Kenichi Kourai

BitVisor: a thin hypervisor for enforcing i/o device security

Virtual machine monitors (VMMs), including hypervisors, are a popular platform for implementing various security functionalities. However, traditional VMMs require numerous components for providing virtual hardware devices and for sharing and protecting system resources among virtual machines (VMs), enlarging the code size of and reducing the reliability of the VMMs. This paper introduces a hypervisor architecture, called parapass-through, designed to minimize the code size of hypervisors by allowing most of the I/O access from the guest operating system (OS) to pass-through the hypervisor, while the minimum access necessary to implement security functionalities is completely mediated by the hypervisor. This architecture uses device drivers of the guest OS to handle devices, thereby reducing the size of components in the hypervisor to provide virtual devices. This architecture also allows to run only single VM on it, eliminating the components for sharing and protecting system resources among VMs. We implemented a hypervisor called BitVisor and a parapass-through driver for enforcing storage encryption of ATA devices based on the parapass-through architecture. The experimental result reveals that the hypervisor and ATA driver require approximately 20 kilo lines of code (KLOC) and 1.4 KLOC respectively.

HyperSpector: virtual distributed monitoring environments for secure intrusion detection

In this paper, a virtual distributed monitoring environment called HyperSpector is described that achieves secure intrusion detection in distributed computer systems. While multiple intrusion detection systems (IDSes) can protect a distributed system from attackers, they can increase the number of insecure points in the protected system. HyperSpector overcomes this problem without any additional hardware by using virtualization to isolate each IDS from the servers it monitors. The IDSes are located in a virtual machine called an IDS VM and the servers are located in a server VM. The IDS VMs among different hosts are connected using a virtual network. To enable legacy IDSes running in the IDS VM to monitor the server VM, HyperSpector provides three inter-VM monitoring mechanisms: software port mirroring, inter-VM disk mounting, and inter-VM process mapping. Consequently, active attacks, which directly attack the IDSes, are prevented. The impact of passive attacks, which wait until data including malicious code is read by an IDS and the IDS becomes compromised, is confined to within an affected HyperSpector environment.

A Fast Rejuvenation Technique for Server Consolidation with Virtual Machines

As server consolidation using virtual machines (VMs) is carried out, software aging of virtual machine monitors (VMMs) is becoming critical. Performance degradation or crash failure of a VMM affects all VMs on it. To counteract such software aging, a proactive technique called software rejuvenation has been proposed. A typical example of rejuvenation is to reboot a VMM. However, simply rebooting a VMM is undesirable because that needs rebooting operating systems on all VMs. In this paper, we propose a new technique for fast rejuvenation of VMMs called the warm-VM reboot. The warm-VM reboot enables efficiently rebooting only a VMM by suspending and resuming VMs without accessing the memory images. To achieve this, we have developed two mechanisms: on-memory suspend/resume of VMs and quick reload of VMMs. The warm- VM reboot reduces the downtime and prevents the performance degradation due to cache misses after the reboot.

Fast Software Rejuvenation of Virtual Machine Monitors

As server consolidation using virtual machines (VMs) is carried out, software aging of virtual machine monitors (VMMs) is becoming critical. Since a VMM is fundamental software for running VMs, its performance degradation or crash failure affects all VMs running on top of it. To counteract such software aging, a proactive technique called software rejuvenation has been proposed. A simple example of rejuvenation is to reboot a VMM. However, simply rebooting a VMM is undesirable because that needs rebooting operating systems on all VMs. In this paper, we propose a new technique for fast rejuvenation of VMMs called the warm-VM reboot. The warm-VM reboot enables efficiently rebooting only a VMM by suspending and resuming VMs without saving the memory images to persistent storage. To achieve this, we have developed two mechanisms: on-memory suspend/resume of VMs and quick reload of a VMM. Compared with a normal reboot, the warm-VM reboot reduced the downtime by 74 percent at maximum. It also prevented the performance degradation due to cache misses after the reboot, which was 52 percent in case of a normal reboot. In a cluster environment, the warm-VM reboot achieved higher total throughput than the system using VM migration and a normal reboot.

A dynamic aspect-oriented system for OS kernels

We propose a dynamic aspect-oriented system for operating system (OS) kernels written in the C language. Unlike other similar systems, our system named KLASY allows the users to pointcut not only function calls but also member accesses to structures. This feature helps the developers who want to use aspects for profiling or debugging an OS kernel. To enable this, KLASY uses a modified C compiler for compiling an OS kernel. The modified compiler produces extended symbol information, which enables a dynamic weaver to find the memory addresses of join point shadows during runtime. Since a normal C compiler produces only limited symbol information, other dynamic aspect-oriented systems for C have been able to pointcut only function calls. We have implemented KLASY for Linux with the GNU C compiler. Our experiments revealed that KLASY achieves sufficient execution performance for practical use. Our case studies disclosed that KLASY is useful for real applications.

