
Active File Integrity Monitoring Using Paravirtualized Filesystems

Conference paper, in: Trusted Systems (INTRUST 2013)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 8292)

Abstract

Monitoring file integrity and preventing illegal modifications is a crucial part of improving system security. Unfortunately, current research that focuses on isolating monitoring components from the supervised systems can often still be thwarted by tampering with the hooks placed inside the Virtual Machines (VMs), so that critical file operations go unnoticed. In this paper, we present an approach that relocates a supervised VM’s entire filesystem into the isolated realm of the host. This way, we can enforce that all file operations originating from a VM (e.g., read and write operations) must necessarily be routed through the hypervisor, where they can be tracked and even prevented. Disabling hooks in the VM then becomes pointless, as this would render the VM incapable of accessing or manipulating its own filesystem. This guarantees secure and complete active file integrity monitoring of VMs. The experimental results of our prototype implementation show the feasibility of our approach.
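The abstract's central point is that once the guest's files live on the host, every guest file operation arrives at a host-side mediation point that can log it, check it against an integrity policy, and refuse it, regardless of what the guest does to its own hooks. The following added example (not the paper's code, and not its prototype) models that mediation point in Python: the guest's filesystem is a host-side dictionary, each request arrives as an operation, a path and optional data, and the host enforces a read-only set of protected paths and verifies measured files against known-good digests. The request format, the paths, the policy and the file contents are constructed assumptions; the 9P/virtio transport the real system would use is left out.

```python
"""Host-side mediation of guest file operations (added illustration).

Constructed model of the approach in the abstract: the guest's filesystem
is held on the host, so every guest file operation becomes a request the
host can audit, check against an integrity policy, and deny. The request
shape, paths, policy and contents are assumptions made for this example.
"""
import hashlib
from dataclasses import dataclass, field


@dataclass
class Policy:
    # Paths the guest may read but never modify (hypothetical example set).
    read_only: set
    # Expected SHA-256 digests of measured files (constructed values).
    known_good: dict


@dataclass
class HostFilesystem:
    files: dict                      # path -> bytes: the guest's filesystem, kept on the host
    policy: Policy
    audit: list = field(default_factory=list)   # one tuple per mediated request

    @staticmethod
    def _sha256(data: bytes) -> str:
        return hashlib.sha256(data).hexdigest()

    def handle(self, op: str, path: str, data: bytes = b"") -> dict:
        """Mediate one guest request; a denied request changes nothing on the host."""
        if op == "read":
            content = self.files.get(path)
            ok = content is not None
            self.audit.append((op, path, "ok" if ok else "enoent"))
            return {"ok": ok, "data": content if ok else b""}
        if op in ("write", "unlink"):
            # The policy lives on the host, so a guest cannot bypass it by
            # disabling in-guest hooks: there is no other path to the file.
            if path in self.policy.read_only:
                self.audit.append((op, path, "denied"))
                return {"ok": False, "error": "EACCES"}
            if op == "write":
                self.files[path] = data
                # Record the digest of the new content for later verification.
                self.audit.append((op, path, "ok", self._sha256(data)))
            else:
                self.files.pop(path, None)
                self.audit.append((op, path, "ok"))
            return {"ok": True}
        self.audit.append((op, path, "unsupported"))
        return {"ok": False, "error": "ENOSYS"}

    def verify(self) -> dict:
        """Compare each measured file present on the host with its known-good digest."""
        return {
            path: self._sha256(self.files[path]) == digest
            for path, digest in self.policy.known_good.items()
            if path in self.files
        }


def demo():
    """Run a constructed sequence: a denied tamper attempt, an allowed log write, a read."""
    sshd = b"sshd binary contents (constructed)"
    policy = Policy(
        read_only={"/usr/sbin/sshd"},
        known_good={"/usr/sbin/sshd": hashlib.sha256(sshd).hexdigest()},
    )
    fs = HostFilesystem(
        files={"/usr/sbin/sshd": sshd, "/var/log/app.log": b""},
        policy=policy,
    )
    tamper = fs.handle("write", "/usr/sbin/sshd", b"replaced binary (constructed)")
    log_write = fs.handle("write", "/var/log/app.log", b"app started\n")
    read_back = fs.handle("read", "/usr/sbin/sshd")
    return fs, tamper, log_write, read_back


if __name__ == "__main__":
    fs, tamper, log_write, read_back = demo()
    print("tamper attempt:", tamper)
    print("log write:", log_write)
    print("integrity:", fs.verify())
    for entry in fs.audit:
        print("audit:", entry)
```

The design choice worth noticing is where the state lives: `files`, `policy` and `audit` are all host-side objects, so the guest's only influence on them is through `handle`. A guest that removes or patches its own monitoring code still has to send its requests to this function to touch any file, which is exactly the property the abstract relies on.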




Copyright information

© 2013 Springer International Publishing Switzerland

About this paper

Cite this paper

Velten, M., Wessel, S., Stumpf, F., Eckert, C. (2013). Active File Integrity Monitoring Using Paravirtualized Filesystems. In: Bloem, R., Lipp, P. (eds) Trusted Systems. INTRUST 2013. Lecture Notes in Computer Science, vol 8292. Springer, Cham. https://doi.org/10.1007/978-3-319-03491-1_4


  • DOI: https://doi.org/10.1007/978-3-319-03491-1_4

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-03490-4

  • Online ISBN: 978-3-319-03491-1

  • eBook Packages: Computer Science (R0)
