Publications

Featured research published by Yoshihiro Oyama.


Virtual Execution Environments | 2009

BitVisor: a thin hypervisor for enforcing I/O device security

Takahiro Shinagawa; Hideki Eiraku; Kouichi Tanimoto; Kazumasa Omote; Shoichi Hasegawa; Takashi Horie; Manabu Hirano; Kenichi Kourai; Yoshihiro Oyama; Eiji Kawai; Kenji Kono; Shigeru Chiba; Yasushi Shinjo; Kazuhiko Kato

Virtual machine monitors (VMMs), including hypervisors, are a popular platform for implementing various security functionalities. However, traditional VMMs require numerous components for providing virtual hardware devices and for sharing and protecting system resources among virtual machines (VMs), enlarging the code size and reducing the reliability of the VMMs. This paper introduces a hypervisor architecture, called parapass-through, designed to minimize the code size of hypervisors by allowing most of the I/O access from the guest operating system (OS) to pass through the hypervisor, while the minimum access necessary to implement security functionalities is completely mediated by the hypervisor. This architecture uses device drivers of the guest OS to handle devices, thereby reducing the size of the components in the hypervisor that provide virtual devices. This architecture also allows only a single VM to run on it, eliminating the components for sharing and protecting system resources among VMs. We implemented a hypervisor called BitVisor and a parapass-through driver for enforcing storage encryption of ATA devices based on the parapass-through architecture. The experimental result reveals that the hypervisor and ATA driver require approximately 20 kilo-lines of code (KLOC) and 1.4 KLOC respectively.


ACM Symposium on Applied Computing | 2010

Load-based covert channels between Xen virtual machines

Keisuke Okamura; Yoshihiro Oyama

Multiple virtual machines on a single virtual machine monitor are isolated from each other. A malicious user on one virtual machine usually cannot relay secret data to other virtual machines without using explicit communication media such as shared files or a network. However, this isolation is threatened by communication in which CPU load is used as a covert channel. Unfortunately, this threat has not been fully understood or evaluated. In this study, we quantitatively evaluate the threat of CPU-based covert channels between virtual machines on the Xen hypervisor. We have developed CCCV, a system that creates a covert channel and communicates data secretly using CPU loads. CCCV consists of two user processes, a sender and a receiver. The sender runs on one virtual machine, and the receiver runs on another virtual machine on the same hypervisor. We measured the bandwidth and communication accuracy of the covert channel. CCCV communicated 64-bit data with a 100% success rate in an ideal environment, and with a success rate of over 90% in an environment where Web servers are processing requests on other virtual machines.


Recent Advances in Intrusion Detection | 2004

Anomaly Detection Using Layered Networks Based on Eigen Co-occurrence Matrix

Mizuki Oka; Yoshihiro Oyama; Hirotake Abe; Kazuhiko Kato

Anomaly detection is a promising approach to detecting intruders masquerading as valid users (called masqueraders). It creates a user profile and labels any behavior that deviates from the profile as anomalous. In anomaly detection, a challenging task is modeling a user’s dynamic behavior based on sequential data collected from computer systems. In this paper, we propose a novel method, called Eigen co-occurrence matrix (ECM), that models sequences such as UNIX commands and extracts their principal features. We applied the ECM method to a masquerade detection experiment with data from Schonlau et al. We report the results and compare them with results obtained from several conventional methods.


ACM Symposium on Applied Computing | 2008

Control of system calls from outside of virtual machines

Koichi Onoue; Yoshihiro Oyama; Akinori Yonezawa

A virtual machine monitor (VMM) can isolate virtual machines (VMs) for trusted programs from VMs for untrusted ones. The security of VMs for untrusted programs can be enhanced by monitoring and controlling the behavior of the VMs with security systems running in a VM for trusted programs. However, programs running outside of a monitored VM usually obtain only low-level events and states such as interrupts and register values. Therefore, it is not straightforward for the programs to understand the high-level behavior of an operating system in a monitored VM and to control resources managed by the operating system. In this paper, we propose a security system that controls the execution of processes from outside of VMs. It consists of a modified VMM and a program running in a trusted VM. The system intercepts system calls invoked in a monitored VM and controls the execution according to a security policy. To fill the semantic gap between low-level events and high-level behavior, the system uses knowledge of the structure of a given operating system kernel. The user creates the knowledge with a tool when building an operating system. We implemented the system using Xen, and measured the overhead through experiments using microbenchmarks and a benchmark for the Apache web server.


