Title:
Cloud-Ready Hypervisor-Based Security.
Author:
Bushouse, M. J.
Keywords:
Best practices, Computer network security, Kernels (operating system), Virtual machines, Computer program documentation, Computer program reliability, Intrusion detection, Software development, Debugging, Web browsers, Computer programs, Cybersecurity, Operating systems, Cloud computing, Hypervisor based security, Virtual machine introspection
Abstract:
Improving host security through virtualization has led to many novel out-of-guest Hypervisor-Based Security (HBS) systems. Unlike traditional operating-system-based security mechanisms, HBS systems are isolated from the guest operating system and operate at a higher privilege level, making it difficult for in-guest malicious code to disable or even detect an HBS system. However, although HBS systems have been an active area of research for fifteen years, they have not yet been adopted as a routine security practice in production systems. In this dissertation, we investigate several HBS shortfalls and propose solutions for scaling limitations, development and integration challenges, and the lack of a safe cloud framework. We begin by introducing two scalable, low-overhead HBS systems. First, Goalkeeper enforces guest process-level security policies and scales across tens to hundreds of guests per hypervisor by focusing on asynchronous, stateless, and lightweight Virtual Machine Introspection (VMI) techniques. Goalkeeper minimizes overhead by limiting inspections to recently-changed guest processes. Second, we discuss Arav, an HBS system that leverages a new VMI-based security monitoring design in lieu of in-guest agents. Arav inexpensively monitors guests unsuitable for traditional security monitoring. Next, we address HBS development and integration by presenting a methodology to re-engineer existing security agents into hyperagents: hypervisor-based agents that gain the benefits of HBS while retaining their original in-guest capabilities. Hyperagents integrate easily with established security operations because they inherit the years of practitioner experience and best practices embodied in the original agent. When agents are consolidated from multiple adjacent guests and centralized on the hypervisor, their hyperagent form is more resource-efficient than its predecessor and allows for new agent features.
Report type:
Technical report