Title A Dynamic Analysis with Static Source Code Instrumentation for the Guest Monitoring Problem in Virtualization Environments / Ady Wahyudi Paundu
Author Ady Wahyudi Paundu
Publication Graduate School of Information Science Nara Institute of Science and Technology : Graduate School of Information Science Nara Institute of Science and Technology, 2019
Subject virtualization technology, cloud security, hypervisor operation, machine learning, program analysis, virtual machine monitoring
Abstract Even though the cloud technology shows the trend of rapid development and decreasing cost, it still has not been fully embraced by organizations and industries around the world. This reluctance mostly stems from the cloud system security issues. One of the main potential attack vectors in a cloud system is the guest Virtual Machine (VM). Therefore, it is necessary to provide a system to monitor the guest VM operations. In the public cloud model, there are several operational requirements for the monitoring program. First, the monitoring system must work separately outside of the guest VM. Separating the monitoring process and the monitored system can deny any malicious processes in the monitored system from compromising the monitoring agent. However, this separation requirement could lead to the semantic gap problem. A good monitoring system is expected to choose the observation data that preserve the semantic information as much as it can. Second, the monitoring system must be able to work without any cooperation from the guest VM. The guest VM should not even realize the existence of the monitoring program. Therefore, for the third requirement, the monitoring program should be, in terms of computation resource usage, as efficient as possible. In this thesis, we investigate a guest VM monitoring method that can work independently outside the monitored guest VM, without losing much of the semantic information and without high computation cost for either the host or the guest VM. We propose a method that embeds multiple tracepoints inside the source code of the hypervisor (Static Instrumentation). During the hypervisor operation, we collect the tracepoint execution data to dynamically monitor the operational flow of a guest VM (Dynamic Source Code Analysis).
Since the instrumentation was carried out within the underlying process of the guest VM instances, we believe that the dynamic pattern of the tracepoint sequences can indirectly describe the operations of the VM. We first applied this dynamic source code analysis with a static instrumentation method to the user space of the Qemu-KVM hypervisor. We captured the tracepoints from the Qemu operation and used them for an Anomaly Detection System. We emulated a web server VM and multiple attack scenarios, such as DDoS for network-based attack and Flush-Reload attack for virtualization-based attack. We factored in the mimicry attack scenario. We compared several machine learning algorithms for the monitoring data analysis process. Finally, we compared our detection result with system-call data analysis. Our evaluation showed that monitoring a guest VM using dynamic source code analysis with the static instrumentation method gave better detection results compared to the system-call data, with minimum computation cost. However, we had subpar results when trying to detect malicious activities that work upon the host CPU. That is because, on the Qemu-KVM combination, CPU operations are performed natively through the KVM kernel module. We investigated this dynamic source code analysis with the static instrumentation method further at the kernel layer by instrumenting the KVM module. We used this method to implement a signature-based intrusion detection system and tried to detect multiple variants of Cache-based Side-Channel Attack (CSCA), including a new stealthier variant called the Flush+Flush attack. In our evaluation phase, we showed that our proposed approach is the first successful attempt to detect this Flush+Flush attack in the virtualization environment.
Language Not available
Form of work Non-fiction or not defined
Target audience Unknown / not specified

No. Barcode Call No. Access Location Availability
Tag Ind1 Ind2 Content
001 INLIS000000000055662
005 20200214082959
007 ta
008 200214###########################0######
035 # # $a 0010-0220000336
100 0 # $a Ady Wahyudi Paundu
245 1 # $a A Dynamic Analysis with Static Source Code Instrumentation for the Guest Monitoring Problem in Virtualization Environments /$c Ady Wahyudi Paundu
260 # # $a Graduate School of Information Science Nara Institute of Science and Technology :$b Graduate School of Information Science Nara Institute of Science and Technology,$c 2019
520 # # $a Even though the cloud technology shows the trend of rapid development and decreasing cost, it still has not been fully embraced by organizations and industries around the world. This reluctance mostly stems from the cloud system security issues. One of the main potential attack vectors in a cloud system is the guest Virtual Machine (VM). Therefore, it is necessary to provide a system to monitor the guest VM operations. In the public cloud model, there are several operational requirements for the monitoring program. First, the monitoring system must work separately outside of the guest VM. Separating the monitoring process and the monitored system can deny any malicious processes in the monitored system from compromising the monitoring agent. However, this separation requirement could lead to the semantic gap problem. A good monitoring system is expected to choose the observation data that preserve the semantic information as much as it can. Second, the monitoring system must be able to work without any cooperation from the guest VM. The guest VM should not even realize the existence of the monitoring program. Therefore, for the third requirement, the monitoring program should be, in terms of computation resource usage, as efficient as possible. In this thesis, we investigate a guest VM monitoring method that can work independently outside the monitored guest VM, without losing much of the semantic information and without high computation cost for either the host or the guest VM. We propose a method that embeds multiple tracepoints inside the source code of the hypervisor (Static Instrumentation). During the hypervisor operation, we collect the tracepoint execution data to dynamically monitor the operational flow of a guest VM (Dynamic Source Code Analysis).
Since the instrumentation was carried out within the underlying process of the guest VM instances, we believe that the dynamic pattern of the tracepoint sequences can indirectly describe the operations of the VM. We first applied this dynamic source code analysis with a static instrumentation method to the user space of the Qemu-KVM hypervisor. We captured the tracepoints from the Qemu operation and used them for an Anomaly Detection System. We emulated a web server VM and multiple attack scenarios, such as DDoS for network-based attack and Flush-Reload attack for virtualization-based attack. We factored in the mimicry attack scenario. We compared several machine learning algorithms for the monitoring data analysis process. Finally, we compared our detection result with system-call data analysis. Our evaluation showed that monitoring a guest VM using dynamic source code analysis with the static instrumentation method gave better detection results compared to the system-call data, with minimum computation cost. However, we had subpar results when trying to detect malicious activities that work upon the host CPU. That is because, on the Qemu-KVM combination, CPU operations are performed natively through the KVM kernel module. We investigated this dynamic source code analysis with the static instrumentation method further at the kernel layer by instrumenting the KVM module. We used this method to implement a signature-based intrusion detection system and tried to detect multiple variants of Cache-based Side-Channel Attack (CSCA), including a new stealthier variant called the Flush+Flush attack. In our evaluation phase, we showed that our proposed approach is the first successful attempt to detect this Flush+Flush attack in the virtualization environment.
650 # # $a virtualization technology, cloud security, hypervisor operation, machine learning, program analysis, virtual machine monitoring
No. File Name Flash Format File Format Action
1 Ady Wahyudi Paundu.pdf pdf Read Online