Protecting Files Hosted on Virtual Machines With Out-of-Guest Access Control
Technical Report,03 Apr 2017,15 Dec 2017
Naval Postgraduate School Monterey United States
Pagination or Media Count:
When an operating system OS runs on a virtual machine VM, a hypervisor, the software that facilitates virtualization of computer hardware, provides a service called introspection, which is used for monitoring the internal state of the VM. However, a VM still shares all of the vulnerabilities of its resident OS and software. At some point in time, it will likely be the victim of a successful exploitation. In this research, we develop a security solution, leveraging introspection and enforcement of a separate shadow access control list SACL in the hypervisor to protect critical user files hosted on a VM against a range of zero-day attacks. The main security features of our solution include 1 zero-footprint in the guest VM by maintaining an out-of-guest SACL and other required security information in the hypervisor 2 protection of critical user files from unauthorized access even if an attacker has managed to obtain root privileges on the VM 3 application white listing to thwart malware execution and 4 kernel protection by denying both kernel reboot and runtime addition of kernel modules. We conclude that our solution can successfully protect user files against unauthorized access. The observed performance overhead, although significant, remains within usable levels and is mainly attributed to the context switch between the hypervisor and the VM.
- Computer Systems Management and Standards