Security Services in Virtualized Environments

Project Goal: To build an infrastructure for providing a rich set of security services that rest on the secure foundation of the virtualization infrastructure. Specifically, this project aims to provide safe introspection APIs and, building on them, integrity protection of critical resources, deployment of in-partition agents, and cross-platform support.


Virtualization enables

  • On-demand, centralized security services

  • Centralization (reduced security footprint, sharing of knowledge)

  • Isolation (improve the tamper-resistance of solutions)

  • Visibility (examine virtual networks and virtual machines)

  • Scalability (grow/shrink security footprint based on load)

  • Advanced Remediation (integrate with infrastructure APIs)

  • Reduction of security sprawl across virtual infrastructures

Use case: Anti-Rootkit System based on Virtual Machine Introspection

Use case summary: A protected Security virtual machine (SVM) uses virtual machine introspection to monitor critical OS data structures in guests for changes made by rootkits and other types of malware. We develop the Anti-Rootkit System in collaboration with the IBM Zurich Research Lab.

Exemplary attack scenario:
  • Rootkit takes hold in the guest, e.g., by exploiting a web browser vulnerability
  • Rootkit attempts to hide itself by manipulating guest kernel data structures
  • SVM security agent detects the OS tampering through introspection and reverts it
  • SVM security agent performs clean-up of the rootkit
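The following is an added illustration of the SVM-side checks described above; it is example code written for this page, not the project's Anti-Rootkit System or IBM code. It models guest memory as a byte array with an assumed, constructed layout (a syscall table of 64-bit pointers at a fixed address and a circular task list of fixed-size records carrying a magic tag), and shows the three checks a security VM performs from outside the guest: comparing a critical table against a known-good baseline, a cross-view comparison of the task list walk against a signature scan of memory to reveal unlinked records, and reverting a tampered table. The `inject_test_tampering` function is a test fixture that reproduces the symptoms on this toy layout so the checks can be exercised; all addresses, sizes and the magic value are assumptions.

```python
"""Toy model of a security VM (SVM) introspecting a guest kernel from outside.

Constructed example: guest-physical memory is a bytearray.  A syscall table of
little-endian u64 pointers lives at SYSCALL_TABLE_PA, and the kernel task list
is a circular doubly linked list of 32-byte records (magic | pid | next | prev).
Every layout constant here is an assumption made for this example.
"""
import struct

PAGE = 4096
MEM_SIZE = 4 * PAGE
SYSCALL_TABLE_PA = 0x1000          # assumed guest-physical address of the table
SYSCALL_COUNT = 16
TASK_MAGIC = 0x5441534B5F524543    # constructed record tag ("TASK_REC" as a u64)
TASK_REC_SIZE = 32                 # magic | pid | next | prev   (assumed layout)
TASK_AREA_PA = 0x2000              # list head record lives here; tasks follow


def read_u64(mem, pa):
    return struct.unpack_from("<Q", mem, pa)[0]


def write_u64(mem, pa, val):
    struct.pack_into("<Q", mem, pa, val)


def build_guest_memory(pids):
    """Constructed guest memory: a syscall table and a circular task list."""
    mem = bytearray(MEM_SIZE)
    for i in range(SYSCALL_COUNT):
        write_u64(mem, SYSCALL_TABLE_PA + 8 * i, 0xFFFFFFFF81000000 + 0x100 * i)
    recs = [TASK_AREA_PA + TASK_REC_SIZE * i for i in range(len(pids) + 1)]
    for i, pa in enumerate(recs):
        write_u64(mem, pa, TASK_MAGIC)
        write_u64(mem, pa + 8, 0 if i == 0 else pids[i - 1])   # head carries pid 0
        write_u64(mem, pa + 16, recs[(i + 1) % len(recs)])      # next pointer
        write_u64(mem, pa + 24, recs[(i - 1) % len(recs)])      # prev pointer
    return mem


# ---- SVM-side checks, all performed by reading guest memory from outside ----

def snapshot_syscall_table(mem):
    """Baseline copy of the table, taken while the guest is known-good."""
    return bytes(mem[SYSCALL_TABLE_PA:SYSCALL_TABLE_PA + 8 * SYSCALL_COUNT])


def changed_syscall_entries(mem, baseline):
    """Indices whose pointer no longer matches the baseline."""
    current = snapshot_syscall_table(mem)
    return [i for i in range(SYSCALL_COUNT)
            if current[8 * i:8 * i + 8] != baseline[8 * i:8 * i + 8]]


def revert_syscall_table(mem, baseline):
    """Remediation: write the known-good table back into guest memory."""
    mem[SYSCALL_TABLE_PA:SYSCALL_TABLE_PA + len(baseline)] = baseline


def walk_task_list(mem):
    """Guest's own view: follow next pointers from the head (what 'ps' shows)."""
    pids, pa, seen = [], read_u64(mem, TASK_AREA_PA + 16), set()
    while pa != TASK_AREA_PA and pa not in seen:   # cycle guard for corrupt lists
        seen.add(pa)
        pids.append(read_u64(mem, pa + 8))
        pa = read_u64(mem, pa + 16)
    return pids


def carve_task_records(mem):
    """Hypervisor view: find every record by its signature, linked or not."""
    pids = []
    for pa in range(0, MEM_SIZE - TASK_REC_SIZE + 1, 8):
        if read_u64(mem, pa) == TASK_MAGIC and read_u64(mem, pa + 8) != 0:
            pids.append(read_u64(mem, pa + 8))
    return pids


def hidden_tasks(mem):
    """Cross-view diff: records present in memory but absent from the list."""
    return sorted(set(carve_task_records(mem)) - set(walk_task_list(mem)))


def inject_test_tampering(mem, pid):
    """Test fixture only: unlink one record and patch one table entry on the
    toy layout, so the detection and remediation paths can be exercised."""
    for pa in range(TASK_AREA_PA, MEM_SIZE, TASK_REC_SIZE):
        if read_u64(mem, pa) == TASK_MAGIC and read_u64(mem, pa + 8) == pid:
            nxt, prv = read_u64(mem, pa + 16), read_u64(mem, pa + 24)
            write_u64(mem, prv + 16, nxt)
            write_u64(mem, nxt + 24, prv)
            break
    write_u64(mem, SYSCALL_TABLE_PA + 8 * 3, 0xDEADBEEF00000000)


if __name__ == "__main__":
    mem = build_guest_memory([1, 42, 77, 1337])
    baseline = snapshot_syscall_table(mem)
    inject_test_tampering(mem, 1337)
    print("patched syscall entries:", changed_syscall_entries(mem, baseline))
    print("hidden tasks:", hidden_tasks(mem))
    revert_syscall_table(mem, baseline)
    print("after revert:", changed_syscall_entries(mem, baseline))
```

Two design points carry over to real deployments: the baseline must be captured while the guest is trusted (for example at boot, before any untrusted code runs), and the cross-view check works because an unlinked record still occupies memory, so the hypervisor-side scan sees what the guest's own list walk no longer does. Reverting a table from outside the guest is only safe for structures whose legitimate state is static; anything that changes at runtime needs a policy rather than a byte-for-byte restore.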

Last updated 25 Feb 2009


Research labs involved