ACM Symposium on Applied Computing | 2012

Detecting malware signatures in a thin hypervisor

Yoshihiro Oyama; Tran Truong Duc Giang; Yosuke Chubachi; Takahiro Shinagawa; Kazuhiko Kato

Enhancement of security using hypervisors is an effective approach that has been extensively studied. This paper is concerned with hypervisors using the parapass-through architecture, in which most of the I/O accesses from the operating system are passed through the hypervisor, while the minimum accesses necessary to implement security functionality are mediated by the hypervisor. Parapass-through hypervisors can provide various security functionalities such as encryption of storage data and creation of virtual private networks. Although a previous study has detailed a method for protecting privacy with a parapass-through hypervisor, it has not yet clarified a method for detecting malware. In this paper, we propose a scheme for incorporating malware detection functionality into a parapass-through hypervisor. Using this scheme, we implemented BVMD, an extension of the parapass-through hypervisor BitVisor, for malware detection. BVMD detects malware by comparing the contents of the data I/O with the malware signatures. A major advantage of BVMD is that its detection depends only slightly on the guest operating system. We confirmed through experiments that BVMD could detect many in-the-wild malware samples.


First International Workshop on Virtualization Technology in Distributed Computing (VTDC 2006) | 2006

A Virtual Machine Migration System Based on a CPU Emulator

Koichi Onoue; Yoshihiro Oyama; Akinori Yonezawa

Migration of virtual computing environments is a useful mechanism for advanced management of servers and utilization of a uniform computing environment on different machines. There have been a number of studies on migration of virtual computing environments based on virtual machine monitors (e.g., VMware) or language-level virtual machines (e.g., Java). However, migration systems based on a CPU emulator have not received much attention and their viability in a practical setting is not clear. In this paper, we describe Quasar, a virtual machine (VM) migration system implemented on top of the QEMU CPU emulator. Quasar can migrate a whole operating system between physical machines whose architectures are different (e.g., between an x86 machine and a PowerPC machine). Quasar provides a virtual networking facility, which allows migrating VMs to continue communication without disconnecting sockets for migration. Quasar also provides a staged migration function to reduce the downtime of migrating VMs. We have examined the viability of Quasar through experiments, in which Quasar was compared with Xen, SBUML, and UML. The experiments assessed the performance of virtual server hosting, the sizes of the files that represent VMs, and the amount of downtime for VM migration.


International Symposium on Computers and Communications | 2009

Malware analysis system using process-level virtualization

Yu Adachi; Yoshihiro Oyama

We have developed a malware analysis system based on process-level virtualization. Our BitSaucer system can dynamically generate a number of virtual execution environments as honeypots on one machine. It confines malware by creating a virtual file tree in a virtual execution environment and by redirecting outgoing network communication to another virtual execution environment on the same machine. BitSaucer has minimal resource consumption and runtime overhead. Even when 1000 virtual execution environments were hosted on one machine, the applications running in the environments worked as well as they normally do. We deployed a honeypot on the Internet and collected information related to actual attacks. Experimental results showed that BitSaucer had better performance on the ApacheBench benchmark than a naive honeypot system based on a virtual machine monitor.


International Parallel and Distributed Processing Symposium | 2005

Speculative security checks in sandboxing systems

Yoshihiro Oyama; Koichi Onoue; Akinori Yonezawa

Sandboxing systems are extremely useful for secure execution of untrusted applications. Many of the sandboxing systems proposed so far provide security by intercepting system calls invoked by an application and controlling their execution. However, a problem in existing sandboxing systems is the amount of overhead required for security checks performed after system call interceptions. In this paper, we propose a sandboxing system that executes speculative security checks. The proposed system predicts the behavior of a sandboxed application and executes speculative security checks in parallel with the application, thus reducing the overhead. Behavior is predicted based on system call profiles in past executions of the application. We implemented the system on Linux and made a preliminary evaluation.


Symposium on Operating Systems Principles | 2005

A virtual machine monitor for utilizing non-dedicated clusters

Kenji Kaneda; Yoshihiro Oyama; Akinori Yonezawa

We have designed and implemented a virtual machine monitor (VMM) for utilizing non-dedicated clusters. The VMM virtualizes a shared-memory multi-processor machine on a commodity cluster. In addition, it hides dynamic changes of physical hardware configurations. The experimental result demonstrates the feasibility of our approach.


MEXT-NSF-JSPS International Conference on Software Security: Theories and Systems | 2002

SoftwarePot: an encapsulated transferable file system for secure software circulation

Kazuhiko Kato; Yoshihiro Oyama

We have developed a general approach to enable secure circulation of software in an open network environment such as the Internet. By software circulation, we mean a generalized conventional software distribution concept in which software can be transferred even in an iterative manner, such as through redistribution or using mobile agents. To clarify the problem that arises when software is circulated in an open network environment, we first considered a simple model for insecure software circulation and then developed a model for secure software circulation (SSC). In the SSC model, we extended the sandbox concept to include its own file system and to have the ability to be transferred via a network. In this sense, our approach is characterized by an encapsulated, transferable file system. We describe how the SoftwarePot system was designed to implement the SSC model, and discuss the implications of experimental results that we obtained during the implementation.

Collaboration

Top co-authors of Yoshihiro Oyama:

Jun Murakami (University of Electro-Communications)
Shun Ishiguro (University of Electro-Communications)
Hideya Iwasaki (University of Electro-Communications)
Shin Sasaki (University of Electro-Communications)
Kazushi Takahashi (University of Electro-Communications)