
VIRTUAL MACHINE SECURITY SYSTEMS
Presenter: Kumiko Ogawa

Based on "Virtual Machine Security Systems" by Xin Zhao, Kevin Borders and Atul Prakash, Department of EECS, University of Michigan.

VM-based security: three properties the VMM provides
- Isolation: an intruder cannot tamper with the security system even after subverting a guest VM, because the security service runs outside the guest.
- Inspection: the virtual machine monitor can access the entire state of each guest VM (memory, registers, devices).
- Interposition: privileged instructions executed by a guest trap to the VMM, so the VMM can intercept and mediate them.

Architecture of VM-based security services
While VM-based security systems have different features, they usually share a similar architecture: the security service runs in a privileged VM (or in the VMM itself) and observes or mediates the target guest through the VMM interface. (The slide's architecture figure is not reproduced in this text.)

Host-based IDS vs. network-based IDS
- HIDS (host-based; reads software state and log history on the monitored host): excellent view of what is happening inside the host, but highly susceptible to attack once the host is compromised.
- NIDS (network-based): more resistant to attack, but poor view of what is happening inside the host.
A VM-based IDS aims for the HIDS view of the host together with the NIDS resistance to attack.

Livewire: VM-based IDS
- OS interface library: provides an OS-level view of the target virtual machine by interpreting the hardware state visible at the VMM.
- Policy engine: obtains events from the VMM interface and decides whether or not the system has been compromised.
- Example policy: a signature detector that scans guest memory.

Siren: VM-based IDS
- Detects malicious software operating within a guest virtual machine that attempts to send information out over the network.
- Inputs observed from outside the guest: keyboard and mouse input, and network traffic.
Ref: "Siren: Catching Evasive Malware (Short Paper)" by Kevin Borders, Xin Zhao and Atul Prakash.

SVFS: Secure Virtual File System
- Goal: protect sensitive files.
- All access to sensitive files by applications must first be approved by the Data Virtual Machine (DVM).
- VRPC (Virtual Remote Procedure Calls) are much faster than normal RPCs because they use memory sharing between VMs.

"Hey, You, Get Off of My Cloud: Exploring Information Leakage in Third-Party Compute Clouds" (2009) by Thomas Ristenpart, Eran Tromer, Hovav Shacham and Stefan Savage
- Target: Amazon EC2.
- Placement: placing a malicious VM on the same physical machine that hosts the victim's VM.
- Proving co-residence: confirming that the attacker's VM and the victim's VM share a physical machine.
- Cross-VM information leakage via manipulation of a shared physical resource: a side-channel attack.

sHype: Secure Hypervisor
- Developed by IBM; implemented for Xen.
- Access Control Module (ACM).
Ref: "sHype: Hypervisor Security Architecture: A Layered Approach Towards Trusted Virtual Domains" by Dr.-Ing. Reiner Sailer, IBM T. J. Watson Research Center, NY.

VM-based honeypots
A honeypot is a computer system set up with the sole intention of luring attackers.
- Low-interaction honeypot: accepts packets but gives only a minimal response; cost-effective.
- High-interaction honeypot: behaves more like a normal computer; provides more information about attacks.
VM-based honeypots:
- Advantage: resource multiplexing allows more high-interaction honeypots on the same hardware.
- Disadvantage: attackers can detect the VM and avoid the honeypot.

Potemkin: virtual honeyfarm (1)
- High-interaction honeypot system; requires a VMM.
- Topology: Internet -> gateway -> virtual honeyfarm.
- 1. A packet is received by the gateway.
- 2. A VM is created on demand to answer it. VM creation must be fast enough to maintain the illusion that the host was already there.

Potemkin: virtual honeyfarm (2): traffic reflection
- 1. A honeypot VM tries to send packets out to third parties.
- 2. The gateway redirects that traffic back into the honeyfarm instead of letting it reach the third party.

Collapsar
- Traffic is redirected by redirectors to the Collapsar honeypot center.
- Disadvantage: the honeypot is exposed if the redirected traffic is detected.
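The Livewire architecture above (OS interface library interpreting raw guest state, policy engine deciding on compromise) as an added Python example; this is not code from the original slides or from the Livewire project. The guest memory layout (32-byte process records in a singly linked list starting at a fixed offset), the snapshot contents and the signature set are all constructed for the example. Beyond the signature detector named on the slide, the policy engine also carries a cross-view "lie detector" that compares the process list the VMM sees with the list the guest reports, which is how a VMM-side IDS catches a rootkit that hides processes inside the guest.

```python
import struct

# Assumed guest memory layout for the example (not any real OS's layout):
# a singly linked list of 32-byte process records at fixed offsets.
REC_FMT = "<II24s"               # pid, offset of next record (0 = end), name
REC_SIZE = struct.calcsize(REC_FMT)
PROC_LIST_HEAD = 0x100           # where the guest keeps the head of the list
IMAGE_SIZE = 0x1000

# Constructed byte signatures standing in for a real malware signature set.
SIGNATURES = {"backdoor_marker": b"RK_BACKDOOR_V1"}


def build_guest_image(infected=True):
    """Build a constructed 4 KiB guest memory snapshot (the VMM's raw view)."""
    mem = bytearray(IMAGE_SIZE)
    procs = [(1, b"init"), (42, b"sshd")]
    if infected:
        procs.append((31337, b"rk_backdoor"))
    for i, (pid, name) in enumerate(procs):
        off = PROC_LIST_HEAD + i * REC_SIZE
        nxt = off + REC_SIZE if i + 1 < len(procs) else 0
        mem[off:off + REC_SIZE] = struct.pack(REC_FMT, pid, nxt, name)
    if infected:
        marker = SIGNATURES["backdoor_marker"]
        mem[0x800:0x800 + len(marker)] = marker   # implanted code region
    return bytes(mem)


class OSInterfaceLibrary:
    """Interprets raw guest memory as OS-level objects, from outside the guest."""

    def __init__(self, memory, list_head=PROC_LIST_HEAD):
        self.memory = memory
        self.list_head = list_head

    def processes(self):
        """Walk the guest's process list; guard against loops and bad pointers."""
        result, seen, off = [], set(), self.list_head
        while off and off not in seen and off + REC_SIZE <= len(self.memory):
            seen.add(off)
            pid, nxt, raw = struct.unpack_from(REC_FMT, self.memory, off)
            result.append((pid, raw.rstrip(b"\0").decode("ascii", "replace")))
            off = nxt
        return result


class PolicyEngine:
    """Decides, from the VMM-side view, whether the guest is compromised."""

    def __init__(self, osil, signatures=SIGNATURES):
        self.osil = osil
        self.signatures = signatures

    def lie_detector(self, guest_reported_pids):
        """PIDs visible to the VMM that the guest's own tools do not report."""
        reported = set(guest_reported_pids)
        return [pid for pid, _ in self.osil.processes() if pid not in reported]

    def signature_detector(self):
        """Scan the whole guest image for known byte signatures."""
        hits = []
        for name, pattern in self.signatures.items():
            start = 0
            while (idx := self.osil.memory.find(pattern, start)) != -1:
                hits.append((idx, name))
                start = idx + 1
        return sorted(hits)

    def compromised(self, guest_reported_pids):
        return bool(self.lie_detector(guest_reported_pids) or self.signature_detector())


if __name__ == "__main__":
    engine = PolicyEngine(OSInterfaceLibrary(build_guest_image()))
    guest_view = {1, 42}          # the in-guest rootkit hides pid 31337 from ps
    print("hidden pids:", engine.lie_detector(guest_view))
    print("signature hits:", engine.signature_detector())
    print("compromised:", engine.compromised(guest_view))
```

The point of the isolation property shows in the structure: the rootkit can lie to every tool inside the guest, but it cannot reach the OS interface library or the policy engine, which read the snapshot through the VMM rather than through the guest's system calls.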
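The sHype Access Control Module above, as an added Python example that is not code from the slides, from IBM or from Xen. The slide names only the ACM; the two policy types sHype's ACM for Xen enforces are Simple Type Enforcement (STE) and Chinese Wall, and the rules below are the simplified forms assumed for this example: STE lets a VM use a resource only if their labels share at least one STE type, and Chinese Wall refuses to start a VM whose conflict-set type differs from the type of a VM already running on the same host. Labels, VM names and the conflict set are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Label:
    """Security label on a VM or a resource (assumed shape for the example)."""
    ste: frozenset                    # Simple Type Enforcement types
    cw: frozenset = frozenset()       # Chinese Wall types (resources usually have none)


class AccessControlModule:
    """Hypervisor-side reference monitor for one physical host."""

    def __init__(self, conflict_sets):
        self.conflict_sets = [frozenset(cs) for cs in conflict_sets]
        self.running = {}             # vm name -> Label of VMs running on this host

    def ste_allows(self, subject, obj):
        # STE rule (assumed): subject and object must share at least one type.
        return bool(subject.ste & obj.ste)

    def chinese_wall_conflict(self, candidate):
        """Return (running vm, conflict set) blocking `candidate`, or None."""
        for name, lbl in self.running.items():
            for cs in self.conflict_sets:
                mine, theirs = candidate.cw & cs, lbl.cw & cs
                # Two different types from one conflict set may not run together;
                # the same type (same dataset) may.
                if mine and theirs and mine != theirs:
                    return name, cs
        return None

    def start_vm(self, name, label):
        """Domain creation hook: deny if Chinese Wall would be violated."""
        if self.chinese_wall_conflict(label) is not None:
            return False
        self.running[name] = label
        return True

    def stop_vm(self, name):
        self.running.pop(name, None)

    def can_access(self, vm_name, resource):
        """Resource-attach hook (vnet, vbd): only running VMs, and only via STE."""
        lbl = self.running.get(vm_name)
        return lbl is not None and self.ste_allows(lbl, resource)


if __name__ == "__main__":
    acm = AccessControlModule(conflict_sets=[{"BankA", "BankB"}])
    bank_a = Label(ste=frozenset({"bankA_net"}), cw=frozenset({"BankA"}))
    bank_b = Label(ste=frozenset({"bankB_net"}), cw=frozenset({"BankB"}))
    vnet_a = Label(ste=frozenset({"bankA_net"}))
    print("start bankA-web:", acm.start_vm("bankA-web", bank_a))     # True
    print("start bankB-web:", acm.start_vm("bankB-web", bank_b))     # False: Chinese Wall
    print("bankA-web -> vnet_a:", acm.can_access("bankA-web", vnet_a))  # True
```

The two rules guard different things: STE controls which VMs may share a resource (and therefore communicate), while Chinese Wall controls which workloads may be co-resident on one machine, which is exactly the placement problem the EC2 co-residence work above exploits when no such policy is in force.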
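The Potemkin gateway behaviour from the two honeyfarm slides (on-demand VM creation when a packet arrives, and reflection of outbound traffic to third parties back into the farm) as one added Python example; this is not the Potemkin code and it simulates VMs as dictionary entries rather than cloning them. The honeyfarm prefix, the VM budget `max_vms`, and all addresses (drawn from the documentation ranges 203.0.113.0/24 and 198.51.100.0/24) are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Packet:
    src: str
    dst: str
    payload: bytes


class HoneyfarmGateway:
    """Stand-in for the Potemkin gateway: honeypot VMs appear on demand, and
    traffic a honeypot sends to a third party is reflected into the farm."""

    def __init__(self, honeyfarm_prefix, max_vms=4):
        self.prefix = ipaddress.ip_network(honeyfarm_prefix)
        self.max_vms = max_vms        # assumed budget of live VMs on the host
        self.vms = {}                 # ip -> {"external": bool, "received": [payloads]}

    def active_vms(self):
        return len(self.vms)

    def _get_or_create_vm(self, ip, external):
        """Return (vm, created). Creation stands in for flash-cloning a VM."""
        vm = self.vms.get(ip)
        if vm is not None:
            return vm, False
        if len(self.vms) >= self.max_vms:
            return None, False        # budget exhausted: the illusion breaks here
        vm = {"external": external, "received": []}
        self.vms[ip] = vm
        return vm, True

    def _deliver(self, pkt, external, action):
        vm, created = self._get_or_create_vm(pkt.dst, external)
        if vm is None:
            return ("drop", pkt.dst, False)
        vm["received"].append(pkt.payload)
        return (action, pkt.dst, created)

    def from_internet(self, pkt):
        """Packet arriving on the Internet-facing interface."""
        if ipaddress.ip_address(pkt.dst) not in self.prefix:
            return ("drop", pkt.dst, False)   # not one of the farm's addresses
        return self._deliver(pkt, external=False, action="deliver")

    def from_honeyfarm(self, pkt):
        """Packet emitted by a honeypot VM on the internal interface.
        Nothing on this path is ever forwarded to the real Internet."""
        if ipaddress.ip_address(pkt.dst) in self.prefix:
            return self._deliver(pkt, external=False, action="deliver")
        # Traffic reflection: a fresh VM impersonates the third party so the
        # attacker's next step is observed instead of reaching a real victim.
        return self._deliver(pkt, external=True, action="reflect")


if __name__ == "__main__":
    gw = HoneyfarmGateway("10.0.0.0/24", max_vms=3)
    print(gw.from_internet(Packet("203.0.113.7", "10.0.0.5", b"SYN")))
    print(gw.from_honeyfarm(Packet("10.0.0.5", "198.51.100.1", b"exploit")))
    print("live VMs:", gw.active_vms())
```

Because the gateway decides by ingress interface rather than by source address, a reflected VM that impersonates 198.51.100.1 is still treated as inside the farm, which is what keeps the containment rule simple: anything from the internal interface is either delivered within the farm or reflected, never forwarded.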


UCF CDA 5532 - VIRTUAL MACHINE SECURITY SYSTEMS