HyperWall: A Hypervisor for Detection and Prevention of Malicious Communication

  • Conference paper
  • Network and System Security (NSS 2020)

Part of the book series: Lecture Notes in Computer Science (LNCS, volume 12570)

Abstract

Malicious programs vary widely in their functionality, from key-logging to disk encryption. However, most malicious programs communicate with their operators, thus revealing themselves to various security tools. The security tools incorporated within an operating system are vulnerable to attacks due to the large attack surface of the operating system kernel and modules. We present a kernel module that demonstrates how kernel-mode access can be used to bypass any security mechanism that is implemented in kernel-mode. External security tools, like firewalls, lack important information about the origin of the intercepted packets, thus their filtering policy is usually insufficient to prevent communication between the malicious program and its operator. We propose to use a thin hypervisor, which we call "HyperWall", to prevent malicious communication. The proposed system is effective against an attacker who has gained access to kernel-mode. Our performance evaluation shows that the system incurs insignificant (≈1.64% on average) performance degradation in real-world applications.
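The abstract's point that an external firewall "lacks important information about the origin of the intercepted packets" is easiest to see side by side. The following is an added example written for this page, not HyperWall's code: it builds raw IPv4/TCP and IPv4/UDP packets, parses the 5-tuple out of them (the only thing a network-edge device can see), and compares a 5-tuple-only filter with one that also receives an origin tag from a layer below the kernel. How HyperWall attributes a packet to its origin is not described in the abstract; the origin tag here (a program name such as "firefox" or "implant") and the per-origin default-deny policy are assumptions of the example, and the traffic is constructed.

```python
"""
Added illustration, not HyperWall's code: a packet filter that sees only the
5-tuple (the position of an external firewall) versus one that also receives
the origin of the packet from a layer below the kernel. How HyperWall itself
attributes packets is not described in the abstract; the 'origin' tag here is
an assumed program name handed to the filter by the interposition layer.
"""
import struct
import ipaddress
from dataclasses import dataclass
from typing import Dict, Set, Tuple

IPPROTO_TCP = 6
IPPROTO_UDP = 17

# (protocol, destination port) pairs: the unit of policy for both filters.
Service = Tuple[int, int]


def build_ipv4(src: str, dst: str, proto: int, l4: bytes) -> bytes:
    """Minimal IPv4 header (IHL 5, no options, checksum left zero) + L4 bytes."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    return hdr + l4


def build_tcp(sport: int, dport: int, payload: bytes = b"") -> bytes:
    """Minimal TCP header: data offset 5, SYN set, checksum left zero."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 65535, 0, 0) + payload


def build_udp(sport: int, dport: int, payload: bytes = b"") -> bytes:
    """Minimal UDP header, checksum left zero."""
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


@dataclass(frozen=True)
class FiveTuple:
    proto: int
    src: str
    dst: str
    sport: int
    dport: int


def parse_ipv4(packet: bytes) -> FiveTuple:
    """Extract the 5-tuple from raw IPv4 + TCP/UDP bytes, rejecting malformed input."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _, total_len, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (ver_ihl & 0x0F) * 4
    if ihl < 20 or total_len < ihl + 4 or len(packet) < total_len:
        raise ValueError("bad IHL/total length or truncated packet")
    if proto not in (IPPROTO_TCP, IPPROTO_UDP):
        raise ValueError(f"unsupported protocol {proto}")
    sport, dport = struct.unpack("!HH", packet[ihl:ihl + 4])  # both L4 headers start with ports
    return FiveTuple(proto, str(ipaddress.IPv4Address(src)),
                     str(ipaddress.IPv4Address(dst)), sport, dport)


class PerimeterFirewall:
    """Network-edge filter: the verdict depends on the 5-tuple alone, because that is
    all an external device can see."""

    def __init__(self, allowed: Set[Service]):
        self.allowed = set(allowed)

    def verdict(self, packet: bytes) -> str:
        t = parse_ipv4(packet)
        return "ALLOW" if (t.proto, t.dport) in self.allowed else "DROP"


class OriginAwareFilter:
    """Below-the-kernel filter: each packet arrives tagged with the guest context that
    sent it (assumed here: a program name), and policy is per origin with default deny."""

    def __init__(self, policy: Dict[str, Set[Service]]):
        self.policy = {origin: set(services) for origin, services in policy.items()}

    def verdict(self, origin: str, packet: bytes) -> str:
        t = parse_ipv4(packet)
        return "ALLOW" if (t.proto, t.dport) in self.policy.get(origin, set()) else "DROP"


def demo() -> Dict[str, str]:
    """Constructed traffic: a browser and an implant both using 'normal' ports."""
    browser_https = build_ipv4("10.0.0.5", "203.0.113.10", IPPROTO_TCP, build_tcp(51000, 443))
    implant_https = build_ipv4("10.0.0.5", "198.51.100.7", IPPROTO_TCP, build_tcp(51001, 443))
    implant_dns = build_ipv4("10.0.0.5", "198.51.100.7", IPPROTO_UDP, build_udp(51002, 53, b"\x00" * 32))

    edge = PerimeterFirewall({(IPPROTO_TCP, 80), (IPPROTO_TCP, 443), (IPPROTO_UDP, 53)})
    deep = OriginAwareFilter({
        "firefox": {(IPPROTO_TCP, 80), (IPPROTO_TCP, 443)},
        "resolver": {(IPPROTO_UDP, 53)},
    })
    return {
        "edge_browser": edge.verdict(browser_https),
        "edge_implant_https": edge.verdict(implant_https),  # indistinguishable from the browser
        "edge_implant_dns": edge.verdict(implant_dns),
        "deep_browser": deep.verdict("firefox", browser_https),
        "deep_implant_https": deep.verdict("implant", implant_https),
        "deep_implant_dns": deep.verdict("implant", implant_dns),
    }


if __name__ == "__main__":
    for name, v in demo().items():
        print(f"{name:20s} {v}")
```

Both filters apply a sensible-looking policy, yet the perimeter filter passes the implant's HTTPS and DNS traffic because, on the wire, it is the same (protocol, port) as legitimate traffic; only the filter that learns the origin can apply default deny per program. The example also shows why the origin tag must come from a layer the guest kernel cannot tamper with: if the tag were produced by the kernel's own network stack, the kernel-mode attacker described in the abstract could simply relabel the implant's packets as the browser's.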

Author information

Corresponding author: Michael Kiperberg.

Copyright information

© 2020 Springer Nature Switzerland AG

About this paper

Cite this paper

Kiperberg, M., Yehuda, R.B., Zaidenberg, N.J. (2020). HyperWall: A Hypervisor for Detection and Prevention of Malicious Communication. In: Kutyłowski, M., Zhang, J., Chen, C. (eds) Network and System Security. NSS 2020. Lecture Notes in Computer Science, vol 12570. Springer, Cham. https://doi.org/10.1007/978-3-030-65745-1_5

  • DOI: https://doi.org/10.1007/978-3-030-65745-1_5

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-65744-4

  • Online ISBN: 978-3-030-65745-1

  • eBook Packages: Computer Science (R0)