Publication


Featured research published by James H. Hamlyn-Harris.


network and system security | 2011

CloudSec: A security monitoring appliance for Virtual Machines in the IaaS cloud model

Amani S. Ibrahim; James H. Hamlyn-Harris; John C. Grundy; Mohamed Almorsy

The Infrastructure-as-a-Service (IaaS) cloud computing model has become a compelling computing solution with a proven ability to reduce costs and improve resource efficiency. Virtualization has a key role in supporting the IaaS model. However, virtualization also makes it a target for potent rootkits because of the loss-of-control problem over the hosted Virtual Machines (VMs). This makes traditional in-guest security solutions, relying on operating system kernel trustworthiness, no longer an effective solution to secure the virtual infrastructure of the IaaS model. In this paper, we explore briefly the security problem of the IaaS cloud computing model, and present CloudSec, a new virtualization-aware monitoring appliance that provides active, transparent and real-time security monitoring for hosted VMs in the IaaS model. CloudSec utilizes virtual machine introspection techniques to provide fine-grained inspection of VMs' physical memory without installing any monitoring code inside the VM. It actively reconstructs and monitors the dynamically changing kernel data structure instances, as a prior step to enable providing protection for kernel data structures. We have implemented a proof-of-concept prototype using VMsafe libraries on a VMware ESX platform. We have evaluated the system monitoring accuracy and the performance overhead of CloudSec.


network and system security | 2012

Operating system kernel data disambiguation to support security analysis

Amani S. Ibrahim; John C. Grundy; James H. Hamlyn-Harris; Mohamed Almorsy

It is very challenging to verify the integrity of Operating System (OS) kernel data because of its complex layout. In this paper, we address the problem of systematically generating an accurate kernel data definition for OSes without any prior knowledge of the OS kernel data. This definition accurately reflects the kernel data layout by resolving the pointer-based relation ambiguities between kernel data, in order to support systemic kernel data integrity checking. We generate this definition by performing static points-to analysis on the kernel's source code. We have designed a new points-to analysis algorithm and have implemented a prototype of our system. We have performed several experiments with real-world applications and OSes to prove the scalability and effectiveness of our approach for OS security applications.


automated software engineering | 2012

Supporting operating system kernel data disambiguation using points-to analysis

Amani S. Ibrahim; John C. Grundy; James H. Hamlyn-Harris; Mohamed Almorsy

Generic pointers scattered around operating system (OS) kernels make the kernel data layout ambiguous. This limits current kernel integrity checking research to covering a small fraction of kernel data. Hence, there is a great need to obtain an accurate kernel data definition that resolves generic pointer ambiguities, in order to formulate a set of constraints between structures to support precise integrity checking. In this paper, we present KDD, a new tool for systematically generating a sound kernel data definition for any C-based OS, e.g. Windows and Linux, without any prior knowledge of the kernel data layout. KDD performs static points-to analysis on the kernel's source code to infer the appropriate candidate types for generic pointers. We implemented a prototype of KDD and evaluated it to prove its scalability and effectiveness.


network and system security | 2012

Identifying OS kernel objects for run-time security analysis

Amani S. Ibrahim; James H. Hamlyn-Harris; John C. Grundy; Mohamed Almorsy

In operating systems, we usually refer to a running instance of a data structure (data type) as an object. Locating dynamic runtime kernel objects in physical memory is the most difficult step towards enabling implementation of robust operating system security solutions. In this paper, we address the problem of systemically uncovering all operating system dynamic kernel runtime objects, without any prior knowledge of the operating system kernel data layout in memory. We present a new hybrid approach, called DIGGER, that uncovers kernel runtime objects with nearly complete coverage, high accuracy and robust results. The information revealed allows detection of generic pointer exploits and data hooks. We have implemented a prototype of DIGGER and conducted an evaluation of its efficiency and effectiveness. To demonstrate our approach's potential, we have also developed three different proof-of-concept operating system security tools based on the DIGGER approach.


asia pacific software engineering conference | 2010

Emerging Security Challenges of Cloud Virtual Infrastructure

Amani S. Ibrahim; James H. Hamlyn-Harris; John C. Grundy


conference on information technology education | 2006

Predictors of Team Work Satisfaction

James H. Hamlyn-Harris; Barbara J. Hurst; Karola von Baggo; Anthony J. Bayley


international conference on cloud computing | 2012

Supporting Virtualization-Aware Security Solutions Using a Systematic Approach to Overcome the Semantic Gap

Amani S. Ibrahim; James H. Hamlyn-Harris; John C. Grundy; Mohamed Almorsy


Archive | 2013

DIGGER: Identifying OS Kernel Objects for Run-time Security Analysis

Amani S. Ibrahim; James H. Hamlyn-Harris; John C. Grundy; Mohamed Almorsy


International journal on internet and distributed computing systems | 2013

DIGGER: identifying OS dynamic kernel objects for run-time security analysis

Amani S. Ibrahim; James H. Hamlyn-Harris; John C. Grundy; Mohamed Almorsy


International Journal on Internet and Distributed Computing Systems | 2013

DIGGER: identifying operating system dynamic kernel objects for run-time security analysis

Amani S. Ibrahim; James H. Hamlyn-Harris; John C. Grundy; Mohamed Almorsy

Collaboration

Top Co-Authors

Amani S. Ibrahim

Swinburne University of Technology

Mohamed Almorsy

Swinburne University of Technology

Anthony J. Bayley

Swinburne University of Technology

Barbara J. Hurst

Swinburne University of Technology

Karola von Baggo

Swinburne University of Technology
