A Wingman for Virtual Appliances

  • Conference paper
  • Runtime Verification (RV 2017)

Part of the book series: Lecture Notes in Computer Science (LNPSE, volume 10548)

Abstract

Wingman is a run-time monitoring system that aims to detect and mitigate anomalies, including malware infections, within virtual appliances (VAs). It observes the kernel state of a VA and uses an expert system to determine when that state is anomalous. Wingman does not simply restart a compromised VA; instead, it attempts to repair the VA, thereby minimizing potential downtime and state loss. This paper describes Wingman and summarizes experiments in which it detected and mitigated three types of malware within a web-server VA. For each attack, Wingman was able to defend the VA by bringing it to an acceptable state.
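The abstract describes the monitoring loop only at a high level: facts drawn from the guest kernel's state, rules that decide when that state is anomalous, and a repair applied in place rather than a restart. The toy monitor below is an added example written for this page, not code from Wingman or Stackdb; the snapshot layout (two views of the task list, a syscall table with a known-good copy), the two rules and the repair actions are all assumptions chosen here to make the detect-then-repair shape concrete. The snapshot values are constructed.

```python
"""Toy rule-based kernel-state monitor (illustrative example for this page,
not Wingman's code).  A snapshot of guest kernel state is reduced to facts,
rules flag anomalies, and each anomaly carries a repair that is applied to
the snapshot in place instead of restarting the appliance.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass
class KernelState:
    # Two independent views of the process list, as an introspection
    # monitor could obtain them: by walking the linked task list and by
    # walking the PID hash table.  Unlinking a task from one structure but
    # not the other produces a mismatch between the views.  (Assumed layout.)
    tasks_by_list: Dict[int, str]
    tasks_by_pid_hash: Dict[int, str]
    # Current system call table and the addresses recorded from a known-good
    # boot of the same kernel image.  Both tables are assumed to share keys.
    syscall_table: Dict[str, int]
    syscall_table_golden: Dict[str, int]
    # Address range of the kernel's own text section.
    kernel_text: range


@dataclass
class Anomaly:
    rule: str
    detail: str
    repair: Callable[[KernelState], None]


def rule_hidden_tasks(state: KernelState) -> List[Anomaly]:
    """Flag tasks present in the PID hash view but missing from the list view."""
    found = []
    hidden = set(state.tasks_by_pid_hash) - set(state.tasks_by_list)
    for pid in sorted(hidden):
        name = state.tasks_by_pid_hash[pid]

        def fix(s: KernelState, pid: int = pid) -> None:
            # Repair: terminate the hidden task, i.e. drop it from both views.
            s.tasks_by_pid_hash.pop(pid, None)
            s.tasks_by_list.pop(pid, None)

        found.append(Anomaly("hidden-task", f"pid {pid} ({name}) only in PID hash", fix))
    return found


def rule_syscall_hooks(state: KernelState) -> List[Anomaly]:
    """Flag syscall entries that differ from the golden copy or leave kernel text."""
    found = []
    for name, addr in state.syscall_table.items():
        golden = state.syscall_table_golden[name]
        if addr != golden or addr not in state.kernel_text:

            def fix(s: KernelState, name: str = name, golden: int = golden) -> None:
                # Repair: restore the known-good handler address.
                s.syscall_table[name] = golden

            found.append(Anomaly("syscall-hook", f"{name} -> {addr:#x} (expected {golden:#x})", fix))
    return found


RULES = [rule_hidden_tasks, rule_syscall_hooks]


def evaluate(state: KernelState) -> List[Anomaly]:
    """Run every rule over the snapshot and collect anomalies."""
    anomalies: List[Anomaly] = []
    for rule in RULES:
        anomalies.extend(rule(state))
    return anomalies


def repair(state: KernelState, anomalies: List[Anomaly]) -> List[Anomaly]:
    """Apply each anomaly's repair, then re-evaluate and return what remains."""
    for anomaly in anomalies:
        anomaly.repair(state)
    return evaluate(state)


def constructed_snapshot() -> KernelState:
    """Constructed sample state: one unlinked task and one redirected syscall."""
    text = range(0xFFFFFFFF81000000, 0xFFFFFFFF82000000)
    return KernelState(
        tasks_by_list={1: "init", 100: "apache2"},
        tasks_by_pid_hash={1: "init", 100: "apache2", 4242: "unknown"},
        syscall_table={"sys_read": 0xFFFFFFFF81200010, "sys_getdents": 0xFFFFFFFFA0001000},
        syscall_table_golden={"sys_read": 0xFFFFFFFF81200010, "sys_getdents": 0xFFFFFFFF81200200},
        kernel_text=text,
    )


if __name__ == "__main__":
    state = constructed_snapshot()
    found = evaluate(state)
    for a in found:
        print(f"{a.rule}: {a.detail}")
    print("residual anomalies after repair:", len(repair(state, found)))
```

The point of keeping the repair on the anomaly object is that the monitor can choose between repairing and escalating per rule: a restored syscall pointer is cheap and preserves guest state, whereas a repair that cannot bring the snapshot back to a clean evaluation is the signal to fall back to a restart.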

References

  1. Chokepoint: Azazel userland rootkit, February 2015. https://github.com/chokepoint/azazel

  2. Coppola, M.: Suterusu rootkit, September 2014. https://github.com/mncoppola/suterusu

  3. Fu, Y., Lin, Z.: Exterior: using a dual-VM based external shell for guest-OS introspection, configuration, and recovery. In: Proceedings VEE, pp. 97–110, March 2013. doi:10.1145/2451512.2451534

  4. Garfinkel, T., Rosenblum, M.: A virtual machine introspection based architecture for intrusion detection. In: Proceedings NDSS, pp. 191–206, February 2003. http://www.isoc.org/isoc/conferences/ndss/03/proceedings/papers/13.pdf

  5. Hofmann, O.S., Dunn, A.M., Kim, S., Roy, I., Witchel, E.: Ensuring operating system kernel integrity with OSck. In: Proceedings ASPLOS, pp. 279–290, March 2011. doi:10.1145/1950365.1950398

  6. Johnson, D., Hibler, M., Eide, E.: Composable multi-level debugging with Stackdb. In: Proceedings VEE, pp. 213–226, March 2014. doi:10.1145/2576195.2576212

  7. Johnson, D., Nayak, P., Hibler, M., Burtsev, A., Eide, E.: Wingman and Stackdb software, March 2017. https://gitlab.flux.utah.edu/a3/vmi

  8. Joshi, A., King, S.T., Dunlap, G.W., Chen, P.M.: Detecting past and present intrusions through vulnerability-specific predicates. In: Proceedings SOSP, pp. 91–104, October 2005. doi:10.1145/1095810.1095820

  9. Landesman, M.: Apache Darkleech compromises, 2 April 2013. http://blogs.cisco.com/security/apache-darkleech-compromises

  10. Loscocco, P.A., Wilson, P.W., Pendergrass, J.A., McDonell, C.D.: Linux kernel integrity measurement using contextual inspection. In: Proceedings ACM Workshop on Scalable Trusted Computing (STC), pp. 21–29, November 2007. doi:10.1145/1314354.1314362

  11. Nayak, P.: Detecting and mitigating malware in virtual appliances. Master’s thesis, University of Utah, December 2014. http://www.flux.utah.edu/paper/pnayak-thesis

  12. Ostrand, T.J., Weyuker, E.J.: The distribution of faults in a large industrial software system. In: Proceedings ISSTA, pp. 55–64, July 2002. doi:10.1145/566172.566181

  13. Ostrand, T.J., Weyuker, E.J., Bell, R.M.: Where the bugs are. In: Proceedings ISSTA, pp. 86–96, July 2004. doi:10.1145/1007512.1007524

  14. Savely, R., Culbert, C., Riley, G., Dantes, B., Ly, B., Ortiz, C., Giarratano, J., Lopez, F.: CLIPS: a tool for building expert systems, May 2015. http://clipsrules.sourceforge.net/

  15. Sun, C., He, L., Wang, Q., Willenborg, R.: Simplifying service deployment with virtual appliances. In: Proceedings IEEE International Conference on Services Computing (SCC), pp. 265–272, July 2008. doi:10.1109/SCC.2008.53

  16. White, B., Lepreau, J., Stoller, L., Ricci, R., Guruprasad, S., Newbold, M., Hibler, M., Barb, C., Joglekar, A.: An integrated experimental environment for distributed systems and networks. In: Proceedings OSDI, pp. 255–270, December 2002. https://www.usenix.org/legacy/event/osdi02/tech/white.html

Acknowledgments

We performed our experiments on machines in the Utah Emulab testbed [16]. This work was supported in part by the Air Force Research Laboratory and DARPA under Contract No. FA8750–10–C–0242. This material is based upon work supported in part by the National Science Foundation under Grant No. 1314945.

Author information

Corresponding author: Eric Eide.

Copyright information

© 2017 Springer International Publishing AG

About this paper

Cite this paper

Nayak, P., Hibler, M., Johnson, D., Eide, E. (2017). A Wingman for Virtual Appliances. In: Lahiri, S., Reger, G. (eds) Runtime Verification. RV 2017. Lecture Notes in Computer Science, vol. 10548. Springer, Cham. https://doi.org/10.1007/978-3-319-67531-2_25

  • DOI: https://doi.org/10.1007/978-3-319-67531-2_25

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-67530-5

  • Online ISBN: 978-3-319-67531-2

  • eBook Packages: Computer Science (R0)