Abstract
The sustained popularity of the cloud and cloud-related services accelerates the evolution of virtualization-enabling technologies. Modern off-the-shelf computers are already equipped with specialized hardware that enables a hypervisor to manage the simultaneous execution of multiple operating systems. Researchers have proposed security mechanisms that operate within such a hypervisor to protect the virtualized operating systems from attacks. These mechanisms are more secure than previous techniques because the defense system is no longer part of an operating system's attack surface. However, due to constant transitions between the hypervisor and the operating systems, these countermeasures typically incur a significant performance overhead.
In this paper we present HyperForce, a framework which allows the deployment of security-critical code in a way that significantly outperforms previous in-hypervisor systems while maintaining similar guarantees with respect to security and integrity. HyperForce is a hybrid system which combines the performance of an in-guest security mechanism with the security of an in-hypervisor one. We evaluate our framework by using it to re-implement an invariance-based rootkit detection system and show the performance benefits of a countermeasure that utilizes HyperForce.
© 2012 IFIP International Federation for Information Processing
Cite this paper
Gadaleta, F., Nikiforakis, N., Mühlberg, J.T., Joosen, W. (2012). HyperForce: Hypervisor-enForced Execution of Security-Critical Code. In: Gritzalis, D., Furnell, S., Theoharidou, M. (eds) Information Security and Privacy Research. SEC 2012. IFIP Advances in Information and Communication Technology, vol 376. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-30436-1_11
DOI: https://doi.org/10.1007/978-3-642-30436-1_11
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-30435-4
Online ISBN: 978-3-642-30436-1