Abstract
Wingman is a run-time monitoring system that aims to detect and mitigate anomalies, including malware infections, within virtual appliances (VAs). It observes the kernel state of a VA and uses an expert system to determine when that state is anomalous. Wingman does not simply restart a compromised VA; instead, it attempts to repair the VA, thereby minimizing potential downtime and state loss. This paper describes Wingman and summarizes experiments in which it detected and mitigated three types of malware within a web-server VA. For each attack, Wingman was able to defend the VA by bringing it to an acceptable state.
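The detect-then-repair loop the abstract describes, as an added illustrative example: this is not Wingman's code (which drives Stackdb introspection and a CLIPS rule base), but a small Python stand-in in which a constructed kernel-state snapshot replaces introspected guest memory and three hand-written rules replace the expert system. The kernel text range, symbol addresses, trusted-module set, process names and rule repairs are all assumptions chosen for the example.

```python
"""Rule-based anomaly detection and repair over a kernel-state snapshot.

Added example, not Wingman's code. A dict stands in for introspected
kernel state; a few forward-chaining rules stand in for the expert system.
All addresses, names and repair actions below are assumptions.
"""
from dataclasses import dataclass

# Assumed kernel text range: a sys_call_table entry pointing outside it
# is treated as a hooked table (the pattern a kernel rootkit leaves).
KTEXT_START = 0xFFFFFFFF81000000
KTEXT_END = 0xFFFFFFFF81A00000
TRUSTED_MODULES = {"ext4", "e1000", "virtio_net"}  # assumed appliance baseline


@dataclass(frozen=True)
class Finding:
    rule: str
    detail: str
    repair: tuple  # (action, argument) the repair step will apply


def rule_syscall_hooks(state):
    """Flag syscall-table entries that no longer point into kernel text."""
    return [Finding("syscall-hook", f"{name} -> {addr:#x} outside kernel text",
                    ("restore_syscall", name))
            for name, addr in state["syscall_table"].items()
            if not KTEXT_START <= addr < KTEXT_END]


def rule_hidden_tasks(state):
    """Cross-view check: tasks on the kernel task list that the guest's own
    process listing does not show, i.e. what a hidden process looks like."""
    kernel_view = {t["pid"] for t in state["task_list"]}
    guest_view = set(state["guest_ps"])
    return [Finding("hidden-task", f"pid {pid} hidden from guest view",
                    ("kill_task", pid))
            for pid in sorted(kernel_view - guest_view)]


def rule_unknown_modules(state):
    """Flag loaded kernel modules outside the appliance's expected set."""
    return [Finding("unknown-module", f"module {m} not in trusted set",
                    ("unload_module", m))
            for m in state["modules"] if m not in TRUSTED_MODULES]


RULES = (rule_syscall_hooks, rule_hidden_tasks, rule_unknown_modules)


def evaluate(state):
    """Run every rule over the snapshot; an empty list means 'acceptable'."""
    findings = []
    for rule in RULES:
        findings.extend(rule(state))
    return findings


def apply_repair(state, finding):
    """Mutate the snapshot as the repair action would mutate the guest."""
    action, arg = finding.repair
    if action == "restore_syscall":
        original = state["symbols"].get(arg)
        if original is not None:          # unknown symbol: cannot repair
            state["syscall_table"][arg] = original
    elif action == "kill_task":
        state["task_list"] = [t for t in state["task_list"] if t["pid"] != arg]
    elif action == "unload_module":
        state["modules"] = [m for m in state["modules"] if m != arg]


def monitor(state, max_rounds=5):
    """Detect, repair, re-evaluate until the state is acceptable or the
    round budget is spent (in which case the caller must escalate).
    Returns (acceptable, list of findings that were acted on)."""
    log = []
    for _ in range(max_rounds):
        findings = evaluate(state)
        if not findings:
            return True, log
        for finding in findings:
            apply_repair(state, finding)
            log.append(finding)
    return not evaluate(state), log


def constructed_snapshot():
    """Constructed snapshot of a web-server VA with a hooked syscall entry,
    a process hidden from ps, and a rogue module (all made up for the example)."""
    return {
        "symbols": {"sys_read": 0xFFFFFFFF8120A0D0,
                    "sys_getdents": 0xFFFFFFFF8121F3A0},
        "syscall_table": {"sys_read": 0xFFFFFFFF8120A0D0,
                          "sys_getdents": 0xFFFFFFFFA0012340},  # hooked
        "task_list": [{"pid": 1, "comm": "init"},
                      {"pid": 812, "comm": "apache2"},
                      {"pid": 4031, "comm": "bd"}],
        "guest_ps": [1, 812],               # pid 4031 is hidden from the guest
        "modules": ["ext4", "e1000", "rogue_mod"],
    }


if __name__ == "__main__":
    acceptable, log = monitor(constructed_snapshot())
    for finding in log:
        print(finding.rule, finding.detail, "->", finding.repair)
    print("acceptable" if acceptable else "unrecoverable, escalate")
```

The point of the loop is the abstract's distinction between repair and restart: each finding carries a targeted repair, the rules are re-run after repairs so that a fix which uncovers a further anomaly is caught, and only when the budget is exhausted does the monitor give up and leave the decision (restart, quarantine) to the operator.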
References
Chokepoint: Azazel userland rootkit, February 2015. https://github.com/chokepoint/azazel
Coppola, M.: Suterusu rootkit, September 2014. https://github.com/mncoppola/suterusu
Fu, Y., Lin, Z.: Exterior: using a dual-VM based external shell for guest-OS introspection, configuration, and recovery. In: Proceedings VEE, pp. 97–110, March 2013. doi:10.1145/2451512.2451534
Garfinkel, T., Rosenblum, M.: A virtual machine introspection based architecture for intrusion detection. In: Proceedings NDSS, pp. 191–206, February 2003. http://www.isoc.org/isoc/conferences/ndss/03/proceedings/papers/13.pdf
Hofmann, O.S., Dunn, A.M., Kim, S., Roy, I., Witchel, E.: Ensuring operating system kernel integrity with OSck. In: Proceedings ASPLOS, pp. 279–290, March 2011. doi:10.1145/1950365.1950398
Johnson, D., Hibler, M., Eide, E.: Composable multi-level debugging with Stackdb. In: Proceedings VEE, pp. 213–226, March 2014. doi:10.1145/2576195.2576212
Johnson, D., Nayak, P., Hibler, M., Burtsev, A., Eide, E.: Wingman and Stackdb software, March 2017. https://gitlab.flux.utah.edu/a3/vmi
Joshi, A., King, S.T., Dunlap, G.W., Chen, P.M.: Detecting past and present intrusions through vulnerability-specific predicates. In: Proceedings SOSP, pp. 91–104, October 2005. doi:10.1145/1095810.1095820
Landesman, M.: Apache Darkleech compromises, 2 April 2013. http://blogs.cisco.com/security/apache-darkleech-compromises
Loscocco, P.A., Wilson, P.W., Pendergrass, J.A., McDonell, C.D.: Linux kernel integrity measurement using contextual inspection. In: Proceedings ACM Workshop on Scalable Trusted Computing (STC), pp. 21–29, November 2007. doi:10.1145/1314354.1314362
Nayak, P.: Detecting and mitigating malware in virtual appliances. Master’s thesis, University of Utah, December 2014. http://www.flux.utah.edu/paper/pnayak-thesis
Ostrand, T.J., Weyuker, E.J.: The distribution of faults in a large industrial software system. In: Proceedings ISSTA, pp. 55–64, July 2002. doi:10.1145/566172.566181
Ostrand, T.J., Weyuker, E.J., Bell, R.M.: Where the bugs are. In: Proceedings ISSTA, pp. 86–96, July 2004. doi:10.1145/1007512.1007524
Savely, R., Culbert, C., Riley, G., Dantes, B., Ly, B., Ortiz, C., Giarratano, J., Lopez, F.: CLIPS: a tool for building expert systems, May 2015. http://clipsrules.sourceforge.net/
Sun, C., He, L., Wang, Q., Willenborg, R.: Simplifying service deployment with virtual appliances. In: Proceedings IEEE International Conference on Services Computing (SCC), pp. 265–272, July 2008. doi:10.1109/SCC.2008.53
White, B., Lepreau, J., Stoller, L., Ricci, R., Guruprasad, S., Newbold, M., Hibler, M., Barb, C., Joglekar, A.: An integrated experimental environment for distributed systems and networks. In: Proceedings OSDI, pp. 255–270, December 2002. https://www.usenix.org/legacy/event/osdi02/tech/white.html
Acknowledgments
We performed our experiments on machines in the Utah Emulab testbed [16]. This work was supported in part by the Air Force Research Laboratory and DARPA under Contract No. FA8750–10–C–0242. This material is based upon work supported in part by the National Science Foundation under Grant No. 1314945.
Copyright information
© 2017 Springer International Publishing AG
About this paper
Cite this paper
Nayak, P., Hibler, M., Johnson, D., Eide, E. (2017). A Wingman for Virtual Appliances. In: Lahiri, S., Reger, G. (eds) Runtime Verification. RV 2017. Lecture Notes in Computer Science(), vol 10548. Springer, Cham. https://doi.org/10.1007/978-3-319-67531-2_25
DOI: https://doi.org/10.1007/978-3-319-67531-2_25
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-67530-5
Online ISBN: 978-3-319-67531-2