Aspect-oriented application-level scheduling for J2EE servers

Achieving sufficient execution performance is a challenging goal of software development. Unfortunately, violating performance requirements is often revealed at a late stage of the development. Fixing a performance problem at such a late stage is difficult in terms of cost and time. To solve this problem, this paper presents QoSWeaver, which provides aspect-oriented application-level scheduling. QoSWeaver weaves scheduling code written in an aspect into application code. The scheduling code gets an application thread to voluntarily yield its execution to implement a scheduling policy. The idea of scheduling at the application level is not new, but aspect-oriented programming makes it more realistic by separation of scheduling code. QoSWeaver also provides a profile-based pointcut generator, which automatically generates pointcuts for fine-grained scheduling. To investigate the ability of QoSWeaver for implementing practical scheduling policies, we used QoSWeaver for tuning the performance of a river monitoring system named Kasendas. For reliable examination, Kasendas was originally developed by an outside corporation and then it was tuned by the authors with QoSWeaver. The authors could successfully improve the performance of Kasendas under heavy workload and the work of the performance tuning was not large.

Secure and manageable virtual private networks for end-users

This paper presents personal networks, which integrate a VPN and the per-VPN execution environments of the hosts included in the VPN. The key point is that each execution environment called a portspace is bound to only one VPN, i.e., single-homed. Using this feature of portspaces, personal networks address several problems at multi-homed hosts that use multiple VPNs. Information flow is separated by personal networks so that it is not mixed at multi-homed hosts. IP addressing in a personal network is independent of the other personal networks, even the base network, and therefore does not conflict with those of other networks at multi-homed hosts. In addition, personal networks provide facilities for easy bootstrapping so that the end-users can construct such isolated networks easily. Inheritance of portspaces supports the creation of new portspaces based on existing portspaces. Self-construction of personal networks enables end-users to construct personal networks without help from the base network.

A Self-Protection Mechanism against Stepping-Stone Attacks for IaaS Clouds

For Infrastructure-as-a-Service (IaaS) clouds, stepping-stone attacks via hosted virtual machines (VMs) are critical. This type of attack uses compromised VMs as stepping stones for attacking the outside hosts. Not only compromised VMs but also IaaS providers are regarded as attackers. For self-protection, IaaS clouds should perform active response against stepping-stone attacks. However, it is difficult to stop only outgoing attacks at edge firewalls of clouds because edge firewalls can use only information in network packets. In this paper, we propose a new self-protection mechanism against stepping-stone attacks for IaaS clouds, which is called xFilter. xFilter is a packet filter running in the virtual machine monitor (VMM) underlying VMs and achieves pinpoint active response by using VM introspection. VM introspection enables xFilter in the VMM to obtain information on packet senders directly from the memory of VMs. When xFilter detects outgoing attacks, it automatically generates appropriate filtering rules with information on sender processes. Our experiments showed that xFilter could stop only outgoing attacks as much as possible. The performance degradation due to xFilter was less than 13% in usual cases.

A Secure System-Wide Process Scheduler across Virtual Machines

Server consolidation using virtual machines (VMs) makes it difficult to execute processes as the administrators intend. A process scheduler in each VM is not aware of the other VM and schedules only processes in one VM independently. To solve this problem, process scheduling across VMs is necessary. However, such system-wide scheduling is vulnerable to denial-of-service (DoS) attacks from a compromised VM against the other VMs. In this paper, we propose the Monarch scheduler, which is a secure system-wide process scheduler running in the virtual machine monitor (VMM). The Monarch scheduler monitors the execution of processes and changes the scheduling behavior in all VMs. To change process scheduling from the VMM, it manipulates run queues and process states consistently without modifying guest operating systems. Its hybrid scheduling mitigates DoS attacks by leveraging performance isolation among VMs. We confirmed that the Monarch scheduler could achieve useful scheduling and the overheads were small.

Dependable and secure remote management in IaaS clouds

In Infrastructure-as-a-Service (IaaS) clouds, the users manage the systems in the provided virtual machines (VMs) called user VMs through remote management software such as Virtual Network Computing (VNC). For dependability, they often perform out-of-band remote management via the management VM. Even in the case of system failures inside their VMs, the users could directly access their systems. However, the management VM is not always trustworthy in IaaS. Once outside or inside attackers intrude into the management VM, they could easily eavesdrop on all the inputs and outputs in remote management. To solve this security issue, this paper proposes FBCrypt for preventing information leakage via the management VM in out-of-band remote management. FBCrypt encrypts the inputs and outputs between a VNC client and a user VM using the virtual machine monitor (VMM). Sensitive information is protected against the management VM between them. The VMM intercepts the reads of virtual devices by a user VM and decrypts the inputs, whereas it intercepts the updates of a framebuffer by a user VM and encrypts the pixel data. We have implemented FBCrypt in Xen and TightVNC and confirmed that any keystrokes or pixel data did not leak.