DOI: 10.1145/3176258.3176317

Hyperagents: Migrating Host Agents to the Hypervisor

Published: 13 March 2018

Abstract

Third-party software daemons called host agents are increasingly responsible for a modern host's security, automation, and monitoring tasks. Because of their location within the host, these agents are at risk of manipulation by malware and users. Additionally, in virtualized environments where multiple adjacent guests each run their own set of agents, the cumulative resources that agents consume add up rapidly. Consolidating agents onto the hypervisor can address these problems, but places a technical burden on agent developers.
This work presents a development methodology to re-engineer a host agent into a hyperagent, an out-of-guest agent that gains unique hypervisor-based advantages while retaining its original in-guest capabilities. This three-phase methodology makes integrating Virtual Machine Introspection (VMI) functionality into existing code easier and more accessible, minimizing an agent developer's re-engineering effort. The benefits of hyperagents are illustrated by porting the GRR live forensics agent, which retains 89% of its codebase, uses 40% less memory than its in-guest counterparts, and enables a 4.9x speedup for a representative data-intensive workload. This work shows that a conventional off-the-shelf host agent can be feasibly transformed into a hyperagent and provide a powerful, efficient tool for defending virtualized systems.


Published In

CODASPY '18: Proceedings of the Eighth ACM Conference on Data and Application Security and Privacy
March 2018, 401 pages
ISBN: 9781450356329
DOI: 10.1145/3176258
© 2018 Association for Computing Machinery. ACM acknowledges that this contribution was authored or co-authored by an employee, contractor or affiliate of the United States government. As such, the United States Government retains a nonexclusive, royalty-free right to publish or reproduce this article, or to allow others to do so, for Government purposes only.

Publisher

Association for Computing Machinery, New York, NY, United States


Author Tags

cloud security, computer forensics, virtual machine introspection


Conference

CODASPY '18
Paper acceptance rate: 23 of 110 submissions, 21%; overall acceptance rate: 149 of 789 submissions, 19%
