Authors: Monirul Sharif, Wenke Lee, Weidong Cui, Andrea Lanzi. Reporter: Chun-Chih Wu. Advisor: Hsing-Kuo Pao. Selected from: CCS'09


2 Outline
- Introduction
- Secure In-VM Monitoring
- Implementation
- Experimental Evaluation
- Conclusion

3 Introduction
- Malicious programs compromise the kernel of an operating system.
- Many security approaches require the ability to monitor frequently executing events.
- Secure In-VM Monitoring (SIM) is a general-purpose framework based on hardware virtualization features.

4 Contributions:
- A monitoring framework built on hardware virtualization and memory protection features.
- A prototype of the SIM framework based on KVM and a Windows guest OS.
- A systematic security analysis of SIM against a number of possible threats, showing that SIM provides no less security guarantees than can be achieved by out-of-VM monitors.

5 In-VM monitoring (figure legend: H = handler, CM = monitor code, DM = monitor data, R = response, A = adversary program, DP = program data, CP = program code, K = hook, DK = hook data)

6 Out-of-VM monitoring (figure legend: H = handler, CM = monitor code, DM = monitor data, R = response, A = adversary program, DP = program data, CP = program code, K = hook, DK = hook data)

7 Performance requirements
- (P1) Fast invocation: switching into the monitor does not involve any privilege level changes.
- (P2) Data read/write at native speed: the monitor accesses guest memory without any hypervisor intervention.

8 Security requirements
- (S1) Isolation of the monitor's code (CM) and data (DM)
- (S2) Designated point for switching into CM
- (S3) A handler (hi) is called if and only if the corresponding hook (ki) executes
- (S4) The behavior of the monitor is not maliciously alterable

9 Secure In-VM Monitoring

10 The SIM address space
- SIM data/code: the monitor itself; visible only within the SIM address space.
- Invocation checker: verifies that the call chain is legitimate; visible only in the SIM address space.
- Entry/exit gates: visible in both address spaces, writable only in the SIM address space; tiny and carefully crafted.
- Kernel code/data: not executable in the SIM address space, so the monitor cannot accidentally run untrusted code.

11 Entry/exit gates
Entry:
1. Disable interrupts (untrusted VM address space)
2. Save CPU state to the stack
3. Switch address space
4. Re-disable interrupts (SIM address space)
5. Switch stack to a SIM-restricted one
6. Run the invocation checker
Exit:
1. Restore stack, page table and CPU state
2. Re-enable interrupts
3. Jump to the return point

12 How SIM meets the security requirements
1. Isolation of the monitor's code and data: the hypervisor does not allow the monitor code and data to be mappable into any untrusted address space in the guest VM.
2. Designated point for switching into CM: the only way to enter the trusted address space from the untrusted one is via the entry gates.
3. A handler is called if and only if the corresponding hook executes: each hook invokes a corresponding entry gate, which eventually calls the corresponding handler, and each invoker of the entry gate is checked by the invocation checking routine.
4. The behavior of the monitor is not maliciously alterable: no code from the untrusted domain is executable in the trusted address space, and the monitor is not allowed to call into the untrusted kernel.
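A small model of the two address-space views and the entry gate with its invocation checker from slides 10 to 12, added here as an illustration; it is not the paper's or the KVM prototype's code, and the region layout, permission table, hook addresses and gate ids are constructed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Page permission bits and the regions the hypervisor maps differently
 * in the untrusted (kernel) and trusted (SIM) address spaces. */
enum { PERM_R = 1, PERM_W = 2, PERM_X = 4 };
enum region { KERNEL, GATES, SIM_MONITOR, NREGIONS };
enum space  { UNTRUSTED, TRUSTED };

/* perms[space][region]: constructed values following slides 10 and 12:
 * SIM pages are unmapped in the untrusted space, gates are writable only
 * in the SIM space, kernel code is not executable in the SIM space. */
static const int perms[2][NREGIONS] = {
    [UNTRUSTED] = { [KERNEL] = PERM_R|PERM_W|PERM_X, [GATES] = PERM_R|PERM_X,        [SIM_MONITOR] = 0 },
    [TRUSTED]   = { [KERNEL] = PERM_R|PERM_W,        [GATES] = PERM_R|PERM_W|PERM_X, [SIM_MONITOR] = PERM_R|PERM_W|PERM_X },
};

bool can_access(enum space s, enum region r, int want) {
    return (perms[s][r] & want) == want;
}

/* Registered hook: the hook site address, the gate it calls, its handler. */
struct hook { uintptr_t hook_site; int gate_id; int handler_id; };

static const struct hook hooks[] = {
    { 0x8050a000u, 1, 1 },   /* constructed: hook k1 -> gate 1 -> handler h1 */
    { 0x8050b100u, 2, 2 },   /* constructed: hook k2 -> gate 2 -> handler h2 */
};

/* Invocation checker (S3): a gate may only be entered from the hook site
 * registered for it. Returns the handler id, or -1 to refuse the call. */
int invocation_check(int gate_id, uintptr_t return_addr) {
    for (size_t i = 0; i < sizeof hooks / sizeof hooks[0]; i++)
        if (hooks[i].gate_id == gate_id && hooks[i].hook_site == return_addr)
            return hooks[i].handler_id;
    return -1;
}

struct cpu_state { uintptr_t return_addr; enum space cur; };

/* Entry gate in the order of slide 11: the CPU state (here only the return
 * address) is saved before the address-space switch, so the checker runs on
 * a value the untrusted caller can no longer modify. */
int entry_gate(int gate_id, struct cpu_state *st) {
    uintptr_t saved_ret = st->return_addr;       /* save CPU state */
    st->cur = TRUSTED;                           /* switch page table */
    int h = invocation_check(gate_id, saved_ret);
    if (h < 0) st->cur = UNTRUSTED;              /* refused: take the exit path */
    return h;
}
```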

13 Implementation
- Host: Linux distribution
- Guest OS: Windows XP SP2
- Initialization:
1. Reserve virtual address ranges in the system address space for use in entry and exit gate creation
2. Creation of the SIM virtual address space by the hypervisor component
3. Loading a security monitor application into the SIM address space
4. Installing the relevant routines to perform switching into the SIM address space

14 Experimental Evaluation

Monitor invocation overhead comparison

Monitor type           Avg. time (μs)   Std. dev. (μs)
SIM approach           0.469            0.051
Out-of-VM approach     5.055            0.132

Process creation monitor performance results

Monitor type           Average time (μs)   Relative overhead (%)
Traditional            3.487               (baseline)
Out-of-VM approach     28.039              690.50%
SIM approach           3.967               13.70%

15 System call tracing macrobenchmarks

Benchmark        Bare            Out-of-VM overhead   SIM overhead
Memory Latency   10.42 MAcc/s    84.58%               7.97%
HTML Render      1.12 pg/s       52.42%               5.83%
File Compress    3.4 MB/s        3.97%                0.59%
File Encrypt     20.56 MB/s      7.85%                0.89%
File Decrypt     78.21 MB/s      2.53%                0.45%
HDD              15.29 MB/s      41.68%               3.74%
Text Edit        82.73 pg/s      128.84%              9.64%
Average          -               46.10%               4.15%

16 Conclusion
- A general-purpose SIM framework that provides the same security guarantees as out-of-VM monitoring with the low performance overhead of in-VM monitoring.
- The SIM framework reduces monitoring overhead by 11 times if only monitor invocation time is considered.
- For the process creation monitor, SIM introduces an overhead of 13.7%, compared with 690.5% for the out-of-VM approach.
- In the macrobenchmarks, SIM's overall overhead stays below 10%, while the out-of-VM approach's overhead reaches 128%.
