Cory Hayes
CSE 60641
Annotated Bibliography
September 20, 2011
Intended Project: Detecting Virtual Machines via In-Band Mechanisms
[1] (Journal Paper) Laureano M., Maziero C., Jamhour E. (2004) Intrusion Detection in
Virtual Machine Environments. Euromicro Conference, 2004. Proceedings 30th, pp.
520-525.
This paper describes the use of virtual machines in an attempt to improve the
security of the host system for attacks over networks. The authors achieve this by
observing process actions using an intrusion detection system from the virtual
machine monitor. This paper could be useful because it discusses ways to interact
with the guest system and sniff out potentially dangerous processes, so this analysis
could probably be applied to determining the sources of calls over the network.
[2] (Journal Paper) Sundararaj A., Dinda P. (2004) Towards Virtual Networks for
Virtual Machine Grid Computing. VM’04 Proceedings of the 3rd Conference on
Virtual Machine Research and Technology Symposium, Vol 3.
In this paper, the authors discuss the development of a network tool that connects a
virtual machine to the user’s home network and they test the performance using
WAN and LAN. By allowing the machines to dynamically change routing protocols,
they combine to form a virtual network that can change to meet traffic loads. The
usefulness of this paper is not entirely certain, but its focus on combining virtual
machines with a computer network could be useful.
[3] (Unrefereed Paper) Jayaram M., Cytron R. (1995) Efficient Demultiplexing of
Network Packets by Automatic Parsing. University of Arizona.
The authors of this paper focused on packet filter specifications. These
specifications are approached as language recognition problems with grammar
rules corresponding to packets that should pass through a filter. This paper
acknowledges existing parsing methods and attempts to reduce the overhead. The
filtering mentioned in this paper could be useful when determining whether the
source of a packet over a network comes from a physical or virtual machine.
[4] (Journal Paper) Chen P., Noble B. (2001) When Virtual is Better than Real.
HOTOS ’01 Proceedings of the Eighth Workshop on Hot Topics in Operating Systems.
This paper focuses on three services that take advantage of using a virtual machine
over a physical one. These services are secure logging, intrusion prevention and
detection, and environment migration. The basic reasoning behind this is that since
the virtual machine exists in a layer of software, these services can be modified and
maintained more easily than doing so in the hardware layer. Aside from the
intrusion detection mentioned by other papers, this paper also mentions the system
keeping track of events, which could be applicable for determining properties of a
remote source.
[5] (Magazine Article) Clark D., Jacobson V., Romkey J., Salwen H. (1989) An Analysis
of TCP Processing Overhead. IEEE Communications Magazine.
The point of this paper is to locate the source of the overhead associated with the
TCP/IP transport protocol. This is analyzed using both input and output processing
as well as header prediction. The authors found that a lot of the overhead was a
result of processing control parameters. This paper is useful because it discusses the
overhead associated with TCP and will be helpful in making sure that whatever
system we implement in this project will not have an unreasonable amount of
overhead since it will inherently make use of IP.
[6] (Journal Paper) Bellovin S. (1989) Security Problems in the TCP/IP Protocol
Suite. ACM SIGCOMM Computer Communication Review, Vol 19 Issue 2.
This paper points out the security flaws of TCP and the attacks that target these
flaws. The authors also provide countermeasures for each of the attacks. The usefulness
of this paper is not entirely clear, but it would not hurt to know the weaknesses of
the protocol that will most likely be used in this project.
[7] (Journal Paper) Travostino F. et al. (2006) Seamless Live Migration of Virtual
Machines over the MAN/WAN. Future Generation Computer Systems – Igrid 2005:
The Global Lambda Integrated Facility, Vol. 22 Issue 8.
Virtual machines are taken to the next level in this paper, where instead of existing
on a single machine, computations are moved over local area and wide area
networks with minimal lag and overhead. Their approach uses a “VM Turntable” to
demonstrate the ability to migrate virtual machines in a manner transparent to
applications and users. The methods used to minimize overhead with virtual
machines over networks could be applicable to this project.
[8] (Journal Paper) Haldar V., Chandra D., Franz M. (2004) Semantic Remote
Attestation – A Virtual Machine Directed Approach to Trusted Computing. VM’04
Proceedings of the 3rd Conference on Virtual Machine Research and Technology
Symposium, Vol. 3.
Remote attestation allows outside parties to detect changes on a host machine. The
authors of this paper propose semantic remote attestation, where they use
language-based virtual machines to employ remote attestation. In this paper they
implement a prototype for this framework and evaluate applications on a peer-to-peer
and distributed network. The actual attestation mentioned may not be of much use, but
the discussion and analysis of virtual machines communicating with remote hosts
could be helpful.
[9] (Journal Paper) Whitaker A., Shaw M., Gribble S. (2002) Denali: Lightweight
Virtual Machines for Distributed and Networked Applications. In Proceedings of the
USENIX Annual Technical Conference.
