Fabrizio Baiardi

Building Trustworthy Intrusion Detection through VM Introspection

Psyco-Virt is a high assurance intrusion detection tool that merges host and network intrusion detection technologies with virtual machine introspection. Psyco-Virt architecture includes a cluster of virtual machines, the monitored VMs, which run the OS and applications of interest, and a further VM, the introspection one. Several agents distributed across the monitored VMs execute network and host IDS tools to discover attempted intrusions/attacks on the monitored VMs. The introspection VM makes the detection tools trustworthy by running an introspector and a director to discover any attempt to maliciously modify the kernel, the agents and the IDSes hosted on a monitored VM. On each monitored VM a collector gathers the alerts generated by the agents and forwards them to the director through a control network dedicated to data exchange among the agents and the introspection VM. The director on the introspection VM filters all the alerts and delegates the execution of a proper action to a notifier whenever an intrusion or an attempt to modify the IDSes is detected. In such cases, a monitored VM can either be stopped or frozen and its current state saved in a file for a later, deeper inspection. After describing Psyco-Virt, we discuss some examples of agents and functions using introspection and present preliminary results and performance figures of a first prototype.

Hierarchical, model-based risk management of critical infrastructures

Risk management is a process that includes several steps, from vulnerability analysis to the formulation of a risk mitigation plan that selects countermeasures to be adopted. With reference to an information infrastructure, we present a risk management strategy that considers a sequence of hierarchical models, each describing dependencies among infrastructure components. A dependency exists anytime a security-related attribute of a component depends upon the attributes of other components. We discuss how this notion supports the formal definition of risk mitigation plan and the evaluation of the infrastructure robustness. A hierarchical relation exists among models that are analyzed because each model increases the level of details of some components in a previous one. Since components and dependencies are modeled through a hypergraph, to increase the model detail level, some hypergraph nodes are replaced by more and more detailed hypergraphs. We show how critical information for the assessment can be automatically deduced from the hypergraph and define conditions that determine cases where a hierarchical decomposition simplifies the assessment. In these cases, the assessment has to analyze the hypergraph that replaces the component rather than applying again all the analyses to a more detailed, and hence larger, hypergraph. We also show how the proposed framework supports the definition of a risk mitigation plan and discuss some indicators of the overall infrastructure robustness. Lastly, the development of tools to support the assessment is discussed.

Measuring Semantic Integrity for Remote Attestation

We propose a framework for the attestation of the integrity of a remote system that considers not only the configuration of the system to be attested but also its current behaviour. The resulting architecture, called Virtual machine Integrity Measurement System (VIMS), is based upon virtualization technology and it runs two virtual machines on a system to be attested, i.e. the Client (C-VM) and the Assurance VM (A-VM). A generic remote server (REM-S) accepts incoming connections and cooperates with the A-VM to authenticate and attest the integrity of the C-VM and of the software it runs. The A-VM is a shadow machine that exploits virtual machine introspection to apply a set of consistency checks on the configuration of the C-VM and on the software it currently runs. The checks depend upon the security policies that the REM-S establishes in the initial connection handshake. The REM-S defines both the complexity of checks to be applied and the frequency of their execution and it communicates the security policy to the A-VM through a control channel. Policies that can be applied range from the one that simply checks the integrity of the binaries loaded by the C-VM to those that continuously monitor the dynamic behaviour of applications to discover attacks that alter their expected behaviour. The control channel also transmits the results of the checks from the A-VM to the REM-S. As an example, remote attestation can be adopted when a client software on the C-VM tries to establish a secure channel to a REM-S on an Intranet. After describing the overall VIMS architecture, we present and discuss the implementation and the performance of a first prototype.

GVScan: Scanning Networks for Global Vulnerabilities

A global vulnerability is a set of vulnerabilities in one or several nodes of an ICT infrastructure. These vulnerabilities enable some attacks that may be sequentialized so that the privileges that each attack requires are acquired through the previous ones. Current vulnerability scanners cannot discover global vulnerabilities because they analyze each node in isolation, without correlating the vulnerabilities in the same or in distinct nodes. To discover global vulnerabilities, an analysis has to correlate node vulnerabilities according to the architecture and the topology of the infrastructure. After defining a formal analysis to discover global vulnerabilities and the corresponding attack sequences, we present GVScan, a tool to automate the analysis based upon a classification of vulnerabilities. A first application of GVScan to a real infrastructure is described together with an evaluation of its accuracy.

