Secure Observation of Kernel Behavior

Files
GT-CS-08-01.pdf (214.83 KB)
Author(s)
Srivastava, Abhinav
Singh, Kapil
Giffin, Jonathon
Advisor(s)
Editor(s)
Associated Organization(s)
Organizational Unit
Organizational Unit
School of Computer Science
School established in 2007
Series
Series
Series
Collections
Research Publications
Supplementary to:
Permanent Link
http://hdl.handle.net/1853/25464
Abstract
Operating system kernels are difficult to understand and monitor. Hardware virtualization provides a layer where security tools can observe a kernel, but the gap between operating system abstractions and hardware accesses limits the ability of tools to comprehend the kernel’s activity. Virtual machine introspection (VMI) builds knowledge of high-level kernel state by directly accessing the memory of an executing kernel. We show that implementations of introspection-based tools unsafely rely on operating system level data structures to provide meaningful information about a guest. We evade XenAccess, an open source implementation of introspection developed for Xen. We then develop Wizard, a Xen-based kernel monitor cognizant of the semantic correlation between events at a high-level kernel service interface and events at a low-level hardware device interface. In contrast to VMI, Wizard trusts no guest OS data, but its semantic understanding still identifies kernel-level attacks that alter the kernel’s execution behavior. Wizard’s monitoring imposes modest overheads of 0%–25% on guest applications.
Sponsor
Date
2008
Extent
Resource Type
Text
Resource Subtype
Technical Report
Rights Statement
Rights URI