
Publication


Featured research published by Nguyen Anh Quynh.


ACM Symposium on Applied Computing | 2007

Towards a tamper-resistant kernel rootkit detector

Nguyen Anh Quynh; Yoshiyasu Takefuji

A variety of tools and architectures have been developed to detect security violations to Operating System kernels. However, they all have a fundamental flaw in their design, so they fail to discover kernel-level attacks. A few hardware solutions have been proposed to address the outstanding problem, but unfortunately they are not widely accepted. This paper presents a software-based method to detect intrusions into the kernel. The proposed tool, named XenKIMONO, which is based on the Xen Virtual Machine, is able to detect many kernel rootkits in virtual machines with a small penalty to the system's performance. In contrast with the traditional approaches, XenKIMONO is isolated from the kernel being monitored, thus it can still function correctly even if the observed kernel is compromised. Moreover, XenKIMONO is flexible and easy to deploy as it absolutely does not require any modification to the monitored systems.


Computer and Communications Security | 2007

A novel approach for a file-system integrity monitor tool of Xen virtual machine

Nguyen Anh Quynh; Yoshiyasu Takefuji

File-system integrity tools (FIT) are commonly deployed host-based intrusion detection (HIDS) tools to detect unauthorized file-system changes. While FIT are widely used, this kind of HIDS has many drawbacks: the intrusion detection is not done in real time, which might render the whole scheme useless if the attacker can somehow take over the system with privileged access in the time between. The administrator also has many problems keeping the baseline database updated. Besides, the database and the FIT itself are vulnerable if the attacker gains local privileged access. This paper presents a novel approach to address the outstanding problems of the current FIT. We propose a design and implementation of a tool named XenFIT for Xen virtual machines. XenFIT can monitor and fire alarms on intrusion in real time, and our approach does not require creating and updating the database as in the legacy methods. XenFIT works by dynamically patching memory of the protected machine, so it is not necessary to install any kernel code or user-space application into the protected machines. As a result, XenFIT is almost effortless to deploy and maintain. In addition, thanks to the advantage introduced by Xen, the security policies as well as the detection process are put in a secure machine, so XenFIT is tamper-resistant against attack, even in case the attacker takes over the whole VM he is penetrating. Finally, if deployed strictly, XenFIT is able to function very stealthily to avoid the suspicion of the intruder.


International Conference on Networking and Services | 2006

A Real-time Integrity Monitor for Xen Virtual Machine

Nguyen Anh Quynh; Yoshiyasu Takefuji

File-system integrity tools (FIT) are commonly deployed to assist forensic investigation after security incidents and as host-based intrusion detection (HIDS) tools to detect unauthorized file-system changes. Basically all the current solutions employ the same tactic: the administrator specifies a list of critical files and directories that need to be monitored, then uses the FIT to create a baseline database that tracks general parameters about these files. The FIT is then re-run periodically, and if it detects modifications of the file-system against the information stored in the database, a report on the changed file is generated. However, this strategy is far from perfect: the intrusion detection cannot be done in real time, which might render the whole scheme useless if the attacker can somehow take over the system with privileged access in the time between. The administrator also has many problems keeping the database updated. Besides, he must do everything he can to protect the database and the FIT itself from being compromised by the attacker, which is not an easy task, especially if the attacker gains local access. This paper presents a novel approach to address the outstanding problems of the current FIT. We propose a design and implementation of a tool named XenRIM for Xen virtual machines. XenRIM can monitor and fire alarms on intrusion in real time, and our approach does not require creating and updating the database as in the legacy methods. As a result, XenRIM is almost effortless to deploy and maintain. Thanks to the advantage introduced by Xen, the detection policies are centralized in a secure virtual machine and resistant to tampering. Even better, if deployed strictly, this tool is able to function very stealthily to avoid the suspicion of the attacker. Our experimental result demonstrates that XenRIM incurs very low performance overhead (less than 4%), which makes the solution attractive and practical for production systems.


USENIX Large Installation Systems Administration Conference | 2006

Centralized security policy support for virtual machine

Nguyen Anh Quynh; Ruo Ando; Yoshiyasu Takefuji


International Conference on Parallel and Distributed Computing and Networks | 2006

A central and secured logging data solution for Xen virtual machine

Nguyen Anh Quynh; Yoshiyasu Takefuji


Lecture Notes in Computer Science | 2006

Towards an invisible honeypot monitoring system

Nguyen Anh Quynh; Yoshiyasu Takefuji


WSEAS Transactions on Information Science and Applications archive | 2006

Faster resolution based metamorphic virus detection using ATP control strategy

Ruo Ando; Nguyen Anh Quynh; Yoshiyasu Takefuji


WSEAS Transactions on Computers archive | 2006

A novel approach to secured and central logging data

Nguyen Anh Quynh; Yoshiyasu Takefuji


Archive | 2005

Resolution based computer metamorphic virus detection using redundancy control strategy

Ruo Ando; Nguyen Anh Quynh; Yoshiyasu Takefuji


WSEAS Transactions on Computers archive | 2006

A novel stealthy data capture tool for honeypot system

Nguyen Anh Quynh; Yoshiyasu Takefuji
