Secure Offloading of Legacy IDSes Using Remote VM Introspection in Semi-trusted IaaS Clouds Kenichi Kourai Kazuki Juda Kyushu Institute of Technology

IDS Offloading [Garfinkel+'03]  Run intrusion detection systems (IDSes) outside target virtual machines (VMs) securely  E.g, in the management VM  Intruders cannot disable offloaded IDSes  Use VM introspection (VMI)  Directly obtain information inside VMs  E.g., memory, storage, and networks management VMtarget VM VMI offloaded IDS

Abusing VMI by Insiders  Semi-trusted clouds  28% of cyber crimes are caused by insiders [PwC'14]  An engineer in Google violated user's privacy [TechSpot News'10]  35% of admins access sensitive information [CyberArk'09]  VMI can be abused by insiders  Sensitive information inside VMs are leaked management VMtarget VM VMI insider

Secure VM Execution  Reduce the risk of insider attacks  Secure runtime environment [Li+'10], VMCrypt [Tadokoro+'12]  Encrypt VM's memory against insiders  Self-service cloud [Butt+'12]  Prevent insiders from accessing user's VMs management VMtarget VM insider ? VMI

Obstacles to Secure IDS Offloading  Secure VM execution cannot coexist with IDS offloading  Offloaded IDSes need to access VM's memory  Secure VM execution prevents such access  Insiders can disable offloaded IDSes  Stop IDSes or tamper with their configuration management VMtarget VM offloaded IDS ? VMI

IDS Remote Offloading  Run IDSes at remote hosts outside semi-trusted clouds  Offloaded IDSes can securely introspect VMs inside remote clouds  Insiders cannot disable offloaded IDSes  Offloaded IDSes can detect DoS attacks easily remote hostmanagement VMtarget VM offloaded IDS remote VMI cloud

Remote VMI  Introspect remote VMs using a VMI engine  Run a minimal VMI engine in the hypervisor  Bypass secure VM execution by the hypervisor  Preserve the integrity and confidentiality of introspected data  Between the VMI engine and remote hosts remote host management VMtarget VM VMI engine VMI IDS hypervisor insider

Threat Model  Trust cloud providers and hardware  The integrity of the hypervisor is guaranteed by  Remote attestation with TPM at boot time  PCI card [Petroni+'04] or SMM [Wang+'10] at runtime  Not trust all the admins in clouds  Insiders tamper with only the management VM trusted hypervisor target VM management VM trusted hardware admin trusted remote host

RemoteTrans  A system for achieving IDS remote offloading  An untrusted server relays communication  Support legacy IDSes using Transcall [Iida+]  Provide an execution environment for legacy IDSes  E.g., system call emulation and shadow filesystems RT runtime remote host Transcall management VMtarget VM VMI engine RT server legacy IDS hypervisor

Remote Memory Introspection  The VMI engine returns requested data via the RemoteTrans server  Translate virtual into physical addresses  Encrypt data and calculate the MAC  The RemoteTrans runtime caches obtained data  Freshness vs. performance VMI engine RT runtime RT server data management VMtarget VM remote host IDS hypervisor request

Remote Network Introspection  The VMI engine forwards captured packets  Analyze interactions between a target VM and a virtual NIC in the management VM  Monitor events sent between them  Capture packets in the shared memory  Calculate the MAC VMI engine RT runtime RT server management VMtarget VMremote host tap virtual NIC IDS event shared memory hypervisor packets

Remote Storage Introspection  RemoteTrans provides protected storage to remote hosts  The target VM encrypts storage by dm-crypt  The password is securely passed at boot time using FBCrypt [Egawa+'12] or SCCrypt [Kourai+'15]  The remote host decrypts it using the same password RT runtime RT server management VMtarget VM remote host dm-crypt disk IDS pass word hypervisor FBCrypt

Experiments  We examined the security and performance of IDS remote offloading  Prevention of insider attacks  Performance of remote VMI  Performance of offloaded legacy IDSes CPU: Intel Xeon E Memory: 16 GB Linux CPU: Intel Xeon E Memory: 16 GB Xen vCPU: 1 Memory: 4 GB VM Gigabit Ethernet IDS

Prevention of Insider Attacks  We tampered with memory requests/responses  The RemoteTrans runtime failed MAC verification  We tampered with forwarded packets  The runtime failed MAC verification  We searched a disk image for passwords  Full-disk encryption prevented this attempt hypervisor RT runtime malicious RT server management VMtarget VM remote host IDS MAC disk

Performance of Remote VMI  We compared remote VMI with local VMI  Memory introspection: 92% degradation  Due to the overhead of communication and encryption  Storage introspection: 36% degradation  Network introspection: no packet loss memory storage

Performance of Legacy IDSes  We compared IDS remote offloading with local offloading  chkrootkit: 60% faster  Because of no virtualization at a remote host  Tripwire: 13% faster  Snort: only 5ms longer detection time chkrootkit Tripwire

Related Work  Using remote hosts with IDSes  Copilot [Petroni et al.'04]  Send the result of integrity checking using a PCI card  HyperCheck [Wang et al.'10]  Send the raw memory using SMM in x86  Secure execution of local IDSes  Flicker [McCune et al.'08]  Execute IDSes using Intel TXT and AMD SVM  Self-service cloud [Butt et al.'12]  Execute IDSes in VMs that cannot be disabled by admins

Conclusion  IDS remote offloading with remote VMI  Securely run legacy IDSes at trusted remote hosts outside semi-trusted clouds  Coexist with secure VM execution by a VMI engine in the trusted hypervisor  Achieve efficient execution of offloaded IDSes  Future work  Performance evaluation when many VMs are monitored  Performance improvement under large network delay