TY - JOUR
T1 - Checking virtual machine kernel control-flow integrity using a page-level dynamic tracing approach
AU - Zhan, Dongyang
AU - Ye, Lin
AU - Fang, Binxing
AU - Zhang, Hongli
AU - Du, Xiaojiang
N1 - Publisher Copyright:
© 2017, Springer-Verlag GmbH Germany.
PY - 2018/12/1
Y1 - 2018/12/1
N2 - Kernel control-flow integrity (CFI) of virtual machines is very important to cloud security. VMI-based dynamic tracing and analysis methods are promising options for checking kernel CFI in the cloud. However, tracing-based CFI monitors always work at the instruction or branch level and cause serious virtual machine performance degradation. To meet the performance requirements of the cloud, we present a page-level dynamic VMI-based kernel CFI checking solution. We trace VM kernel execution at the page level, which means that in-page instruction execution cannot trigger our monitor. As a result, the tracing overhead can be greatly reduced. Based on page-level execution information, we propose two policies to describe the kernel control flow and use them to build a secure kernel control-flow database in the learning stage. In the monitoring stage, we compare runtime execution information with the secure database to check kernel CFI. To further reduce the monitoring overhead, we propose two performance optimization strategies. We implement the prototype on Xen and leverage hardware events to trace VM memory page execution. We then evaluate the effectiveness and performance of the prototype. The experimental results show that our system has sufficient detection capability and that the overhead is acceptable.
AB - Kernel control-flow integrity (CFI) of virtual machines is very important to cloud security. VMI-based dynamic tracing and analysis methods are promising options for checking kernel CFI in the cloud. However, tracing-based CFI monitors always work at the instruction or branch level and cause serious virtual machine performance degradation. To meet the performance requirements of the cloud, we present a page-level dynamic VMI-based kernel CFI checking solution. We trace VM kernel execution at the page level, which means that in-page instruction execution cannot trigger our monitor. As a result, the tracing overhead can be greatly reduced. Based on page-level execution information, we propose two policies to describe the kernel control flow and use them to build a secure kernel control-flow database in the learning stage. In the monitoring stage, we compare runtime execution information with the secure database to check kernel CFI. To further reduce the monitoring overhead, we propose two performance optimization strategies. We implement the prototype on Xen and leverage hardware events to trace VM memory page execution. We then evaluate the effectiveness and performance of the prototype. The experimental results show that our system has sufficient detection capability and that the overhead is acceptable.
KW - Cloud computing
KW - Kernel control-flow integrity
KW - Page-level tracing
KW - VMI
UR - http://www.scopus.com/inward/record.url?scp=85026535980&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85026535980&partnerID=8YFLogxK
U2 - 10.1007/s00500-017-2745-x
DO - 10.1007/s00500-017-2745-x
M3 - Article
AN - SCOPUS:85026535980
SN - 1432-7643
VL - 22
SP - 7977
EP - 7987
JO - Soft Computing
JF - Soft Computing
IS - 23
ER -