Abstract
Hardware/server virtualization is commonly employed in cloud computing to enable ubiquitous access to shared system resources and provide sophisticated services. The virtualization is typically performed by a hypervisor, which provides mechanisms that abstract hardware and system resources from the operating system. However, hypervisors are complex software systems with many vulnerabilities. This chapter analyzes recently discovered vulnerabilities associated with the Xen and KVM open-source hypervisors, and develops their attack profiles in terms of hypervisor functionality (attack vectors), attack types and attack sources. Based on the large number of vulnerabilities related to hypervisor functionality, two sample attacks leveraging key attack vectors are investigated. The investigation clarifies the evidence coverage for detecting attacks and the missing evidence needed to reconstruct attacks.
Copyright information
© 2019 IFIP International Federation for Information Processing
About this paper
Cite this paper
Liu, C., Singhal, A., Chandramouli, R., Wijesekera, D. (2019). DETERMINING THE FORENSIC DATA REQUIREMENTS FOR INVESTIGATING HYPERVISOR ATTACKS. In: Peterson, G., Shenoi, S. (eds) Advances in Digital Forensics XV. DigitalForensics 2019. IFIP Advances in Information and Communication Technology, vol 569. Springer, Cham. https://doi.org/10.1007/978-3-030-28752-8_14
DOI: https://doi.org/10.1007/978-3-030-28752-8_14
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-28751-1
Online ISBN: 978-3-030-28752-8
eBook Packages: Computer Science, Computer Science (R0)