• No results found

VIRTUALIZATION INTROSPECTION SYSTEM ON KVM-BASED CLOUD COMPUTING PLATFORMS. Advisor: Software Security Lab.

N/A
N/A
Info
Download
Protected

Academic year: 2021

Share "VIRTUALIZATION INTROSPECTION SYSTEM ON KVM-BASED CLOUD COMPUTING PLATFORMS. Advisor: Software Security Lab."

Copied!
45
0
0

Loading.... (view fulltext now)

Download now ( 45 Page )

Full text

(1)

VIRTUALIZATION

INTROSPECTION SYSTEM

ON KVM-BASED CLOUD

COMPUTING PLATFORMS

雲端運算平台之虛擬化偵察系統

李聖瑋 [email protected] Advisor: 郁方 [email protected]

Software Security Lab.

(2)

Motivation

(3)

Motivation

•  In the era of cloud computing, security threats could be a

(4)

KVM

•  Linux Kernel Virtual Machine (KVM) is one of the most

common commodity hypervisor driver deployed in the IaaS layer of clouds.

•  KVM provides a full-virtualization environment that

emulates hardware as much as possible including CPU(s), network interfaces and mother-board chips.

(5)

Attacking VM Hypervisor

•  An intruder can attack the KVM hypervisor by exploiting a

software defect in its kernel module and can get the Host privilege with which the intruder can take over the

hypervisor

•  E.g., Cloudburst Attack that exploits the software vulnerability

(6)

Objective

•  We implement a system called Virtualization

Introspection System(VIS) that detects and intercepts

attacks from VMs by monitoring their status.

•  Detect VMs that attack Hypervisor

•  Detect VMs that attack other VMs

•  Detect VMs that have been compromised

•  VIS can be deployed on most cloud operating systems

(7)
(8)

Monitor VM status

•  We collect both static and dynamic information to

characterize VM behaviors

•  Run-time status: using “strace” to collect underlying system calls

•  Static status: using “qemu-monitor” to check installed VM image

(9)
(10)

VIS

•  Monitor

•  Monitor running behaviors/status of VMs

•  Strace, Qemu-monitor

•  Store the data into Behavior Databases

•  Visualize running status

•  Behavior Analyzer

•  Derive policy/rules for known malicious behaviors

(11)

VIS

•  Introspection Modules

•  Each is an independent python module that can be loaded

dynamically to detect malicious VM on a specific behavior

•  Policy Database

•  Rules for the actions on malicious VMs

•  Behavior Database

•  Store the previously analyzed patten of malicious behavior of VMs

•  Save the category data as

(12)

VIS

•  Behavior Checker

•  Executes the modules to compare the behaviors of underlying VMs

with policy rules

•  Identifies VMs that are (1) executing malicious programs/system

calls or (2) in compromised status

•  Sends the domain action message to controller

Controller

•  Executes commands from Behavior Checker:

destroy, shutdown, migrate etc.

•  This can be done by passing the message to cloud middleware

(e.g. OpenStack, OpenNebula)

•  In our current implementation, we use libvirt and virsh to control the

(13)

!

Termination: Shutdown the attack VMs

(14)

VIS Defense Operation

•  Termination

•  Direct shutdown and offline migration

•  VMs that are confirmed with severe attacks

•  Isolation

•  Online migration (to a physical isolated place)

•  Potential vulnerable VMs, e.g., VMs that are identified been

(15)

•  Isolation:

Migrate Malicious VMs and Redirect iptables

(16)

Evaluation

•  Detect Cloudburst Attack

(17)

Detect Cloudburst Attack

!

(18)

Detect Cloudburst Attack

•  The attack exploits the KVM software defect

(CVE-2011-1751: a pointer leaking that is triggered by un-pluging the PIIX4_PM device)

(19)

Detect Cloudburst Attack

•  Checking the change of QEMU device

(20)

Detect Social Engineering Attack

•  We replay social engineering attacks on VMs

•  Hacker VM that executes the attacks

•  Victim VM that is compromised

(21)

Detect Social Engineering Attack

Hacker VM (BackTrack 5 R3)

•  Period Initial: do nothing

•  Period Prepare: setup the social engineering attack (send

fishing emails)

•  Period Compromise: Victim clicks malicious url to build

ssh channel

•  Period Attack I: Hacker kills the process inside Victim

•  Period Attack II: Hacker keystorkes the Victim for

(22)

Detect Social Engineering Attack

Victim VM (Windows 7)

•  Period Initial: Having Firewall and Anti-virus installed

•  Period Normal: Receive fishing email with malicious url

from Hacker

•  Period Compromise: Click the malicious url

•  Period under Attack I

•  Period under Attack II

Normal VM (BackTrack 5 R3)

(23)

System Call Distribution (via Strace)

!

(24)

!

(25)

!

(26)

Run the testing

!

(27)
(28)
(29)
(30)
(31)
(32)
(33)
(34)
(35)
(36)
(37)
(38)
(39)
(40)
(41)
(42)
(43)

Conclusion

•  We propose VIS, a virtualization introspection system for

KVM-based cloud platforms

•  We monitor both dynamic and static VM status

•  We replay and characterize various attacks

•  Detect VMs that attack VM Hypervisor

•  Detect VMs that attack other VMs

•  Detect VMs that are compromised

(44)

Limitation

•  VIS is limited to protection on rules that have been

established

•  Need to collect more attack patterns

•  The rules are derived by heuristics

•  False positives and negatives

(45)

Q & A

References

Download now ( PDF - 45 Page - 2.14 MB )

Related documents

Causes and Significant of Chinese Revolution

In the 19th century, when the Ch'ing was on the decline, foreign imperialism came to China and quickened the downward course of the dynasty.. With the Ch'ing government's defeat

Effectiveness of peer support to increase uptake of retinal examination for diabetic retinopathy: study protocol for the DURE pragmatic cluster randomized clinical trial in Kirinyaga, Kenya.

CONSORT : Consolidated Standards of Reporting Trials; cRCT: Cluster Randomized Clinical Trial; DR: Diabetic Retinopathy; DSG: Diabetes support group; DURE: Uptake of Retinal

Hepatitis B vaccination status among healthcare workers in a tertiary care hospital in Tripoli, Libya

Aim: The aim of this study was to evaluate the susceptibility of HCWs to HBV infec- tion in the representative Tripoli Central Hospital in Libya and prepare a practical guideline

Section 1 - Identification of The Material and Supplier

Short Term Exposure: Available data indicates that this product is a skin irritant.. Symptoms may include itchiness and reddening of

Indian Contract Act- Offer & Acceptance

General rulesay that it mustbe as per the manner prescribed by offeror. If no mode is prescribed in which it can beaccepted, thenit must be in someusual and reasonable manner.

When the minimum wage bites back : quantile treatment effects of a sectoral minimum wage in Germany

As a result of this wage moderation, workers experienced deteriorating real wages resulting in a strong wage compression at the upper tail of the real hourly wage distribution

The Streets, de Marlene Nourbese Philip: denuncia y redención de la Historia

La ratio decidendi, por último, será la siguiente: “How and why the sentence of silence was imposed” 75, es decir, que el artículo se propone elucidar de qué manera y por qué

The inter-annual variability of heat-related mortality in nine European cities (1990-2010).

The aim is to estimate inter-annual variations in the effect of heat for a fixed temperature range, on mortality in 9 European cities included in the PHASE (Public Health