http://dx.doi.org/10.3837/tiis.2018.11.023

A Multi-level Perception Security Model Using Virtualization  

Lou, Rui (State Key Laboratory of Mathematical Engineering and Advanced Computing)
Jiang, Liehui (State Key Laboratory of Mathematical Engineering and Advanced Computing)
Chang, Rui (State Key Laboratory of Mathematical Engineering and Advanced Computing)
Wang, Yisen (State Key Laboratory of Mathematical Engineering and Advanced Computing)
Publication Information
KSII Transactions on Internet and Information Systems (TIIS) / v.12, no.11, 2018, pp. 5588-5613
Abstract
Virtualization technology has been widely applied in computer security research, where it provides a new method for system protection, and it is currently a hotspot in system security research. Virtualization brings new risks as well as progress to the computer operating system (OS). A multi-level perception security model using virtualization is proposed to deal with three problems: over-simplified risk models, the unreliable assumption of a secure virtual machine monitor (VMM), and insufficient integration with virtualization technology in security design. By adopting an enhanced address-space isolation mechanism, the security perception units are protected from the risky environment. A mechanism to ensure the security of the VMM is established, based on parallel perception by a secure domain that holds the same privilege level as the VMM. In addition, a special pathway is set up to strengthen information interaction by making reverse use of the covert channel method. The evaluation results show that the proposed model obtains valuable risk information about the system while ensuring the integrity of the security perception units, and that it can effectively identify the abnormal state of the target system without significantly increasing overhead.
Keywords
Virtualization security; threat model; information perception; VMM protection; anomaly detection;