Publication


Featured research published by Zhiyu Hao.


International Conference on Algorithms and Architectures for Parallel Processing | 2015

Exploring Efficient and Robust Virtual Machine Introspection Techniques

Chonghua Wang; Xiaochun Yun; Zhiyu Hao; Lei Cui; Yandong Han; Qingxin Zou

Upon practical implementation of virtual machine introspection (VMI), administrators may be overwhelmed by dozens of research works. Specifically, the adopted introspection mechanisms perform differently with regard to various performance and security requirements. Besides, most previous works do not clarify the boundary between Trusted Computing Base (TCB) and attacks towards introspection. This paper aims to help administrators to determine the appropriate introspection approach. Firstly, we summarize current VMI technologies, and present a classification method mainly depending on whether hardware assistance is required, how it solves the semantic gap problem and how introspection is triggered. Secondly, we discuss how to achieve a good trade-off between the two metrics of performance and security. Thirdly, we propose a TCB threat model to employ VMI along with other enhancing mechanisms to tackle attacks in different levels of TCB. Finally, we discuss some future trends related to VMI for further improving security.


International Conference on Parallel Processing | 2016

Piccolo: A Fast and Efficient Rollback System for Virtual Machine Clusters

Lei Cui; Zhiyu Hao; Chonghua Wang; Haiqiang Fei; Zhenquan Ding

Rollback is an effective technique to resume the system execution from a recorded intermediate state upon failures, without having to restart the entire system. However, in virtualized environments, rollback of a virtual machine cluster (VMC) produces high network traffic and long service disruption, particularly for a large cluster used for scientific computing, thereby imposing significant overhead both on network and applications. This paper proposes Piccolo, a fast and efficient rollback system, to restore a VMC from snapshot files over the data center network. First, we exploit the similarity among VMC snapshots and leverage multicast to deliver the identical pages across VMs placed on dispersed hosts, thereby bypassing unnecessary transmission of a large number of pages. Second, we analyze the impact on network traffic of varying VM placements in the data center network, formulate the traffic-aware placement as an optimization problem, and design a two-tier approximation algorithm that efficiently solves the problem. In addition to presenting Piccolo, we detail its implementation, and evaluate it by a set of experiments. The results show that Piccolo could achieve a significant reduction in terms of total sent data, network traffic and rollback latency compared to the existing generic techniques.


Security and Communication Networks | 2016

Quantitative threat situation assessment based on alert verification

Rongrong Xi; Xiaochun Yun; Zhiyu Hao; Yongzheng Zhang

Traditional network threat situational assessment is based on raw alerts, not combined with contextual information, which influences the accuracy of assessment. In this paper, we propose a method to quantitatively assess network threat situation based on not only alerts but also contextual information. It firstly verifies alerts by matching alerts with contextual information to determine the successful probability of attacks, then analyzes the impact caused by attacks according to the severity and the corresponding asset value of them, and finally quantitatively assesses network threat situation based on the successful probability and the impact of attacks. Case studies show that the method can assess network threat situations more reasonably.


International Conference on Algorithms and Architectures for Parallel Processing | 2015

Lightweight Virtual Machine Checkpoint and Rollback for Long-running Applications

Lei Cui; Zhiyu Hao; Lun Li; Haiqiang Fei; Zhenquan Ding; Bo Li; Peng Liu

Checkpoint/rollback is an effective approach to guarantee that the long-running applications can be completed in the face of failures. However, it does not come for free. The application suffers from long downtime and performance penalty when it is being checkpointed or rolled back, which result in extra overhead on application execution time. This problem would get worse in virtualized environments mainly due to the heavyweight nature of virtual machines. This paper proposes warmCR, a lightweight checkpoint/rollback system for virtual machines, which aims to reduce its own extra overhead on application execution time. First, warmCR employs the redirect-on-write approach to create disk checkpoint and leverages the copy-on-write method to lively create memory checkpoint, so that both the downtime and checkpoint duration are reduced. Second, we propose a working set based rollback approach to provide short downtime without compromising application performance. Third, workload-aware batched processing is proposed to achieve trade-off between downtime and performance loss. In addition to presenting warmCR, we detail its implementation, and provide extensive experimental results to prove its efficiency and effectiveness.


International Conference on Cluster Computing | 2013

Counting sort for the live migration of virtual machines

Qingxin Zou; Zhiyu Hao; Xiaochun Yun; Yongzheng Zhang

The live migration of virtual machines is an important technique in the area of virtualization, and it has been used for load balancing, fault tolerance, and system maintenance in modern data centers, clusters, and cloud computing. The pre-copy algorithm is the most used method for the live migration of virtual machines. However, the existing problem of repeatedly transferring dirty memory pages leads to the increase of the transferring data amount, delays of the total migration time as well as the downtime. By analyzing the iteration process of the pre-copy algorithm, we find that the transferring order of memory pages during every middle round has a huge impact on the generation and transferring of dirty memory pages. Further we put forward the concept of the live migration of virtual machines based on the counting sort. During every middle round of the iteration process, we do not transfer the memory pages according to their original order, instead we transfer the memory pages according to their times of being dirty. Experiment results show that with different workloads the counting sort method could simultaneously decrease the transferring data amount, the total migration time, and the downtime to improve the performance of the live migration.


