ACM Portal
  Subscribe (Full Service)    Register (Limited Service, Free)    Login
  Search:   The ACM Digital Library   The Guide
  
ACM Home Page
Please provide us with feedback. Feedback
Efficiently tracking application interactions using lightweight virtualization
Full text PdfPdf (399 KB)
Source
Conference on Computer and Communications Security archive
Proceedings of the 1st ACM workshop on Virtual machine security table of contents
Alexandria, Virginia, USA
SESSION: Portability & recovery table of contents
Pages 19-28  
Year of Publication: 2008
ISBN:978-1-60558-298-6
Authors
Yih Huang  George Mason University, Fairfax, VA, USA
Angelos Stavrou  George Mason University, Fairfax, VA, USA
Anup K. Ghosh  George Mason University, Fairfax, VA, USA
Sushil Jajodia  George Mason University, Fairfax, VA, USA
Sponsors
SIGSAC: ACM Special Interest Group on Security, Audit, and Control
ACM: Association for Computing Machinery
Publisher
ACM  New York, NY, USA
Bibliometrics
Downloads (6 Weeks): 19,   Downloads (12 Months): 158,   Citation Count: 0
Additional Information:

abstract   references   index terms   collaborative colleagues  

Tools and Actions: Request Permissions Request Permissions    Review this Article  
DOI Bookmark: Use this link to bookmark this Article: http://doi.acm.org/10.1145/1456482.1456486
What is a DOI?

ABSTRACT

In this paper, we propose a general-purpose framework that harnesses the power of lightweight virtualization to track applications interactions in a scalable an efficient manner. Our goal is to use our framework for application auditing, intrusion detection, analysis, and system recovery from both malicious attacks and programmatic faults. In our framework, we construct each virtualized environment (VE) in a novel way that limits the scope and type of application events that need to be monitored.

Our approach maintains the VE and system integrity, having as primarily focused on the interactions among VEs and system resources including the file system, memory, and network. Only events that are pertinent to the integrity of an application and its interactions with the operating system are recorded. We attempt to minimize the system overhead both in terms of system events we have to store and the resources required. Even though we cannot provide application replay, we keep enough information for a wide range of other uses including system recovery and information tracking among others. As a proof of concept, we have implemented a prototype based on OpenVZ[35], a lightweight virtualization tool. Our preliminary results show that, compared to state-of-the-art event recording systems, we can reduce the amount of event recorded per application by almost an order of magnitude.


REFERENCES

Note: OCR errors may be found in this Reference List extracted from the full text article. ACM has opted to expose the complete List rather than only correct and linked references.

1
Stephen T. Jones , Andrea C. Arpaci-Dusseau , Remzi H. Arpaci-Dusseau, VMM-based hidden process detection and identification using Lycosid, Proceedings of the fourth ACM SIGPLAN/SIGOPS international conference on Virtual execution environments, March 05-07, 2008, Seattle, WA, USA  [doi>10.1145/1346256.1346269]
2
Xuxian Jiang , Xinyuan Wang , Dongyan Xu, Stealthy malware detection through vmm-based "out-of-the-box" semantic view reconstruction, Proceedings of the 14th ACM conference on Computer and communications security, October 28-31, 2007, Alexandria, Virginia, USA  [doi>10.1145/1315245.1315262]
 
3
Reiner Sailer , Trent Jaeger , Enriquillo Valdez , Ramon Caceres , Ronald Perez , Stefan Berger , John Linwood Griffin , Leendert van Doorn, Building a MAC-Based Security Architecture for the Xen Open-Source Hypervisor, Proceedings of the 21st Annual Computer Security Applications Conference, p.276-285, December 05-09, 2005  [doi>10.1109/CSAC.2005.13]
 
4
T. Garfinkel and M. Rosenblum. A virtual machine introspection based architecture for intrusion detection. In Network and Distributed System Security Symposium (NDSS), San Diego, CA, Feb. 2003.
5
George W. Dunlap , Samuel T. King , Sukru Cinar , Murtaza A. Basrai , Peter M. Chen, ReVirt: enabling intrusion analysis through virtual-machine logging and replay, ACM SIGOPS Operating Systems Review, v.36 n.SI, Winter 2002  [doi>10.1145/844128.844148]
6
Samuel T. King , Peter M. Chen, Backtracking intrusions, ACM Transactions on Computer Systems (TOCS), v.23 n.1, p.51-76, February 2005  [doi>10.1145/1047915.1047918]
 
7
Payne, B.D.; de Carbone, M.D.P.; Wenke Lee, "Secure and Flexible Monitoring of Virtual Machines," Annual Computer Security Applications Conference (ACSAC), 2007. pp.385--397, Dec. 2007.
 
