Lionel Litty
University of Toronto
Publication
Featured research published by Lionel Litty.
architectural support for programming languages and operating systems | 2006
Lionel Litty; David Lie
Unbeknownst to many computer users, their machines are running malware. Others are aware that strange software inhabits their machine, but cannot get rid of it. In this paper, we present Manitou, a system that provides users with the ability to assign, track and revoke execution privileges for code, regardless of the integrity and type of operating system the machine is using. Manitou is implemented within a hypervisor and uses the per-page permission bits to ensure that any code contained in an executable page corresponds to authorized code. Manitou authenticates code by taking a cryptographic hash of the content of a page right before executing code contained in that page. Our system guarantees that only authorized code can be run on the system.
virtual execution environments | 2006
Kurniadi Asrigo; Lionel Litty; David Lie
Virtual Machine Monitors (VMMs) are a common tool for implementing honeypots. In this paper we examine the implementation of a VMM-based intrusion detection and monitoring system for collecting information about attacks on honeypots. We document and evaluate three designs we have implemented on two open-source virtualization platforms: User-Mode Linux and Xen. Our results show that our designs give the monitor good visibility into the system and thus, a small number of monitoring sensors can detect a large number of intrusions. In a three month period, we were able to detect five different attacks, as well as collect and try 46 more exploits on our honeypots. All attacks were detected with only two monitoring sensors. We found that the performance overhead for monitoring such intrusions is independent of which events are being monitored, but depends entirely on the number of monitoring events and the underlying monitoring implementation. The performance overhead can be significantly improved by implementing the monitor directly in the privileged code of the VMM, though at the cost of increasing the size of the trusted computing base of the system.
sensor, mesh and ad hoc communications and networks | 2004
A.L. Cavilla; Gerard S. Baron; Thomas E. Hart; Lionel Litty; E. de Lara
We evaluate the robustness of simplified mobility and radio propagation models for indoor MANET simulations. A robust simplification allows researchers to extrapolate simulation results and reach reliable conclusions about the expected performance of protocols in real life. We show that common simplified mobility and radio propagation models are not robust. Experiments with DSR and DSDV, two representative MANET routing protocols, show that the simplifications affect the two protocols in very different manners. Even for a single protocol, the effects on perceived performance can vary erratically as parameters change. These results cast doubt on the soundness of evaluations of MANET routing protocols based on simplified mobility and radio propagation models, and expose the urgent need for more research on realistic MANET simulation.
virtual execution environments | 2011
Lionel Litty; David Lie
A basic requirement of a secure computer system is that it be up to date with regard to software security patches. Unfortunately, Infrastructure as a Service (IaaS) clouds make this difficult. They leverage virtualization, which provides functionality that causes traditional security patch update systems to fail. In addition, the diversity of operating systems and the distributed nature of administration in the cloud compound the problem of identifying unpatched machines. In this work, we propose P2, a hypervisor-based patch audit solution. P2 audits VMs and detects the execution of unpatched binary and non-binary files in an accurate, continuous and OS-agnostic manner. Two key innovations make P2 possible. First, P2 uses efficient information flow tracking to identify the use of unpatched non-binary files in a vulnerable way. We performed a patch survey and discovered that 64% of files modified by security updates do not contain binary code, making the audit of non-binary files crucial. Second, P2 implements a novel algorithm that identifies binaries in mid-execution to allow handling of VMs resumed from a checkpoint or migrated into the cloud. We have implemented a prototype of P2 and our experiments show that it accurately reports the execution of unpatched code while imposing performance overhead of 4%.
scalable trusted computing | 2010
David Lie; Lionel Litty
Hypervisors are an excellent tool for increasing the security of commodity software against attack. In this paper, we discuss some of the lessons and insights we gained from designing and implementing four research prototypes that use hypervisors to secure commodity systems. We also compare our findings with other approaches to implementing security in a hypervisor.
usenix security symposium | 2008
Lionel Litty; H. Andrés Lagar-Cavilla; David Lie
operating systems design and implementation | 2006
Richard Ta-Min; Lionel Litty; David Lie
workshop on hot topics in operating systems | 2009
Lionel Litty; H. Andrés Lagar-Cavilla; David Lie
Archive | 2013
Lionel Litty; Marios Leventopoulos; Joshua Schwartz
Archive | 2012
Samuel Larsen; Gilad Arie Wolff; Oded Horovitz; Lionel Litty; Marios Leventopoulos; James Kiryakoza