Secure Observation of Kernel Behavior
Author(s)
Srivastava, Abhinav
Singh, Kapil
Giffin, Jonathon
Abstract
Operating system kernels are difficult to understand and monitor. Hardware virtualization provides a layer where security tools can observe a kernel, but the gap between operating system abstractions and hardware accesses limits the ability of tools to comprehend the kernel’s activity. Virtual machine introspection (VMI) builds knowledge of high-level kernel state by directly accessing the memory of an executing kernel. We show that implementations of introspection-based tools unsafely rely on operating system level data structures to provide meaningful information about a guest. We evade XenAccess, an open source implementation of introspection developed for Xen. We then develop Wizard, a Xen-based kernel monitor cognizant of the semantic correlation between events at a high-level kernel service interface and events at a low-level hardware device interface. In contrast to VMI, Wizard trusts no guest OS data, but its semantic understanding still identifies kernel-level attacks that alter the kernel’s execution behavior. Wizard’s monitoring imposes modest overheads of 0%–25% on guest applications.
Date
2008
Resource Type
Text
Resource Subtype
Technical Report