Data Driven Security Models and Analysis - October 2014
Public Audience
Purpose: To highlight project progress. Information is generally at a higher level which is accessible to the interested public. All information contained in the report (regions 1-3) is a Government Deliverable/CDRL.
PI(s): Ravi Iyer
Co-PI(s): Zbigniew Kalbarczyk and Adam Slagell
Researchers: Cuong Pham, Zachary Estrada, and Phuong Cao
HARD PROBLEM(S) ADDRESSED
This refers to Hard Problems, released November 2012.
* Predictive security metrics - design, development, and validation
* Resilient architectures - in the end we want to use the metrics to achieve a measurable enhancement in system resiliency, i.e., the ability to withstand attacks
* Human behavior - data contain traces of the steps the attacker took, and hence inherently include some aspects of the human behavior (of both users and miscreants)
PUBLICATIONS
Papers published in this quarter as a result of this research. Include title, author(s), venue published/presented, and a short description or abstract. Identify which hard problem(s) the publication addressed. Papers that have not yet been published should be reported in region 2 below.
[1] Cuong Pham, Zachary Estrada, Phuong Cao, Zbigniew Kalbarczyk, and Ravishankar Iyer, "Building Reliable and Secure Virtual Machines using Architectural Invariants", IEEE Security and Privacy Magazine 2014 Vol. 12, Issue No. 5 Sept.-Oct. 2014.
Paper addresses: Resilient architectures.
Abstract: In this article, we discuss how to address this challenge in the context of cloud computing, for which both reliability and security are growing concerns. Since cloud deployments are usually composed of commodity hardware and software, efficient monitoring is key to achieving resiliency. Although reliability and security monitoring may use different types of analytics, the same sensing infrastructure can be used to provide inputs to monitoring modules. We split the monitoring process into two phases: logging and auditing. We applied the principles stated above when designing HyperTap, a hypervisor-level monitoring framework for Virtual Machines.
[2] C. Pham, Z. Estrada, Z. Kalbarczyk, R. Iyer, "Reliability and Security Monitoring of Virtual Machines Using Hardware Architectural Invariants", 44th Int'l Conference on Dependable Systems and Networks, (DSN), Atlanta, GA, 2014, (William C. Carter Award for the Best Paper based on Ph.D. Work; and Best Paper Award voted by the conference participants).
Paper addresses: Resilient architectures.
Abstract: This paper presents a solution that simultaneously addresses both reliability and security (RnS) in a monitoring framework. We identify the commonalities between reliability and security to guide the design of HyperTap, a hypervisor-level framework that efficiently supports both types of monitoring in virtualization environments. In HyperTap, the logging of system events and states is common across monitors and constitutes the core of the framework. HyperTap relies on hardware invariants to provide a strongly isolated root of trust. HyperTap uses active monitoring, which can be adapted to enforce a wide spectrum of RnS policies. We validate HyperTap by introducing three example monitors: Guest OS Hang Detection (GOSHD), Hidden RootKit Detection (HRKD), and Privilege Escalation Detection (PED). Our experiments with fault injection and real rootkits/exploits demonstrate that HyperTap provides robust monitoring with low performance overhead.
[3] G. Wang, Z. Estrada, C. Pham, Z. Kalbarczyk, R. Iyer, "Hypervisor Introspection: Exploiting Timing Side-Channels against VM Monitoring", 44th International Conference on Dependable Systems and Networks (DSN), Fast Abstract, Atlanta, GA, 2014.
Paper addresses: Resilient architectures and attack knowledge-base.
This short paper introduces a novel side-channel to extract timing information from hypervisor-level monitoring systems, such as Virtual Machine Introspection based monitoring. This information can be used to launch sophisticated transient attacks against hypervisor-level monitoring system. It is often assumed that hypervisor activity is hidden from guest VMs but we show that this is not always the case. When the hypervisor performs certain actions (e.g., security monitoring of the guest OS), the VM must be paused. Therefore, suspension of the VM leaks information about the hypervisor's activities. We present suspended network activity as an example of a side-channel that can be used to obtain a profile of the hypervisor behavior.
ACCOMPLISHMENT HIGHLIGHTS
This quarter we focused on broadening our knowledge-base on attacks. Because, our investigation is based on data-driven methodologies to create models and metrics used for monitoring, with the goal of recognizing, mitigating, and containing attacks, it is essential to create representative data set on security attacks. Specifically, we concentrated on the timing side-channels that leak information about the hypervisor (that supports virtualized environment) to an external observer. Timing side-channels: (i) break a fundamental property of virtualized systems that the hypervisor should be isolated from the guest system and (ii) can be used to launch real attacks while bypassing the security monitoring. Specific accomplishments include:
* Demonstrate experimentally that by exploiting the timing side-channel an external observer (e.g., a potential intruder) can determine whether a target system is using a periodic hypervisor-level monitoring at the 50ms granularity or better;
* Show that the knowledge on hypervisor-level monitoring can be used to launch a real attack without being detected
o As an example, we consider an attacker that uses a rootkit to corrupt a kernel data structure and to force the kernel to execute the attacker's code. This attack could be detected by a periodic verification of the kernel memory e.g., using OSck (operating system check) technique proposed in [1], which takes 50-300ms to perform the check. The checking interval is usually on the order of seconds (to minimize the performance overhead). Because the attack can be completed on the order of microseconds (significantly less than the monitoring period), an attacker can use the hypervisor timing side-channel to identify the monitoring interval and launch a transient attack that avoids detection.
* Implement and evaluate alternative techniques based on the active monitoring to eliminate timing side-channel attack scenario described above.
O. Hofmann, A. Dunn, S. Kim, I. Roy, E. Witchel, "Ensuring Operating System Kernel Integrity with OSck," ASPLOS'11, 2011, Newport Beach, California, USA.