Protecting Files Hosted on Virtual Machines With Out-of-Guest Access Control

Abstract

When an operating system (OS) runs on a virtual machine (VM), the hypervisor, the software that virtualizes the computer hardware, provides a service called introspection, which is used to monitor the internal state of the VM. However, a VM still shares all of the vulnerabilities of its resident OS and software, and at some point it will likely be the victim of a successful exploitation. In this research, we develop a security solution that leverages introspection and the enforcement of a separate shadow access control list (SACL) in the hypervisor to protect critical user files hosted on a VM against a range of zero-day attacks. The main security features of our solution include 1) zero footprint in the guest VM, achieved by maintaining an out-of-guest SACL and other required security information in the hypervisor; 2) protection of critical user files from unauthorized access even if an attacker has managed to obtain root privileges on the VM; 3) application whitelisting to thwart malware execution; and 4) kernel protection by denying both kernel reboot and runtime addition of kernel modules. We conclude that our solution can successfully protect user files against unauthorized access. The observed performance overhead, although significant, remains within usable levels and is mainly attributed to the context switch between the hypervisor and the VM.

Document Details

Document Type
Technical Report
Publication Date
Dec 01, 2017
Accession Number
AD1053395

Entities

People

  • Alexis Peppas

Organizations

  • Naval Postgraduate School

Tags

Communities of Interest

  • Cyber
  • Materials and Manufacturing Processes

DTIC Thesaurus Topics

  • Central Processing Units
  • Computer Access Control
  • Computer Network Security
  • Computer Program Documentation
  • Computer Programming
  • Computer Programs
  • Computers
  • Cybersecurity
  • Detection
  • Intrusion Detection
  • Intrusion Detection Systems
  • Intrusion Detectors
  • Kernels (Operating System)
  • Operating Systems
  • Performance Tests
  • Security
  • Virtual Machines

Fields of Study

  • Computer science

Readers

  • Cybersecurity
  • Parallel and Distributed Computing

Technology Areas

  • Cyber