TY - GEN
T1 - A novel approach for a file-system integrity monitor tool of Xen virtual machine
AU - Quynh, Nguyen Anh
AU - Takefuji, Yoshiyasu
PY - 2007/10/1
Y1 - 2007/10/1
N2 - File-system integrity tools (FIT) are commonly deployed host-based intrusion detections (HIDS) tool to detect unauthorized file-system changes. While FIT are widely used, this kind of HIDS has many drawbacks: the intrusion detection is not done in real-time manner, which might render the whole scheme useless if the attacker can somehow take over the system with privileged access in the time between. The administrator also has a lot of problems to keep the base-line database updating. Besides, the database and the FIT itself are vulnerable if the attacker gains local privileged access.This paper presents a novel approach to address the outstanding problems of the current FIT. We propose a design and implementation of a tool named XenFIT for Xen virtual machines. XenFIT can monitor and fires alarms on intrusion in real-time manner, and our approach does not require to create and update the database like in the legacy methods. XenFIT works by dynamically patching memory of the protected machine, so it is not necessary to install any kernel code or user-space application into the protected machines. As a result, XenFIT is almost effortless to deploy and maintain. In addition, thanks to the advantage introduced by Xen, the security polices as well as the detection process are put in a secure machine, so XenFIT is tamper-resistant with attack, even in case the attacker takes over the whole VM he is penetrating in. Finally, if deploying strictly, XenFIT is able to function very stealthily to avoid the suspect of the intruder.
AB - File-system integrity tools (FIT) are commonly deployed host-based intrusion detections (HIDS) tool to detect unauthorized file-system changes. While FIT are widely used, this kind of HIDS has many drawbacks: the intrusion detection is not done in real-time manner, which might render the whole scheme useless if the attacker can somehow take over the system with privileged access in the time between. The administrator also has a lot of problems to keep the base-line database updating. Besides, the database and the FIT itself are vulnerable if the attacker gains local privileged access.This paper presents a novel approach to address the outstanding problems of the current FIT. We propose a design and implementation of a tool named XenFIT for Xen virtual machines. XenFIT can monitor and fires alarms on intrusion in real-time manner, and our approach does not require to create and update the database like in the legacy methods. XenFIT works by dynamically patching memory of the protected machine, so it is not necessary to install any kernel code or user-space application into the protected machines. As a result, XenFIT is almost effortless to deploy and maintain. In addition, thanks to the advantage introduced by Xen, the security polices as well as the detection process are put in a secure machine, so XenFIT is tamper-resistant with attack, even in case the attacker takes over the whole VM he is penetrating in. Finally, if deploying strictly, XenFIT is able to function very stealthily to avoid the suspect of the intruder.
KW - Intrusion detection
KW - Linux
KW - Rootkit
KW - Xen virtual machine
UR - http://www.scopus.com/inward/record.url?scp=34748834684&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=34748834684&partnerID=8YFLogxK
U2 - 10.1145/1229285.1229313
DO - 10.1145/1229285.1229313
M3 - Conference contribution
AN - SCOPUS:34748834684
SN - 1595935746
SN - 9781595935748
T3 - Proceedings of the 2nd ACM Symposium on Information, Computer and Communications Security, ASIACCS '07
SP - 194
EP - 202
BT - Proceedings of the 2nd ACM Symposium on Information, Computer and Communications Security, ASIACCS '07
T2 - 2nd ACM Symposium on Information, Computer and Communications Security, ASIACCS '07
Y2 - 20 March 2007 through 22 March 2007
ER -