Security Services in Virtualized Environments       

links

 photo

Security Services in Virtualized Environments - overview


Project Goal: To build an infrastructure for providing a rich set of security services that are based on the secure foundation of virtualization infrastructure. Specifically, this project aims at ensuring safe introspection API's and based on it, integrity protection of critical resources, deployment of in-partition agents, and cross platform support.

Virtualization enables

  • On-demand, centralized security services

  • Centralization (reduced security footprint, sharing of knowledge)

  • Isolation (improve the tamper-resistance of solutions)

  • Visibility (examine virtual networks and virtual machines)

  • Scalability (grow/shrink security footprint based on load)

  • Advanced Remediation (integrate with infrastructure APIs)

  • Reduction of security sprawl across virtual infrastructures

Use case: Anti-Rootkit System based on Virtual Machine Introspection

Use case summary: A protected Security virtual machine (SVM) uses virtual machine introspection to monitor critical OS data structures in guests for changes made by rootkits and other types of malware. We develop the Anti-Rootkit System in collaboration with the IBM Zurich Research Lab.

Exemplary attack scenario:
  • Rootkit takes a hold in the guest, e.g., by exploiting a web browser vulnerability
  • Rootkit attempts to hide itself by manipulating guest kernel data structures
  • SVM security agent detects OS tampering and detects or reverts tampering using introspection
  • SVM security agent performs clean-up of rootkit

Publications:
Cloud Security Is Not (Just) Virtualization Security. Mihai Christodorescu, Reiner Sailer, Douglas Schales, Daniele Sgandurra, Diego Zamboni. The 1st ACM Cloud Computing Security Workshop. November, 2009. Paper on ACM Server.

This paper also has drawn some attention in the press:
Technology Review: Self-Policing Cloud Computing: IBM security tool searches for and destroys malicious code in the cloud. Friday, November 20, 2009. By David Talbot.