Access Control Based Hypervisor Non-control Data Integrity Protection
Chen Zhi-feng, Li Qing-bao, Zhang Ping, Zeng Guang-yu
(PLA Information Engineering University, Zhengzhou 450001, China)
(State Key Laboratory of Mathematical Engineering and Advanced Computing, Zhengzhou 450001, China)
Abstract: With the widespread adoption of virtualization technology, the security problems of the virtualization layer have attracted close attention from researchers in China and abroad. Existing virtual machine monitor (Hypervisor) integrity protection methods focus mainly on code and control-data integrity and cannot resist non-control data attacks; those that rely on periodic monitoring cannot provide real-time non-control data integrity protection. To address these deficiencies, a Hypervisor non-control data integrity protection model, UCONhi, is proposed based on Usage CONtrol (UCON). The model simplifies UCON according to the needs of non-control data integrity protection while inheriting the continuity and mutability of the UCON model, so as to realize real-time access control over non-control data. The attacker and the attacked objects are analyzed to determine the subjects and objects, the security policies are reduced according to attack samples, and the UCONhi security policies are described in terms of ECA (Event-Condition-Action) rules, which can effectively decide the legality of non-control data accesses. A prototype system, Xen-UCONhi, is designed and implemented on the Xen system, and its effectiveness and performance overhead are evaluated through comprehensive experiments. The results show that Xen-UCONhi can effectively prevent attacks against the Hypervisor with less than 10% performance overhead.
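As an added illustration (not code from the paper or from Xen-UCONhi), the following Python sketch shows how ECA rules carrying UCON's pre-authorization, ongoing authorization and attribute mutability can decide the legality of accesses to a non-control data object; the object name `domain.is_privileged`, the subject attributes and the violation threshold are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass
class Subject:             # the accessing party, e.g. code running on behalf of a domain
    domain_id: int
    privileged: bool       # attribute consulted by pre-authorization
    violations: int = 0    # mutable attribute, updated by ECA actions

@dataclass
class NonControlObject:    # e.g. a field of a domain descriptor (name is constructed)
    name: str
    critical: bool

@dataclass
class AccessEvent:         # the Event part of an ECA rule
    subject: Subject
    obj: NonControlObject
    op: str                # "read" or "write"

MAX_VIOLATIONS = 2         # assumed threshold at which access is revoked

def pre_authorization(ev):
    """preA condition: only a privileged subject may write a critical object."""
    return not (ev.op == "write" and ev.obj.critical and not ev.subject.privileged)

def ongoing_authorization(ev):
    """onA condition (continuity): re-checked on every access, so a subject whose
    mutable attributes have degraded loses access even after earlier grants."""
    return ev.subject.violations < MAX_VIOLATIONS

def decide(ev):
    """ECA rule: on an access event, evaluate conditions and apply actions."""
    if not pre_authorization(ev):
        ev.subject.violations += 1          # action: mutate the subject attribute
        return "deny:preA"
    if not ongoing_authorization(ev):
        return "deny:onA"                   # revocation driven by continuity
    return "permit"

def demo_trace():
    """Constructed access trace: an unprivileged guest probes a critical field."""
    priv_flag = NonControlObject("domain.is_privileged", critical=True)
    guest = Subject(domain_id=5, privileged=False)
    dom0 = Subject(domain_id=0, privileged=True)
    events = [AccessEvent(guest, priv_flag, "read"), AccessEvent(guest, priv_flag, "write"),
              AccessEvent(guest, priv_flag, "write"), AccessEvent(guest, priv_flag, "read"),
              AccessEvent(dom0, priv_flag, "write")]  # the last guest read is revoked by onA
    return [decide(ev) for ev in events]
```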
Received: 27 January 2015
Published: 27 July 2015
Fund: The National Science and Technology Major Project of China (2013JH00103); The National 863 Program of China (2009AA01Z434)
Corresponding Authors:
Chen Zhi-feng
E-mail: xiaohouzi06@163.com