详情

原文传递 Protecting Files Hosted on Virtual Machines With Out-of-Guest Access Control.

题名：	Protecting Files Hosted on Virtual Machines With Out-of-Guest Access Control.
作者：	Peppas, A.
关键词：	Virtualization, Virtual machines, Operating systems, Computer programs, Vulnerability, Computer access control, Computer security, Hypervisors, Kernels (operating system), File protection, Out-of-guest control, Virtual machines, Application white-list, Virtual machine introspection
摘要：	When an operating system (OS) runs on a virtual machine (VM), a hypervisor, the software that facilitates virtualization of computer hardware, provides a service called introspection, which is used for monitoring the internal state of the VM. However, a VM still shares all of the vulnerabilities of its resident OS and software. At some point in time, it will likely be the victim of a successful exploitation. In this research, we develop a security solution, leveraging introspection and enforcement of a separate shadow access control list (SACL) in the hypervisor to protect critical user files hosted on a VM against a range of zero-day attacks. The main security features of our solution include 1) zero-footprint in the guest VM by maintaining an out-of-guest SACL and other required security information in the hypervisor; 2) protection of critical user files from unauthorized access even if an attacker has managed to obtain root privileges on the VM; 3) application white listing to thwart malware execution; and 4) kernel protection by denying both kernel reboot and runtime addition of kernel modules. We conclude that our solution can successfully protect user files against unauthorized access. The observed performance overhead, although significant, remains within usable levels and is mainly attributed to the context switch between the hypervisor and the VM.
报告类型：	科技报告