Towards High Assurance Networks of Virtual Machines

Part of the Lecture Notes in Electrical Engineering book series (LNEE, volume 30)


We propose a methodology to check software integrity based upon virtual machines (VMs) that integrates controls at distinct execution levels. The baseline of the proposed approach is the virtual machine monitor (VMM) capability to access the memory of a VM and apply a set of consistency checks to the VM operating system (OS). In turn, the OS can apply a different set of consistency checks to the application processes, and applications can also enforce a further set of security controls. The union of all the consistency checks forms a chain of trust, where each level controls the integrity of the one above it through the proper interface for that level. In this way, the proposed approach minimizes the semantic gap between two different levels, because each level only applies those security controls that are coherent with that level's own view. We apply this methodology to build a distributed intrusion detection system (IDS) to detect attacks against a network of VMs. According to the proposed methodology, the tool adopts VM introspection (VMI) to apply a set of consistency checks to the kernel of the OS of each VM. Then, we extend the kernel of each VM with a set of functions to check the integrity of the processes involved in the detection of intrusions.
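The layered checking described above, as an added example in Python that is not the paper's code: a VMM-level checker introspects a constructed guest memory image (kernel text hash, syscall table targets confined to the kernel text range), a kernel-level checker cross-checks the task list against the scheduler's run queue and verifies the text of the IDS processes, and the chain only marks the kernel-level results as trusted when the level below passed. The memory layout, addresses, structure names and snapshot contents are all constructed for the example and correspond to no real kernel.

```python
"""Layered integrity checks over a constructed guest VM memory image.

Added example, not code from the paper. Each level applies only the checks
that are coherent with its own view: the VMM sees raw guest memory, the
kernel sees its task structures. Every address and structure is constructed.
"""
from __future__ import annotations

import hashlib
from dataclasses import dataclass


@dataclass
class Process:
    pid: int
    name: str
    text: bytes  # constructed stand-in for the process text pages


@dataclass
class GuestMemory:
    """Constructed stand-in for a guest VM memory image as seen by the VMM."""
    kernel_text_base: int       # constructed guest virtual address of kernel text
    kernel_text: bytes          # constructed kernel text bytes
    syscall_table: list[int]    # handler addresses, one per syscall number
    task_list: list[Process]    # the kernel's linked list of tasks
    runqueue: list[Process]     # tasks the scheduler actually runs


@dataclass
class Report:
    vmm: list[str]
    kernel: list[str]
    kernel_trusted: bool


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def vmm_level_checks(mem: GuestMemory, baseline_kernel_hash: str) -> list[str]:
    """Checks the VMM can apply from its raw-memory view of the guest: the
    kernel text matches a known-good hash, and every syscall table entry
    points inside the kernel text (a handler redirected elsewhere is a
    classic symptom of kernel tampering)."""
    findings = []
    if sha256(mem.kernel_text) != baseline_kernel_hash:
        findings.append("kernel text hash mismatch")
    lo = mem.kernel_text_base
    hi = lo + len(mem.kernel_text)
    for idx, target in enumerate(mem.syscall_table):
        if not lo <= target < hi:
            findings.append(f"syscall {idx} handler {target:#x} outside kernel text")
    return findings


def kernel_level_checks(mem: GuestMemory, ids_baselines: dict[str, str]) -> list[str]:
    """Checks that belong to the OS view: a cross-view comparison of the task
    list against the run queue (a runnable task absent from the task list has
    been unlinked), plus text-hash verification of the IDS processes."""
    findings = []
    listed = {p.pid for p in mem.task_list}
    for p in mem.runqueue:
        if p.pid not in listed:
            findings.append(f"pid {p.pid} ({p.name}) runnable but missing from task list")
    by_name = {p.name: p for p in mem.task_list}
    for name, expected in ids_baselines.items():
        proc = by_name.get(name)
        if proc is None:
            findings.append(f"IDS process {name} not running")
        elif sha256(proc.text) != expected:
            findings.append(f"IDS process {name} text modified")
    return findings


def run_chain(mem: GuestMemory, baseline_kernel_hash: str,
              ids_baselines: dict[str, str]) -> Report:
    """Chain of trust: the kernel-level results are only trusted when the
    VMM-level checks on the kernel itself found nothing."""
    vmm = vmm_level_checks(mem, baseline_kernel_hash)
    kernel = kernel_level_checks(mem, ids_baselines)
    return Report(vmm=vmm, kernel=kernel, kernel_trusted=not vmm)


# Constructed sample data for the three scenarios below.
KERNEL_BASE = 0xC0100000
KERNEL_TEXT = bytes(range(256)) * 4
BASELINE = sha256(KERNEL_TEXT)
IDS_BASELINES = {"vm_ids": sha256(b"ids-text-v1")}


def clean_guest() -> GuestMemory:
    ids = Process(pid=42, name="vm_ids", text=b"ids-text-v1")
    sshd = Process(pid=7, name="sshd", text=b"sshd")
    return GuestMemory(KERNEL_BASE, KERNEL_TEXT,
                       syscall_table=[KERNEL_BASE + 0x10 * i for i in range(8)],
                       task_list=[sshd, ids], runqueue=[sshd, ids])


def tampered_guest() -> GuestMemory:
    g = clean_guest()
    g.syscall_table[3] = 0xD0000000  # handler redirected outside kernel text
    return g


def hidden_process_guest() -> GuestMemory:
    g = clean_guest()
    g.runqueue.append(Process(pid=99, name="ghost", text=b"x"))  # unlinked task
    return g


if __name__ == "__main__":
    for label, guest in (("clean", clean_guest()), ("tampered", tampered_guest()),
                         ("hidden", hidden_process_guest())):
        print(label, run_chain(guest, BASELINE, IDS_BASELINES))
```

Running the block reports nothing for the clean image, a VMM-level finding on syscall 3 for the tampered image (and flags the kernel-level results as untrusted), and a kernel-level finding on pid 99 for the image with an unlinked task.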


Keywords: Virtual Machine, Consistency Check, Intrusion Detection System, Physical Node, High Level View





Copyright information

© Springer Science+Business Media, LLC 2009

Authors and Affiliations

  1. Polo G. Marconi La Spezia, Università di Pisa, Italy
  2. Dipartimento di Informatica, Università di Pisa, Italy
