Funding: Supported in part by the National Natural Science Foundation of China (NSFC) under Grant Nos. 61100228 and 61202479; the National High-tech R&D Program of China under Grant No. 2012AA013101; the Strategic Priority Research Program of the Chinese Academy of Sciences under Grant Nos. XDA06030601 and XDA06010701; and the Open Fund of the Key Laboratory of IOT Application Technology of Universities in Yunnan Province under Grant No. 2015IOT03.
Abstract: Recently, virtualization technologies have been widely used in industry. In order to monitor the security of target systems in virtualization environments, conventional methods usually put the security monitoring mechanism into the normal functionality of the target systems. However, these methods are either prone to being tampered with by attackers or introduce considerable performance overhead for the target systems. To address these problems, in this paper we present a concurrent security monitoring method which decouples the traditional serial mechanism, comprising a security event collector and an analyzer, into two concurrent components. On one hand, we utilize the SIM framework to deploy the event collector into the target virtual machine. On the other hand, we combine virtualization technology and multi-core technology to put the event analyzer into a trusted execution environment. To address the synchronization problem between these two concurrent components, we make use of Lamport's ring buffer algorithm. Based on the Xen hypervisor, we have implemented a prototype system named COMO. The experimental results show that COMO can monitor the security of the target virtual machine concurrently with little performance overhead.
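The collector/analyzer hand-off that the abstract attributes to Lamport's ring buffer algorithm, as an added example that is not COMO's code: a single-producer/single-consumer ring where the in-VM collector only ever advances `head` and the analyzer on another core only ever advances `tail`, so no lock is needed. The struct and function names, and the `sec_event` record, are assumptions for illustration.

```c
#include <stdatomic.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

#define RING_SIZE 8  /* power of two; one slot is always left empty */

struct sec_event { uint32_t pid, syscall_nr; };  /* constructed record the collector reports */

struct ring {
    struct sec_event slots[RING_SIZE];
    _Atomic size_t head;  /* advanced only by the producer (collector) */
    _Atomic size_t tail;  /* advanced only by the consumer (analyzer)  */
};

static size_t ring_next(size_t i) { return (i + 1) & (RING_SIZE - 1); }

/* Producer: returns false when full, so the collector never waits for the analyzer. */
bool ring_push(struct ring *r, const struct sec_event *ev)
{
    size_t head = atomic_load_explicit(&r->head, memory_order_relaxed);
    size_t next = ring_next(head);
    if (next == atomic_load_explicit(&r->tail, memory_order_acquire))
        return false;
    r->slots[head] = *ev;  /* write the payload, then publish the index */
    atomic_store_explicit(&r->head, next, memory_order_release);
    return true;
}

/* Consumer: returns false when empty. */
bool ring_pop(struct ring *r, struct sec_event *out)
{
    size_t tail = atomic_load_explicit(&r->tail, memory_order_relaxed);
    if (tail == atomic_load_explicit(&r->head, memory_order_acquire))
        return false;
    *out = r->slots[tail];  /* read the payload, then release the slot */
    atomic_store_explicit(&r->tail, ring_next(tail), memory_order_release);
    return true;
}

/* Self-check: offer RING_SIZE events (one must be refused), drain, verify FIFO order.
 * Returns the number accepted (RING_SIZE - 1), or 0 on any mismatch. */
size_t ring_selftest(void)
{
    struct ring r = {0};
    size_t accepted = 0, drained = 0;
    for (uint32_t i = 0; i < RING_SIZE; i++) {
        struct sec_event ev = { .pid = 1000 + i, .syscall_nr = i };
        if (ring_push(&r, &ev)) accepted++;
    }
    struct sec_event out;
    while (ring_pop(&r, &out) && out.syscall_nr == drained) drained++;
    return accepted == drained ? accepted : 0;
}
```

A full ring makes the collector drop or retry rather than block, which is the property that keeps the monitored VM's overhead low; the analyzer must therefore treat a refused push as a detectable gap in the event stream.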
Funding: Supported in part by the National High Technology Research and Development Program of China (863 Program) under Grant No. 2009AA01Z433; the Project of National Ministry under Grant No. A21201-10006; and the Open Foundation of the State Key Laboratory of Information Security (Institute of Information Engineering, Chinese Academy of Sciences) under Grant No. 2013-4-1.
Abstract: Kernel hooks are important control data in the OS kernel. Once these data are compromised by attackers, they can change the control flow of the OS kernel's execution. Previous solutions suffer from limitations in that: 1) some methods require modifying the source code of the OS kernel and kernel modules, which is less practical for wide deployment; 2) other methods cannot adequately protect the kernel hooks and function return addresses inside kernel modules whose memory locations cannot be predetermined. To address these problems, we propose OPKH, an on-the-fly hook protection system based on virtualization technology. Compared with previous solutions, OPKH offers the protected OS a fully transparent environment and easy deployment. In general, the working procedure of OPKH can be divided into two steps. First, we utilise memory virtualization for offline profiling so that the dynamic hooks can be identified. Second, we exploit an online patching technique to instrument the hooks for run-time protection. The experiments show that our system can protect the dynamic hooks effectively with minimal performance overhead.
Funding: Supported in part by the National Natural Science Foundation of China (NSFC) under Grant No. 61602035; the National Key Research and Development Program of China under Grant No. 2016YFB0800700; the Opening Project of the Shanghai Key Laboratory of Integrated Administration Technologies for Information Security; and the Open Fund of the Key Laboratory of IOT Application Technology of Universities in Yunnan Province under Grant No. 2015IOT03.
Abstract: Heap overflow is one of the major memory corruption attacks and has been prevalent for decades. To defeat this attack, many protection methods have been proposed in recent years. However, most of these existing methods focus on user-level heap overflow detection; only a few methods have been proposed for kernel heap protection. Moreover, all these kernel protection methods require modifying the existing OS kernel, so they may not be adopted in practice. To address this problem, we propose a lightweight virtualization-based solution that can protect the kernel heap buffers allocated for the target kernel modules. The key idea of our approach is to combine static binary analysis and virtualization technology to trap a memory allocation operation of the target kernel module, and then add one secure canary word to the end of the allocated buffer. After that, a monitor process is launched to check the integrity of the canaries. The evaluations show that our system can detect kernel heap overflow attacks effectively with minimal performance cost.
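The canary scheme the abstract describes, modelled in user space as an added example that is not the paper's code: `alloc_guarded()` stands in for the trapped allocation and places one canary word after the caller's buffer, and `check_guards()` plays the monitor process that walks every tracked buffer and reports the first corrupted canary. All names, the bookkeeping table and the canary constant are assumptions for illustration.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define MAX_TRACKED 16
/* Constructed secret; a real monitor would draw it from a random source at boot. */
static const uint64_t CANARY = 0x5A3C9E71D2B4F06ULL;

struct guarded { unsigned char *base; size_t len; };
static struct guarded tracked[MAX_TRACKED];  /* what the trapped allocations recorded */
static size_t ntracked;

/* Stand-in for the trapped allocation: len bytes for the module, one canary word after. */
void *alloc_guarded(size_t len)
{
    if (ntracked == MAX_TRACKED) return NULL;
    unsigned char *p = malloc(len + sizeof CANARY);
    if (!p) return NULL;
    memcpy(p + len, &CANARY, sizeof CANARY);  /* memcpy: the tail may be unaligned */
    tracked[ntracked++] = (struct guarded){ p, len };
    return p;
}

/* Monitor pass: index of the first buffer whose canary no longer matches, or -1. */
int check_guards(void)
{
    for (size_t i = 0; i < ntracked; i++) {
        uint64_t c;
        memcpy(&c, tracked[i].base + tracked[i].len, sizeof c);
        if (c != CANARY) return (int)i;
    }
    return -1;
}

void free_guarded_all(void)
{
    for (size_t i = 0; i < ntracked; i++) free(tracked[i].base);
    ntracked = 0;
}

/* Scenario: an in-bounds write leaves every canary intact; a write that runs one byte
 * past the second buffer lands on its canary (still inside the malloc'd block), and the
 * next monitor pass reports index 1. Returns 1 when both passes behave as expected. */
int canary_demo(void)
{
    free_guarded_all();
    unsigned char *a = alloc_guarded(16), *b = alloc_guarded(16);
    if (!a || !b) return -1;
    memset(a, 'A', 16);
    int before = check_guards();
    memset(b, 'B', 17);
    int after = check_guards();
    free_guarded_all();
    return (before == -1 && after == 1) ? 1 : 0;
}
```

Because the monitor only samples the canaries periodically, an overflow is detected at the next pass rather than at the moment of the write; the interval between passes bounds the detection latency.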