Information Security Conference | 2012

Modeling Social Engineering Botnet Dynamics across Multiple Social Networks

Shuhao Li; Xiaochun Yun; Zhiyu Hao; Yongzheng Zhang; Xiang Cui; Yipeng Wang

In recent years, widely spreading botnets in social networks are becoming a major security threat to both social networking services and the privacy of their users. In order to have a better understanding of the dynamics of these botnets, defenders should model the process of their propagation. However, previous studies on botnet propagation models have tended to focus solely on characterizing the vulnerability propagation on one infection domain, and left two key properties (cross-domain mobility and user dynamics) untouched. In this paper, we formalize a new propagation model to reveal the general infection process of social engineering botnets in multiple social networks. This proposed model is based on stochastic process, and investigates two important factors involved in botnet propagation: (i) bot spreading across multiple domains, and (ii) user behaviors in social networks. Furthermore, with statistical data obtained from four real-world social networks, a botnet simulation platform is built based on OMNeT++ to test the validity of our model. The experimental results indicate that our model can accurately predict the infection process of these new advanced botnets with less than 5% deviation.


Simulation | 2008

An Efficient Routing Mechanism in Network Simulation

Zhiyu Hao; Xiaochun Yun; Hongli Zhang

Simulation is widely recognized as an essential tool for analyzing large-scale networks. Routing is a key factor which impacts the simulation scale and efficiency. This paper presents a new approach to routing calculation, storage and lookup, named MTree_Nix routing. It maintains a variable number of spanning trees as the base routing table, and uses Nix-Vector routing to compute on demand the routing states that cannot be covered by any of the spanning trees. Theoretically, we obtain the constraint condition on the optimized trade-off between space and time in MTree_Nix routing. Integrated with the advantages of the current routing mechanisms, MTree_Nix comes to a better trade-off between the storage space for the routing tables and the CPU time for routing lookup. Experimental results show that, with a storage space of only about 1% more than Nix-Vector, MTree_Nix can reduce the simulation time to about 85% of that using Nix-Vector.


International Journal of Parallel Programming | 2017

Introspection-Based Memory Pruning for Live VM Migration

Chonghua Wang; Zhiyu Hao; Lei Cui; Xiangyu Zhang; Xiaochun Yun

Virtual Machine (VM) migration is an appealing technique on today's cloud platforms to achieve high availability, load balancing and power saving. Unfortunately, migration of VM involves transferring a large amount of data, thereby imposing high overheads on network traffic, and consequently results in significant application performance degradation. In this paper, we propose an introspection-based memory pruning method for fast and effective live VM migration. Firstly, we classify memory pages into five categories including anonymous, inode, kernel, free and cache pages, according to how they are used by OS. Then, upon migration, we drop the free pages which are insignificant and cache pages which are redundant. In this way, a large amount of unnecessary data are precluded, so that the migration time is reduced as well. Our system can classify memory pages into specific categories precisely using introspection. Besides cache pages, we also eliminate the pages that are ever used but are freed later which is different from most of the works that only eliminate free pages which are marked as zero pages by OS. Experiments show that our work achieves preferable reduction (72% on average) in terms of the total migration time compared with the original pre-copy algorithm within QEMU/KVM.


Recent Advances in Intrusion Detection | 2018

ShadowMonitor: An Effective In-VM Monitoring Framework with Hardware-Enforced Isolation

Bin Shi; Lei Cui; Bo Li; Xudong Liu; Zhiyu Hao; Haiying Shen

Virtual machine introspection (VMI) is one compelling technique to enhance system security in clouds. It is able to provide strong isolation between untrusted guests and security tools placed in guests, thereby enabling dependability of the security tools even if the guest has been compromised. Due to this benefit, VMI has been widely used for cloud security such as intrusion detection, security monitoring, and tampering forensics. However, existing VMI solutions suffer significant performance degradation mainly due to the high overhead upon frequent memory address translations and context-switches. This drawback limits its usage in many real-world scenarios, especially when fine-grained monitoring is desired. In this paper, we present ShadowMonitor, an effective VMI framework that enables efficient in-VM monitoring without imposing significant overhead. ShadowMonitor decomposes the whole monitoring system into two compartments and then assigns each compartment with isolated address space. By placing the monitored components in the protected compartment, ShadowMonitor guarantees the safety of both monitoring tools and guests. In addition, ShadowMonitor employs hardware-enforced instructions to design the gates across two compartments, thereby providing efficient switching between compartments. We have implemented ShadowMonitor on QEMU/KVM exploiting several hardware virtualization features. The experimental results show that ShadowMonitor could prevent several types of attacks and achieves 10× speedup over the existing method in terms of both event monitoring and overall application performance.


International Conference on Security and Privacy in Communication Systems | 2017

A Hypervisor Level Provenance System to Reconstruct Attack Story Caused by Kernel Malware

Chonghua Wang; Shiqing Ma; Xiangyu Zhang; Junghwan Rhee; Xiaochun Yun; Zhiyu Hao

Provenance of system subjects (e.g., processes) and objects (e.g., files) is very useful for many forensics tasks. In our analysis and comparison of existing Linux provenance tracing systems, we found that most systems assume the Linux kernel to be in the trust base, making these systems vulnerable to kernel level malware. To address this problem, we present HProve, a hypervisor level provenance tracing system to reconstruct the kernel malware attack story. It monitors the execution of kernel functions and sensitive objects, and correlates the system subjects and objects to form the causality dependencies for the attacks. We evaluated our prototype on 12 real world kernel malware samples, and the results show that it can correctly identify the provenance behaviors of the kernel malware.

Collaboration

Top Co-Authors

Xiaochun Yun, Chinese Academy of Sciences

Lei Cui, Chinese Academy of Sciences

Chonghua Wang, Chinese Academy of Sciences

Yongzheng Zhang, Chinese Academy of Sciences

Lun Li, Chinese Academy of Sciences

Zhenquan Ding, Chinese Academy of Sciences

Haiqiang Fei, Chinese Academy of Sciences

Rongrong Xi, Chinese Academy of Sciences

Yandong Han, Chinese Academy of Sciences

Bo Li, Tsinghua University