Some Ideas on Virtualized System Security, and Monitors

  • Hedi Benzina
  • Jean Goubault-Larrecq
Part of the Lecture Notes in Computer Science book series (LNCS, volume 6514)


Virtualized systems such as Xen, VirtualBox, VMWare or QEmu have been proposed to increase the level of security achievable on personal computers. On the other hand, such virtualized systems are now targets for attacks. We propose an intrusion detection architecture for virtualized systems, and discuss some of the security issues that arise. We argue that a weak spot of such systems is domain zero administration, which is left entirely under the administrator’s responsibility, and is in particular vulnerable to trojans. To avert some of the risks, we propose to install a role-based access control model with possible role delegation, and to describe all undesired activity flows through simple temporal formulas. We show how the latter are compiled into Orchids rules, via a fragment of linear temporal logic, through a generalization of the so-called history variable mechanism.
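The abstract describes undesired activity flows written as simple temporal formulas, compiled into monitor rules that carry history variables, on top of a role-based access control model with delegation. The following is an added illustration of that idea, not code from the paper or from the Orchids tool: a toy sequence monitor in which a flow is an ordered list of event patterns, variables bound by an earlier pattern (the history variables) constrain later ones, and a separate check flags actions outside the acting role's permissions. The log format, field names, the role table and the flow itself are all constructed for the example and are not taken from the paper.

```python
"""Toy flow monitor with history variables and a role check.

Added example, not the paper's or Orchids' own compilation scheme. The audit
trail, field names and policy below are constructed for illustration."""
from dataclasses import dataclass, field

# Constructed sample audit trail from a hypothetical domain-zero admin log.
SAMPLE_LOG = """\
ts=1 user=alice role=admin action=login
ts=2 user=alice role=admin action=delegate role_to=bob newrole=admin
ts=3 user=bob role=admin action=download file=/tmp/patch.sh src=untrusted
ts=4 user=bob role=admin action=exec file=/tmp/patch.sh
ts=5 user=carol role=user action=exec file=/bin/ls
ts=6 user=carol role=user action=delegate role_to=dave newrole=admin
"""

# Constructed toy RBAC policy: only admin may delegate a role.
ROLE_PERMS = {
    "admin": {"login", "delegate", "download", "exec"},
    "user": {"login", "exec"},
}


def parse_line(line):
    """Turn 'k=v k=v ...' into a dict (constructed format, no quoting)."""
    return dict(kv.split("=", 1) for kv in line.split())


def parse_log(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]


@dataclass
class Step:
    """One step of a flow: required field values. A value starting with '$'
    is a history variable, bound on first use and compared on later uses."""
    fields: dict


@dataclass
class Partial:
    """A partial match: index of the next step to satisfy, bindings so far,
    and the ts of each event consumed."""
    next_step: int
    bindings: dict = field(default_factory=dict)
    trace: list = field(default_factory=list)


# Constructed flow: a role is delegated to $u, then $u fetches an untrusted
# file $f, then $u executes that same file (a trojan-style sequence).
TROJAN_AFTER_DELEGATION = [
    Step({"action": "delegate", "role_to": "$u"}),
    Step({"user": "$u", "action": "download", "file": "$f", "src": "untrusted"}),
    Step({"user": "$u", "action": "exec", "file": "$f"}),
]


def step_matches(step, event, bindings):
    """Return extended bindings if the event satisfies the step, else None."""
    new = dict(bindings)
    for key, want in step.fields.items():
        have = event.get(key)
        if have is None:
            return None
        if want.startswith("$"):
            if want in new and new[want] != have:
                return None
            new[want] = have
        elif want != have:
            return None
    return new


def run_monitor(flow, events):
    """Interpret the flow over the event stream. Every event may start a fresh
    match; an existing partial match waits for its next step, ignoring
    unrelated events in between. Returns the completed matches."""
    partials, alerts = [], []
    for ev in events:
        survivors = []
        for p in partials + [Partial(0)]:
            nb = step_matches(flow[p.next_step], ev, p.bindings)
            if nb is not None:
                adv = Partial(p.next_step + 1, nb, p.trace + [ev["ts"]])
                (alerts if adv.next_step == len(flow) else survivors).append(adv)
            if p.next_step > 0:      # keep waiting; a fresh attempt is discarded
                survivors.append(p)
        partials = survivors
    return alerts


def rbac_violations(events):
    """ts of every action the acting role is not permitted to perform."""
    return [ev["ts"] for ev in events
            if ev["action"] not in ROLE_PERMS.get(ev["role"], set())]


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for a in run_monitor(TROJAN_AFTER_DELEGATION, evs):
        print("flow matched at ts", a.trace, "with", a.bindings)
    print("RBAC violations at ts", rbac_violations(evs))
```

On the constructed log the flow matches once (events 2, 3, 4, with `$u` bound to bob and `$f` to the downloaded file), and the role check flags event 6, where a plain user attempts a delegation. Each partial match is the monitor's "history": the bindings captured at step one are what tie the later download and execution to the same delegated user.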







Copyright information

© Springer-Verlag Berlin Heidelberg 2011

Authors and Affiliations

  • Hedi Benzina (1)
  • Jean Goubault-Larrecq (1)
  1. LSV, ENS Cachan, CNRS, INRIA, Cachan, France