Assessing ICT risk through a Monte Carlo method

To assess and manage the risk due to an information and communication system before its deployment, data of interest can be produced by a Monte Carlo method. This paper presents Haruspex, a software tool that applies a Monte Carlo method to simulate intelligent and adaptive threat agents that reach predefined goals through plan with several attacks. The samples that Haruspex collects are used to compute statistics on the agent’s impacts and their plans as well as to select cost-effective countermeasures. We describe the rationale and the implementation of Haruspex, the inputs it requires and the simulation of how the agents select and implement their plans. After discussing the validation and the performance of the first version of Haruspex, we present a case study and the first set of experimental results.

DDSGA: A Data-Driven Semi-Global Alignment Approach for Detecting Masquerade Attacks

A masquerade attacker impersonates a legal user to utilize the user services and privileges. The semi-global alignment algorithm (SGA) is one of the most effective and efficient techniques to detect these attacks but it has not reached yet the accuracy and performance required by large scale, multiuser systems. To improve both the effectiveness and the performances of this algorithm, we propose the Data-Driven Semi-Global Alignment, DDSGA approach. From the security effectiveness view point, DDSGA improves the scoring systems by adopting distinct alignment parameters for each user. Furthermore, it tolerates small mutations in user command sequences by allowing small changes in the low-level representation of the commands functionality. It also adapts to changes in the user behaviour by updating the signature of a user according to its current behaviour. To optimize the runtime overhead, DDSGA minimizes the alignment overhead and parallelizes the detection and the update. After describing the DDSGA phases, we present the experimental results that show that DDSGA achieves a high hit ratio of 88.4 percent with a low false positive rate of 1.7 percent. It improves the hit ratio of the enhanced SGA by about 21.9 percent and reduces Maxion-Townsend cost by 22.5 percent. Hence, DDSGA results in improving both the hit ratio and false positive rates with an acceptable computational overhead.

Securing a Community Cloud

Virtual Interacting Network CommunIty (Vinci) is a software architecture that exploits virtualization to secure a community cloud, i.e. a cloud system shared among communities with distinct security levels and reliability requirements. A community consists of a set of users, their applications, a set of services and of shared resources. Users with distinct privileges and applications with distinct trust levels belong to distinct communities. Rather than acquiring and managing its own physical infrastructure, a community defines a virtual ICT infrastructure, i.e. an overlay, by instantiating and interconnecting virtual machines (VMs) defined from a small set of templates. Vinci includes templates to run user applications, protect shared resources and control traffic among communities to filter out malware or distributed attacks. The adoption of alternative VM templates minimizes the complexity of each VM and increases the robustness of both the VMs and of the overall infrastructure. The resulting overlays are mapped onto the cloud infrastructure or, from another perspective, they access an infrastructure service. The cloud provider defines a further overlay that interconnects VMs to manage the infrastructure resources and configure the VMs at start-up.

Transparent Process Monitoring in a Virtual Environment

PsycoTrace is a system that integrates static and dynamic tools to protect a process from attacks that alter the process self as specified by the program source code. The static tools build a context-free grammar that describes the sequences of system calls the process may issue and a set of assertions on the process state, one for each invocation. The dynamic tools parse the call trace of the process to check that it belongs to the grammar language and evaluate the assertions. This paper describes the architecture of PsycoTrace, which exploits virtualization to introduce two virtual machines, the monitored and the monitoring virtual machines, to increase both the robustness and the transparency of the monitoring because the machine that implements all the checks is strongly separated from the monitored one. We discuss the modification to the kernel of the monitored machine to trace system call invocations, the definition of the legal traces and the checks to prove the trace is valid. We describe how PsycoTrace applies introspection to evaluate the assertions and analyze the state of the monitored machine and of its data structures. Finally, we present the security and performance results of the dynamic tools, and the implementation of the static tools.

Assessing the risk of an information infrastructure through security dependencies

We outline a framework for the risk assessment of information infrastructures that generalizes the notion of dependency with respect to security attributes such as confidentiality, integrity or availability. Dependencies are used to model an infrastructure at distinct abstraction levels, to discover attack strategies and to define risk mitigation plans. A plan is formulated in terms of set of countermeasures because single countermeasures may be ineffective due to alternative threat attack strategies. We do not detail the assessment steps and focus on the integration of their results to define risk mitigation plans. Lastly, we discuss the development of programming tools to support the assessment.

Integrating load balancing and locality in the parallelization of irregular problems

An irregular problem models the evolution of a system where several elements are irregularly distributed in a domain. The evolution modifies this distribution in a way that cannot be foreseen and the behavior of each element depends upon the elements close to it according to a problem dependent relation. Starting from a hierarchical representation of the domain, we define a parallelization methodology that includes a load balancing strategy that preserves this locality property and a strategy to collect information distributed onto the processing nodes.