[1] Riley R, Jiang X, Xu D. Guest-transparent prevention of kernel rootkits with VMM-based memory shadowing[C]//Recent Advances in Intrusion Detection. Springer Berlin Heidelberg, 2008: 1-20.
[2] Lange J R, Dinda P. SymCall: Symbiotic virtualization through VMM-to-guest upcalls[C]//ACM SIGPLAN Notices. ACM, 2011, 46(7): 193-204.
[3] Sharif M I, Lee W, Cui W, et al. Secure in-VM monitoring using hardware virtualization[C]//Proceedings of the 16th ACM Conference on Computer and Communications Security. ACM, 2009: 477-487.
[4] Jiang J, Jia X, Feng D, et al. HyperCrop: a hypervisor-based countermeasure for return oriented programming[M]. Information and Communications Security. Springer Berlin Heidelberg, 2011: 360-373.
[5] Barham P, Dragovic B, Fraser K, et al. Xen and the art of virtualization[J]. ACM SIGOPS Operating Systems Review, 2003, 37(5): 164-177.
[6] Garfinkel T. Traps and Pitfalls: Practical Problems in System Call Interposition Based Security Tools[C]//NDSS. 2003, 3: 163-176.
[7] Shi Jingxiang, Chen Shuyu, Huang Hanhui. Research on kernel-level rootkit techniques based on Linux system calls[J]. Computer Technology and Development, 2010, 20(4): 175-178.
[8] Xianghe L, Liancheng Z, Shuo L. Kernel rootkits implement and detection[J]. Wuhan University Journal of Natural Sciences, 2006, 11(6): 1473-1476.
[9] Zhao Xin, Tan Xiaobin, Xi Hongsheng. An improved intrusion detection algorithm based on system calls[J]. Data Communication, 2010, (2): 48-51.
[10] Su Jinxiu, Chen Lijun. Design and implementation of a logging system based on system calls[J]. Journal of Xi'an University of Posts and Telecommunications, 2012, 16(4): 59-61.
[11] Xu M, Wu L, Qi S, et al. A similarity metric method of obfuscated malware using function-call graph[J]. Journal of Computer Virology and Hacking Techniques, 2013, 9(1): 35-47.
[12] Shang S, Zheng N, Xu J, et al. Detecting malware variants via function-call graph similarity[C]//Malicious and Unwanted Software (MALWARE), 2010 5th International Conference on. IEEE, 2010: 113-120.
[13] Graham S L, Kessler P B, McKusick M K. Gprof: A call graph execution profiler[J]. ACM SIGPLAN Notices, 1982, 17(6): 120-126.
[14] Spivey J M. Fast, accurate call graph profiling[J]. Software: Practice and Experience, 2004, 34(3): 249-264.