8
Stephen T. Jones , Andrea C. Arpaci-Dusseau , Remzi H. Arpaci-Dusseau, Antfarm: tracking processes in a virtual machine environment, Proceedings of the annual conference on USENIX '06 Annual Technical Conference, p.1-1, May 30-June 03, 2006, Boston, MA
9
Tal Garfinkel , Ben Pfaff , Jim Chow , Mendel Rosenblum , Dan Boneh, Terra: a virtual machine-based platform for trusted computing, Proceedings of the nineteenth ACM symposium on Operating systems principles, October 19-22, 2003, Bolton Landing, NY, USA
 
10
Samuel T. King , George W. Dunlap , Peter M. Chen, Debugging operating systems with time-traveling virtual machines, Proceedings of the annual conference on USENIX Annual Technical Conference, p.1-1, April 10-15, 2005, Anaheim, CA
11
Oren Laadan , Ricardo A. Baratto , Dan B. Phung , Shaya Potter , Jason Nieh, DejaView: a personal virtual computer recorder, Proceedings of twenty-first ACM SIGOPS symposium on Operating systems principles, October 14-17, 2007, Stevenson, Washington, USA
 
12
X. Jiang and X. Wang. "Out-of-the-box monitoring of VM-based high-interaction honeypots," In 10th International Symposium on Recent Advances in Intrusion Detection (RAID), Surfers Paradise, Australia, Sept. 2007.
 
13
Xuxian Jiang , Dongyan Xu, Collapsar: a VM-based architecture for network attack detention center, Proceedings of the 13th conference on USENIX Security Symposium, p.2-2, August 09-13, 2004, San Diego, CA
14
Michael Vrable , Justin Ma , Jay Chen , David Moore , Erik Vandekieft , Alex C. Snoeren , Geoffrey M. Voelker , Stefan Savage, Scalability, fidelity, and containment in the potemkin virtual honeyfarm, ACM SIGOPS Operating Systems Review, v.39 n.5, December 2005
15
Kurniadi Asrigo , Lionel Litty , David Lie, Using VMM-based sensors to monitor honeypots, Proceedings of the 2nd international conference on Virtual execution environments, June 14-16, 2006, Ottawa, Ontario, Canada  [doi>10.1145/1134760.1134765]
 
16
Alexander Moshchuk , Tanya Bragin , Damien Deville , Steven D. Gribble , Henry M. Levy, SpyProxy: execution-based detection of malicious web content, Proceedings of 16th USENIX Security Symposium on USENIX Security Symposium, p.1-16, August 06-10, 2007, Boston, MA
 
17
Stephanie Forrest , Steven A. Hofmeyr , Anil Somayaji , Thomas A. Longstaff, A Sense of Self for Unix Processes, Proceedings of the 1996 IEEE Symposium on Security and Privacy, p.120, May 06-08, 1996
 
18
Steven A. Hofmeyr , Stephanie Forrest , Anil Somayaji, Intrusion detection using sequences of system calls, Journal of Computer Security, v.6 n.3, p.151-180, August 1998
 
19
D. Mutz,W. Robertson, G. Vigna, and R. Kemmerer. "Exploiting execution context for the detection of anomalous system calls," In 10th International Symposium on Recent Advances in Intrusion Detection (RAID), Surfers Paradise, Australia, Sept. 2007.
 
20
J. T. Giffin, S. Jha, and B. P. Miller. "Efficient context-sensitive intrusion detection," In Network and Distributed System Security Symposium (NDSS), San Diego, CA, Feb. 2004.
 