Denali is a virtual machine monitor designed to execute numerous server
applications on a single machine. Denali is special in that it uses paravirtualization,
in which the virtual architecture is modified. Once again, the usefulness of this paper
is not clear, but the paper goes very in-depth in topics regarding control flow and
TCP/IP performance.
[10] (Journal Paper) Garfinkel T., Rosenblum M. (2003) A Virtual Machine
Introspection Based Architecture for Intrusion Detection. In Proc. Network and
Distributed Systems Security Symposium.
This paper focuses on using virtual machines during intrusion detection processes
on the host machine. Also mentioned in this paper are the weaknesses of this
approach. The authors evaluated a system they built and claim it to be
practical and feasible. This paper could be useful because it discusses inspecting
a virtual machine from the outside, which could be applied to this project since we
are attempting to inspect behavior on a virtual machine on a remote host.
[11] (Journal Article) Ansari S., Rajeev S., Chandrashekar H. (2003) Packet Sniffing:
A Brief Introduction. IEEE Potentials, Vol. 21 Issue 5, pp. 17-19.
This short paper gives a quick primer on packet sniffing, which is the method of
inspecting data as it flows across a network. The authors provide a walkthrough for
making a Linux packet sniffer and also address the weaknesses of packet sniffing. This
paper will be useful since we will have to inspect the packets over the network in
this project and we may have to develop a tool to intercept the packets.
[12] (Journal Article) Clark D. (1988) The Design Philosophy of the DARPA Internet
Protocols. SIGCOMM ’88 Symposium Proceedings on Communications Architectures
and Protocols.
This paper explains the reasoning that led to the design of internet protocols. The
paper discusses the primary and secondary goals of the protocols, scalability, types
of services, variety of networks, and architecture. Having a better understanding of
internet protocols and why they were designed that way is something necessary for
this project, so this paper will probably be a big contributor to this project.
[13] (Journal Article) Sockut G. (1975) Firmware/Hardware Support for Operating
Systems: Principles and Selected History. ACM SIGMICRO Newsletter, Vol. 6 Issue 4.
This paper is a survey of firmware and hardware support for operating systems. The
survey is performed on the areas of current and past research in both virtual and
non-virtual machines. This is a dated paper that will most likely be referenced only
in the introduction section of the project report.
[14] (Journal Paper) King S., Dunlap G., Chen P. (2003) Operating System Support
for Virtual Machines. ATEC ’03 Proceedings of the USENIX Annual Technical
Conference.
This paper is mostly an introduction to virtual machines and virtual machine
monitors. The authors of this paper focus on Type II virtual machines and reducing
the associated overhead. The paper could be useful since it discusses reducing
overhead, but it will most likely just be used as a reference in the introduction or
background section of the project report.
[15] (Journal Paper) King S., Chen P. (2006) SubVirt: Implementing Malware with
Virtual Machines. IEEE Symposium on Security and Privacy, pp. 327.
A virtual machine based rootkit (VMBR) is a type of malware that gains control over
a system by installing a virtual machine monitor on the system and then placing the
host operating system into the virtual machine. The authors of the paper implement
two VMBRs and attack Windows XP and Linux systems, then conclude the paper by
discussing ways to defend against these attacks. Also mentioned in this paper are
ways to detect and prevent VMBRs in the first place. This paper is useful because it
acknowledges how hard it is to detect these rootkits and defend against them, so it
could be directly applicable to this project, where we are trying to detect whether the
source of a connection over a network comes from a virtual machine.
[16] (Journal Paper) Schmidt A., Campbell R. (1993) Internet Protocol Traffic
Analysis with Applications for ATM Switch Design. ACM SIGCOMM Computer
Communications Review, Vol. 23 Issue 2.
The motivation behind this paper is that knowing data traffic behavior is important
in the design of virtual circuit packet switches. The authors of this paper focus on
the behavior of wide and local area networks. Some effects of data traffic include
determining buffer allocation, designing the adaptation layer, and congestion
control. This paper could be useful because we may need to analyze data traffic
behavior to determine the source of packets over a network by seeing if they differ
when using a physical machine and a virtual machine.
[17] (Journal Paper) Kourai K., Chiba S. (2005) HyperSpector: Virtual Distributed
Monitoring Environments for Secure Intrusion Detection. Proceedings of the 1st
ACM/USENIX International Conference on Virtual Execution Environments.
HyperSpector is a virtual monitoring environment that has secure intrusion
detection over distributed systems. HyperSpector is able to prevent attacks by
isolating detection systems in a manner similar to how a local virtual machine
monitor is able to isolate its detection systems from its physical machine. This paper
also includes methods of evaluating overhead and integrity of the file systems. The
research topic of this paper may not be directly useful, but the methods used to
monitor and decipher incoming data to determine whether a threat exists could
be useful.
