection for the guest VM with minimal negative impact on guest system execution. Furthermore, given its reasonable performance overhead, it is practical to deploy our security framework in real-world cloud infrastructures.

Degree

Ph.D.

Advisors

Xu, Purdue University.

Subject Area

Computer science
