ferify: A Virtual Machine File Protection System against Zero-Day Attacks

Authors: Peppas, Alexis; Xie, Geoffrey G.; Prince, Charles D.
Date of Issue: 2017-12
Publisher: ArXiv
Abstract
Most existing solutions for protecting VMs assume known attack patterns or signatures and focus on detecting malicious manipulation of system files and kernel-level memory structures. In this research we develop a system called ferify, which leverages VM introspection (VMI) to protect user files hosted on a VM against unauthorized access even after an attacker has obtained root privileges on the VM. ferify maintains in the hypervisor domain a shadow file access control list (SACL) that is entirely transparent to the VM. It uses the SACL to perform independent access control on every system call that may operate on the protected files. Further, ferify prevents kernel modification, ensures the integrity of process ownership, and supports hypervisor-based user authentication. We have developed a ferify prototype for Linux, and through a set of controlled experiments we show that the system is able to mitigate a range of zero-day attacks that may otherwise evade signature-based solutions. In addition, we analyze the root cause of the high processing overhead observed from trapping system calls, and propose a general solution that can potentially cut that overhead by half.
Type: Preprint
Department: Computer Science (CS)
Format: 8 p.
Citation: Peppas, Alexis, Geoffrey G. Xie, and Charles Prince. "ferify: A Virtual Machine File Protection System against Zero-Day Attacks." arXiv preprint arXiv:2004.08992 (2020).
Rights: This publication is a work of the U.S. Government as defined in Title 17, United States Code, Section 101. Copyright protection is not available for this work in the United States.