Abstract

Numerous event-based probing methods exist for cloud computing environments allowing a hypervisor to gain insight into guest activities. Such event-based probing has been shown to be useful for detecting attacks, system hangs through watchdogs, and for inserting exploit detectors before a system can be patched, among others. Here, we illustrate how to use such probing for trustworthy logging and highlight some of the challenges that existing event-based probing mechanisms do not address. Challenges include ensuring a probe inserted at a given address is trustworthy despite the lack of attestation available for probes that have been inserted dynamically. We show how probes can be inserted to ensure proper logging of every invocation of a probed instruction. When combined with attested boot of the hypervisor and guest machines, we can ensure the output stream of monitored events is trustworthy. Using these techniques we build a trustworthy log of certain guest-system-call events. The log powers a cloud-tuned Intrusion Detection System (IDS). New event types are identified that must be added to existing probing systems to ensure attempts to circumvent probes within the guest appear in the log. We highlight the overhead penalties paid by guests to increase guarantees of log completeness when faced with attacks on the guest kernel. Promising results (less than 10% for guests) are shown when a guest relaxes the trade-off between log completeness and overhead. Our demonstrative IDS detects common attack scenarios with simple policies built using our guest behavior recording system.

Original language: English (US)
Title of host publication: Proceedings - 2017 IEEE International Conference on Cloud Engineering, IC2E 2017
Publisher: Institute of Electrical and Electronics Engineers Inc.
Pages: 215-225
Number of pages: 11
ISBN (Electronic): 9781509058174
DOIs
State: Published - May 9 2017
Event: 2017 IEEE International Conference on Cloud Engineering, IC2E 2017 - Vancouver, Canada
Duration: Apr 4 2017 - Apr 7 2017

Publication series

Name: Proceedings - 2017 IEEE International Conference on Cloud Engineering, IC2E 2017

Other

Other: 2017 IEEE International Conference on Cloud Engineering, IC2E 2017
Country/Territory: Canada
City: Vancouver
Period: 4/4/17 - 4/7/17

Keywords

  • VMI
  • defense-in-depth
  • intrusion detection
  • virtual appliance

ASJC Scopus subject areas

  • Computer Networks and Communications
  • Hardware and Architecture
  • Information Systems and Management
