Secure Offloading of Legacy IDSes Using Remote VM Introspection in Semi-trusted IaaS Clouds Kenichi Kourai Kazuki Juda Kyushu Institute of Technology.

IDS Offloading [Garfinkel+'03]
 Run intrusion detection systems (IDSes) outside target virtual machines (VMs) securely
   E.g., in the management VM
   Intruders cannot disable offloaded IDSes
 Use VM introspection (VMI)
   Directly obtain information inside VMs
   E.g., memory, storage, and networks
(Figure: offloaded IDS in the management VM introspecting the target VM via VMI)

Abusing VMI by Insiders
 Semi-trusted clouds
   28% of cyber crimes are caused by insiders [PwC'14]
   An engineer in Google violated users' privacy [TechSpot News'10]
   35% of admins access sensitive information [CyberArk'09]
 VMI can be abused by insiders
   Sensitive information inside VMs is leaked
(Figure: insider in the management VM using VMI against the target VM)

Secure VM Execution
 Reduce the risk of insider attacks
 Secure runtime environment [Li+'10], VMCrypt [Tadokoro+'12]
   Encrypt VM's memory against insiders
 Self-service cloud [Butt+'12]
   Prevent insiders from accessing user's VMs
(Figure: insider in the management VM blocked from introspecting the target VM)

Obstacles to Secure IDS Offloading
 Secure VM execution cannot coexist with IDS offloading
   Offloaded IDSes need to access VM's memory
   Secure VM execution prevents such access
 Insiders can disable offloaded IDSes
   Stop IDSes or tamper with their configuration
(Figure: offloaded IDS in the management VM blocked from introspecting the target VM)

IDS Remote Offloading
 Run IDSes at remote hosts outside semi-trusted clouds
   Offloaded IDSes can securely introspect VMs inside remote clouds
   Insiders cannot disable offloaded IDSes
   Offloaded IDSes can detect DoS attacks easily
(Figure: offloaded IDS at a remote host performing remote VMI on the target VM inside the cloud)

Remote VMI
 Introspect remote VMs using a VMI engine
   Run a minimal VMI engine in the hypervisor
   Bypass secure VM execution by the hypervisor
 Preserve the integrity and confidentiality of introspected data
   Between the VMI engine and remote hosts
(Figure: VMI engine in the hypervisor serving the IDS at the remote host; insider in the management VM)

Threat Model
 Trust cloud providers and hardware
 The integrity of the hypervisor is guaranteed by
   Remote attestation with TPM at boot time
   PCI card [Petroni+'04] or SMM [Wang+'10] at runtime
 Do not trust all the admins in clouds
   Insiders tamper with only the management VM
(Figure: trusted hypervisor, trusted hardware, and trusted remote host; admin in the untrusted management VM)

RemoteTrans
 A system for achieving IDS remote offloading
   An untrusted server relays communication
 Support legacy IDSes using Transcall [Iida+]
   Provide an execution environment for legacy IDSes
   E.g., system call emulation and shadow filesystems
(Figure: legacy IDS on Transcall and the RT runtime at the remote host; RT server in the management VM; VMI engine in the hypervisor)

Remote Memory Introspection
 The VMI engine returns requested data via the RemoteTrans server
   Translate virtual into physical addresses
   Encrypt data and calculate the MAC
 The RemoteTrans runtime caches obtained data
   Freshness vs. performance
(Figure: request from the IDS through the RT runtime and RT server to the VMI engine; data returned along the same path)

Remote Network Introspection
 The VMI engine forwards captured packets
   Analyze interactions between a target VM and a virtual NIC in the management VM
   Monitor events sent between them
   Capture packets in the shared memory
   Calculate the MAC
(Figure: VMI engine tapping events and shared-memory packets between the target VM and the virtual NIC, forwarding them via the RT server to the RT runtime and IDS)

Remote Storage Introspection
 RemoteTrans provides protected storage to remote hosts
   The target VM encrypts storage by dm-crypt
   The password is securely passed at boot time using FBCrypt [Egawa+'12] or SCCrypt [Kourai+'15]
   The remote host decrypts it using the same password
(Figure: dm-crypt disk of the target VM relayed by the RT server to the RT runtime; password delivered to the remote host via FBCrypt)

Experiments
 We examined the security and performance of IDS remote offloading
   Prevention of insider attacks
   Performance of remote VMI
   Performance of offloaded legacy IDSes
(Figure: testbed; remote host: CPU Intel Xeon E, 16 GB memory, Linux, running the IDS; cloud host: CPU Intel Xeon E, 16 GB memory, Xen, target VM with 1 vCPU and 4 GB memory; connected by Gigabit Ethernet)

Prevention of Insider Attacks
 We tampered with memory requests/responses
   The RemoteTrans runtime failed MAC verification
 We tampered with forwarded packets
   The runtime failed MAC verification
 We searched a disk image for passwords
   Full-disk encryption prevented this attempt
(Figure: malicious RT server in the management VM between the hypervisor and the RT runtime; MAC and disk checks at the remote host)
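The memory introspection path (request, address translation, encrypt-then-MAC, caching) and the MAC-tampering experiment above, modelled as an added example that is not RemoteTrans code: the RT runtime at the remote host, an RT server that only relays, and the hypervisor-side VMI engine. It assumes a pre-shared key, HMAC-SHA256 as the MAC and an HMAC-derived keystream as stand-ins for the unspecified primitives, plus a constructed guest memory and page table.

```python
import hashlib, hmac, os

# Constructed model of remote memory introspection: the RT runtime requests guest
# memory, the untrusted RT server only relays, and the VMI engine encrypts the data
# and appends a MAC keyed with a secret the relay never sees. Assumed primitives:
# HMAC-SHA256 for the MAC and an HMAC-based keystream standing in for a real cipher.
KEY = os.urandom(32)                       # shared by VMI engine and RT runtime only
GUEST_MEM = bytearray(4096)                # constructed 4 KiB of "guest physical memory"
GUEST_MEM[0x100:0x110] = b"secret-kernel-dt"
PAGE_TABLE = {0xC0000000: 0x0}             # constructed guest virtual->physical page map

def keystream(key, nonce, n):
    """PRF-in-counter-mode keystream of n bytes, unique per nonce."""
    out = b""
    for ctr in range((n + 31) // 32):
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:n]

def vmi_engine(request):
    """Hypervisor side: translate the address, read guest memory, encrypt-then-MAC."""
    vaddr, length, nonce = request
    paddr = PAGE_TABLE[vaddr & ~0xFFF] | (vaddr & 0xFFF)
    plain = bytes(GUEST_MEM[paddr:paddr + length])
    cipher = bytes(a ^ b for a, b in zip(plain, keystream(KEY, nonce, length)))
    tag = hmac.new(KEY, nonce + cipher, hashlib.sha256).digest()  # nonce binds reply to request
    return cipher, tag

class RTRuntime:
    """Remote host side: issue requests, verify the MAC, decrypt, and cache."""
    def __init__(self, relay):
        self.relay = relay                 # the (possibly malicious) RT server
        self.cache = {}
    def read(self, vaddr, length, fresh=False):
        if not fresh and (vaddr, length) in self.cache:
            return self.cache[(vaddr, length)]   # fast, but may be stale
        nonce = os.urandom(16)
        cipher, tag = self.relay((vaddr, length, nonce))
        expected = hmac.new(KEY, nonce + cipher, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            raise ValueError("MAC verification failed: response tampered with")
        plain = bytes(a ^ b for a, b in zip(cipher, keystream(KEY, nonce, length)))
        self.cache[(vaddr, length)] = plain
        return plain

def malicious_relay(request):
    cipher, tag = vmi_engine(request)      # insider flips one ciphertext bit in transit
    return bytes([cipher[0] ^ 1]) + cipher[1:], tag
```

An honest RT server is simply `RTRuntime(vmi_engine)`; the relay cannot read the plaintext and any modification fails verification at the runtime, while `fresh=True` trades the cache's speed for current data.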

Performance of Remote VMI
 We compared remote VMI with local VMI
   Memory introspection: 92% degradation
     Due to the overhead of communication and encryption
   Storage introspection: 36% degradation
   Network introspection: no packet loss
(Figure: bar charts of memory and storage introspection performance)

Performance of Legacy IDSes
 We compared IDS remote offloading with local offloading
   chkrootkit: 60% faster
     Because of no virtualization at a remote host
   Tripwire: 13% faster
   Snort: only 5 ms longer detection time
(Figure: bar charts of chkrootkit and Tripwire execution times)

Related Work
 Using remote hosts with IDSes
   Copilot [Petroni et al.'04]
     Send the result of integrity checking using a PCI card
   HyperCheck [Wang et al.'10]
     Send the raw memory using SMM in x86
 Secure execution of local IDSes
   Flicker [McCune et al.'08]
     Execute IDSes using Intel TXT and AMD SVM
   Self-service cloud [Butt et al.'12]
     Execute IDSes in VMs that cannot be disabled by admins

Conclusion
 IDS remote offloading with remote VMI
   Securely run legacy IDSes at trusted remote hosts outside semi-trusted clouds
   Coexist with secure VM execution by a VMI engine in the trusted hypervisor
   Achieve efficient execution of offloaded IDSes
 Future work
   Performance evaluation when many VMs are monitored
   Performance improvement under large network delay