Publication:
Protecting files hosted on virtual machines with out-of-guest access control

Authors
Peppas, Alexis
Subjects
virtualization
file protection
out-of-guest control
virtual machines
application white-list
virtual machine introspection
Advisors
Xie, Geoffrey G.
Date of Issue
2017-12
Date
Dec-17
Publisher
Monterey, California: Naval Postgraduate School
Abstract
When an operating system (OS) runs on a virtual machine (VM), a hypervisor, the software that facilitates virtualization of computer hardware, provides a service called introspection, which is used for monitoring the internal state of the VM. However, a VM still shares all of the vulnerabilities of its resident OS and software. At some point in time, it will likely be the victim of a successful exploitation. In this research, we develop a security solution, leveraging introspection and enforcement of a separate shadow access control list (SACL) in the hypervisor to protect critical user files hosted on a VM against a range of zero-day attacks. The main security features of our solution include 1) zero-footprint in the guest VM by maintaining an out-of-guest SACL and other required security information in the hypervisor; 2) protection of critical user files from unauthorized access even if an attacker has managed to obtain root privileges on the VM; 3) application white listing to thwart malware execution; and 4) kernel protection by denying both kernel reboot and runtime addition of kernel modules. We conclude that our solution can successfully protect user files against unauthorized access. The observed performance overhead, although significant, remains within usable levels and is mainly attributed to the context switch between the hypervisor and the VM.
Type
Thesis
Department
Computer Science (CS)
Distribution Statement
Approved for public release; distribution is unlimited.
Rights
Copyright is reserved by the copyright owner.