[18] (Journal Paper) Popek G., Goldberg R. (1973) Formal Requirements for
Virtualizable Third Generation Architectures. SOSP ’73 Proceedings of the 4th ACM
Symposium on Operating System Principles.
This paper is a primer on virtual machines. Operating system concepts such as traps,
privileged instructions, and virtual machine monitors are also discussed. The
machines in focus are “third generation” models like the IBM 360, Honeywell 6000,
and DEC PDP-10. As a dated paper from the 1970s, this will most likely be used as a
reference for the introduction or background for the project report.
[19] (Unrefereed Paper) Liston T., Skoudis E. (2006) On the Cutting Edge: Thwarting
Virtual Machine Detection.
This is a presentation discussing malicious attackers trying to determine the
presence of a virtual machine across a network. Virtual machines are useful in
preventing typical attacks on physical systems by monitoring potential threats, so
the goal of the attacker is to determine if a virtual machine is being used and try to
remain hidden. The paper discusses detection on both a local and remote system.
This presentation is directly related to the research topic and the tips and guidelines
provided should be very helpful.
[20] (Journal Paper) Garfinkel T., Rosenblum M. (2005) When Virtual is Harder than
Real: Security Challenges in Virtual Machine Based Computing Environments. HOTOS
’05 Proceedings of the 10th Conference on Hot Topics in Operating Systems, Vol. 10.
This paper focuses on the security problems facing virtual machines. Virtual
machines have been thought to be more advantageous than physical machines, as
mentioned in other papers in the bibliography, but the authors state that this is not
true since it could lead to unpredictable interactions with security mechanisms on
the physical machine. This paper provides no experimental results and only
discusses various problems, but it is useful to get a better understanding of the
system that will be implemented in the project.
[21] (Journal Paper) Mallach E. (1973) On the Relationship Between Virtual
Machines and Emulators. Proceedings of the Workshop on Virtual Computer
Systems.
This is an early virtualization paper discussing the similarities of virtual machines
and emulators. While emulators operate under software packages, virtual
machines operate under virtual machine monitors. The main point of the paper is to
show that it is possible to combine virtual machines and emulators in one system
but other than that, they are essentially the same. This paper will probably be most
useful as a reference for the introduction of the project report.
[22] (Journal Paper) Gueron, S., Seifert J.P. (2009) On the Impossibility of Detecting
Virtual Machine Monitors. In Proceedings of SEC’09, Vol. 297, pp. 143-151.
According to this paper, it is not possible to determine if a program is running in a
virtualized environment under a classical virtual machine model. This paper is
basically a sequence of theorems and proofs, but the authors of this paper
acknowledge that virtual machines in use are not perfect and that there exist
vulnerabilities that lead to information leaks. This probably means that it is possible
to determine if a program is running in a virtualized environment as long as these
systems remain imperfect and exploitable.
[23] (Journal Paper) Jones S., Arpaci-Dusseau A., Arpaci-Dusseau R. (2006)
Antfarm: Tracking Processes in a Virtual Machine Environment. USENIX 2006
Annual Technical Conference Technical Program.
This paper discusses bridging the gap between the VMM layer and the native OS
layer by allowing the VMM to track the activities of operating system processes. The
implementation of the technique they use is called Antfarm. The authors were able
to use Antfarm in two virtualization environments and two operating systems
and achieved promising results with very little overhead. Even though this article
goes in the reverse direction of our intended experiment, it is possible that some of
the techniques used could be applicable to the project.
[24] (Journal Paper) Santos J., Turner Y. (2008) Bridging the Gap between Software
and Hardware Techniques for I/O Virtualization. ATC’08 USENIX 2008 Annual
Technical Conference.
This paper explores the paravirtualization model that is popularly known for its use
in Xen. One of the drawbacks though is that device driver isolation and other
virtualization features come at the price of high overhead. So the authors propose a
Direct I/O method that leads to a 56% reduction in cost for network interface
controllers. The research results in this paper may not be useful for the intended
project but it may be a good idea to have a relatively solid background in
paravirtualization just in case.
[25] (Journal Paper) Paleari R., Martignoni L., Bruschi D. (2009) A Fistful of
Red-Pills: How to Automatically Generate Procedures to Detect CPU Emulators.
WOOT’09 Proceedings of the 3rd USENIX Conference on Offensive Technologies.
Malware faces a problem when dealing with virtual environments since they can be
analyzed in a system away from the target machine using the inherent isolation
feature of virtual machine monitors. In order for malware to maintain its existence,
it makes a series of checks to determine whether it is in a virtual environment and
modifies its behavior accordingly. The authors refer to these tests and checks as
red-pills and implement a method that allows a program to automatically determine
whether it is in a physical or virtual environment. The environments used for testing
are the QEMU and BOCHS CPU emulators, and the authors were successfully able to
discover red-pills for detecting the emulators. This paper will probably be one of the
more useful ones for this project since it directly addresses the main problem.