A Virtual Machine Introspection Based Architecture for Intrusion Detection

1. A Virtual Machine Introspection Based Architecture for Intrusion Detection CS598 STK Presented by Zahid Anwar

2. My favorite Newsgroup Comment • “paper is NOT interesting.. To save time, suggest reading just Fig 1 and Sec 8”

3. Types of IDSes

4. VMI IDS Architecture

5. Policy Modules • Newsgroup Question: • “claim they opted to suspend VM only on definitive misuse, at the same time they do polling on periodic basis. • How these two relate? • Who is doing the polling and who decides if an event is definitive misuse?”

6. Sample Policy Modules • User program integrity detector • Periodically hashes unchanging sections of running programs, compares to those of known good originals • Signature detector • Periodically scans guest memory for substrings belonging to known malware • Finds malware in unexpected places, like filesystem cache • Lie detector • Detects inconsistencies between hardware state and what is reported by user-level programs (ls, netstat, …) • Raw socket detector

7. Enforcing Confinement Policies • Event driven Modules run in response to a change in hardware state • Memory access enforcer • Prevents sensitive portions of the kernel from being modified • NIC access enforcer • Prevents the guest’s network interface card (NIC) from entering promiscuous mode or having a non-authorized MAC address

8. Newsgroup question: "how to interpret the VMI performance graph - is the baseline, a native system executing directly or VMWare without any of our detection software.”

9. Automatic maintenance and repair of advanced electric meters. Remote Entity Remote Entity • Thoughts: • Terra • IBM’s sHype Extract Useful State Send Policy Corrupted VM VM Agree to abide And pass down Report Violations Replace With newly Constructed VM VMM VMM

10. Fine-graining halt-on-fault • “Only stop those malicious programs and keep legal applications running” • Some thoughts: • Theoretically possible for user-level Trojans since they say you have control of process table • Not always possible to reverse a worm’s effects in a running kernel

11. Complicated OS Interface Library • “efforts are large. All the machine states visible in the OS should be explicitly exported across the border of VMs so that the monitoring VM is able to view them. Moreover, can every hardware/OS state be exported across a VM border?” • Some Thoughts: • XenAccess Introspection Library • provides a higher-level abstraction than available through Xen’s libxc • Limitation: DomU and Dom0 must use same kernel image

12. Other techniques • “seems to be some previous work (e.g., Linux LIDS) that make some system files unmodifiable, even by the root …good enough for attack resilience?” • Kernel hardening techniques such as LIDS and Pitbull are preventive (not detection) • MAC is hard to configure correctly • May still be subvirted by booting with an alternate kernel

13. Detecting unknown attacks • “IDS has weakness in detecting attacks & unknown vulnerabilities • Limitation of secure systems in general. • Virus checkers need to be constantly updated for new signatures • .. in addition, detecting attacks after compromise might be useless…” • Depends on nature of compromise. Consider timely recovery from a DoSed system • Might find an interesting read • Z Anwar, R H Campbell, “Secure Reincarnation of Compromised Servers using Xen Based Time-Forking Virtual Machines” ,"Perware, 5th Annual IEEE International Conference on Pervasive Computing and Communications NY, March, 2007.

14. Discussion • Malware might detect an IDS running on the infected host and remove itself from memory when a scan is performed • Can save entire system state for forensics • Better visibility into guest  worse performance • OS interface library is complex, can be fooled • Policy Management • How to differentiate good and bad behavior? • Hard to express and enforce fine-grained policies • Ad-hoc way to do intrusion detection • Update signature database • Maybe complete logging is better