21
Sriranjani Sitaraman , S. Venkatesan, Forensic Analysis of File System Intrusions Using Improved Backtracking, Proceedings of the Third IEEE International Workshop on Information Assurance, p.154-163, March 23-24, 2005  [doi>10.1109/IWIA.2005.9]
 
22
Ashvin Goel , Wu-chang Feng , David Maier , Wu-chi Feng , Jonathan Walpole, Forensix: A Robust, High-Performance Reconstruction System, Proceedings of the Second International Workshop on Security in Distributed Computing Systems (SDCS) (ICDCSW'05), p.155-162, June 06-10, 2005  [doi>10.1109/ICDCSW.2005.62]
 
23
Ashvin Goel , Wu-chang Feng , Wu-chi Feng , David Maier, Automatic high-performance reconstruction and recovery, Computer Networks: The International Journal of Computer and Telecommunications Networking, v.51 n.5, p.1361-1377, April, 2007  [doi>10.1016/j.comnet.2006.09.013]
24
Ashvin Goel , Kenneth Po , Kamran Farhadi , Zheng Li , Eyal de Lara, The taser intrusion recovery system, Proceedings of the twentieth ACM symposium on Operating systems principles, October 23-26, 2005, Brighton, United Kingdom
25
Feng Qin , Joseph Tucek , Jagadeesan Sundaresan , Yuanyuan Zhou, Rx: treating bugs as allergies---a safe method to survive software failures, Proceedings of the twentieth ACM symposium on Operating systems principles, October 23-26, 2005, Brighton, United Kingdom
 
26
R. J. Creasy. The origin of the VM/370 time-sharing system. IBM J. Research and Development, 25(5):483--490, September 1981.
 
27
VMware, http://www.vmware.com.
28
Paul Barham , Boris Dragovic , Keir Fraser , Steven Hand , Tim Harris , Alex Ho , Rolf Neugebauer , Ian Pratt , Andrew Warfield, Xen and the art of virtualization, Proceedings of the nineteenth ACM symposium on Operating systems principles, October 19-22, 2003, Bolton Landing, NY, USA
 
29
Jeff Dike, A user-mode port of the linux kernel, Proceedings of the 4th annual Linux Showcase & Conference, p.7-7, October 10-14, 2000, Atlanta, Georgia
 
30
KVM (Kernel-based Virtual Machine). http://kvm.qumranet.com/kvmwiki/Front_Page.
 
31
Jon Watson, VirtualBox: bits and bytes masquerading as machines, Linux Journal, v.2008 n.166, p.1, February 2008
 
32
Poul-Henning Kamp and Robert N. M. Watson. Jails: Confining the omnipotent root. In Proc. of 2nd Intl. SANE Conference, May 2000.
33
Stephen Soltesz , Herbert Pötzl , Marc E. Fiuczynski , Andy Bavier , Larry Peterson, Container-based operating system virtualization: a scalable, high-performance alternative to hypervisors, Proceedings of the 2nd ACM SIGOPS/EuroSys European Conference on Computer Systems 2007, March 21-23, 2007, Lisbon, Portugal
34
Steven Osman , Dinesh Subhraveti , Gong Su , Jason Nieh, The design and implementation of Zap: a system for migrating computing environments, Proceedings of the 5th symposium on Operating systems design and implementation

Due to copyright restrictions we are not able to make the PDFs for this conference available for downloading

, December 09-11, 2002, Boston, Massachusetts  [doi>10.1145/1060289.1060323]
 
35
Daniel Price , Andrew Tucker, Solaris Zones: Operating System Support for Consolidating Commercial Workloads, Proceedings of the 18th USENIX conference on System administration, November 14-19, 2004, Atlanta, GA
 
36
http://openvz.org: OpenVZ server virtualization open-source project.
37
Charles P. Wright , Jay Dave , Puja Gupta , Harikesavan Krishnan , David P. Quigley , Erez Zadok , Mohammad Nayyer Zubair, Versatility and Unix semantics in namespace unification, ACM Transactions on Storage (TOS), v.2 n.1, p.74-105, February 2006  [doi>10.1145/1138041.1138045]
 
38
Unionfs: http://www.am-utils.org/project-unionfs.html

INDEX TERMS

Primary Classification:
  D. Software
  D.4 OPERATING SYSTEMS
      D.4.6 Security and Protection
          Subjects: Information flow controls

Additional Classification:
  C. Computer Systems Organization
  C.0 GENERAL
      Subjects: System architectures


General Terms:
Experimentation, Measurement, Performance, Security


Keywords:
applications, interractions, lightweight, tracking, virtualization

Collaborative Colleagues:
Yih Huang: colleagues
Angelos Stavrou: colleagues
Anup K. Ghosh: colleagues
Sushil Jajodia: colleagues

The ACM Portal is published by the Association for Computing Machinery. Copyright © 2009 ACM, Inc.
Terms of Usage   Privacy Policy   Code of Ethics   Contact Us

Useful downloads: Adobe Acrobat    QuickTime    Windows Media Player    Real Player