A novel approach for a file-system integrity monitor tool of Xen virtual machine

Nguyen Anh Quynh; Yoshiyasu Takefuji

doi:10.1145/1229285.1229313

A novel approach for a file-system integrity monitor tool of Xen virtual machine

Nguyen Anh Quynh, Yoshiyasu Takefuji

Faculty of Environment and Information Studies

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

32 Citations (Scopus)

Abstract

File-system integrity tools (FIT) are commonly deployed host-based intrusion detections (HIDS) tool to detect unauthorized file-system changes. While FIT are widely used, this kind of HIDS has many drawbacks: the intrusion detection is not done in real-time manner, which might render the whole scheme useless if the attacker can somehow take over the system with privileged access in the time between. The administrator also has a lot of problems to keep the base-line database updating. Besides, the database and the FIT itself are vulnerable if the attacker gains local privileged access.This paper presents a novel approach to address the outstanding problems of the current FIT. We propose a design and implementation of a tool named XenFIT for Xen virtual machines. XenFIT can monitor and fires alarms on intrusion in real-time manner, and our approach does not require to create and update the database like in the legacy methods. XenFIT works by dynamically patching memory of the protected machine, so it is not necessary to install any kernel code or user-space application into the protected machines. As a result, XenFIT is almost effortless to deploy and maintain. In addition, thanks to the advantage introduced by Xen, the security polices as well as the detection process are put in a secure machine, so XenFIT is tamper-resistant with attack, even in case the attacker takes over the whole VM he is penetrating in. Finally, if deploying strictly, XenFIT is able to function very stealthily to avoid the suspect of the intruder.

Original language	English
Title of host publication	Proceedings of the 2nd ACM Symposium on Information, Computer and Communications Security, ASIACCS '07
Pages	194-202
Number of pages	9
DOIs	https://doi.org/10.1145/1229285.1229313
Publication status	Published - 2007
Event	2nd ACM Symposium on Information, Computer and Communications Security, ASIACCS '07 - Singapore, Singapore Duration: 2007 Mar 20 → 2007 Mar 22

Other

Other	2nd ACM Symposium on Information, Computer and Communications Security, ASIACCS '07
Country	Singapore
City	Singapore
Period	07/3/20 → 07/3/22

Fingerprint

Intrusion detection

Space applications

Law enforcement

Virtual machine

Fires

Data storage equipment

Keywords

Intrusion detection
Linux
Rootkit
Xen virtual machine

ASJC Scopus subject areas

Computer Networks and Communications
Software

Cite this

Quynh, N. A., & Takefuji, Y. (2007). A novel approach for a file-system integrity monitor tool of Xen virtual machine. In Proceedings of the 2nd ACM Symposium on Information, Computer and Communications Security, ASIACCS '07 (pp. 194-202) https://doi.org/10.1145/1229285.1229313

A novel approach for a file-system integrity monitor tool of Xen virtual machine. / Quynh, Nguyen Anh; Takefuji, Yoshiyasu.

Proceedings of the 2nd ACM Symposium on Information, Computer and Communications Security, ASIACCS '07. 2007. p. 194-202.

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Quynh, NA & Takefuji, Y 2007, A novel approach for a file-system integrity monitor tool of Xen virtual machine. in Proceedings of the 2nd ACM Symposium on Information, Computer and Communications Security, ASIACCS '07. pp. 194-202, 2nd ACM Symposium on Information, Computer and Communications Security, ASIACCS '07, Singapore, Singapore, 07/3/20. https://doi.org/10.1145/1229285.1229313

Quynh NA, Takefuji Y. A novel approach for a file-system integrity monitor tool of Xen virtual machine. In Proceedings of the 2nd ACM Symposium on Information, Computer and Communications Security, ASIACCS '07. 2007. p. 194-202 https://doi.org/10.1145/1229285.1229313

Quynh, Nguyen Anh ; Takefuji, Yoshiyasu. / A novel approach for a file-system integrity monitor tool of Xen virtual machine. Proceedings of the 2nd ACM Symposium on Information, Computer and Communications Security, ASIACCS '07. 2007. pp. 194-202

@inproceedings{dcc15e099b2a46b79ad48e6de4182f77,

title = "A novel approach for a file-system integrity monitor tool of Xen virtual machine",

abstract = "File-system integrity tools (FIT) are commonly deployed host-based intrusion detections (HIDS) tool to detect unauthorized file-system changes. While FIT are widely used, this kind of HIDS has many drawbacks: the intrusion detection is not done in real-time manner, which might render the whole scheme useless if the attacker can somehow take over the system with privileged access in the time between. The administrator also has a lot of problems to keep the base-line database updating. Besides, the database and the FIT itself are vulnerable if the attacker gains local privileged access.This paper presents a novel approach to address the outstanding problems of the current FIT. We propose a design and implementation of a tool named XenFIT for Xen virtual machines. XenFIT can monitor and fires alarms on intrusion in real-time manner, and our approach does not require to create and update the database like in the legacy methods. XenFIT works by dynamically patching memory of the protected machine, so it is not necessary to install any kernel code or user-space application into the protected machines. As a result, XenFIT is almost effortless to deploy and maintain. In addition, thanks to the advantage introduced by Xen, the security polices as well as the detection process are put in a secure machine, so XenFIT is tamper-resistant with attack, even in case the attacker takes over the whole VM he is penetrating in. Finally, if deploying strictly, XenFIT is able to function very stealthily to avoid the suspect of the intruder.",

keywords = "Intrusion detection, Linux, Rootkit, Xen virtual machine",

author = "Quynh, {Nguyen Anh} and Yoshiyasu Takefuji",

year = "2007",

doi = "10.1145/1229285.1229313",

language = "English",

isbn = "1595935746",

pages = "194--202",

booktitle = "Proceedings of the 2nd ACM Symposium on Information, Computer and Communications Security, ASIACCS '07",

}

TY - GEN

T1 - A novel approach for a file-system integrity monitor tool of Xen virtual machine

AU - Quynh, Nguyen Anh

AU - Takefuji, Yoshiyasu

PY - 2007

Y1 - 2007

N2 - File-system integrity tools (FIT) are commonly deployed host-based intrusion detections (HIDS) tool to detect unauthorized file-system changes. While FIT are widely used, this kind of HIDS has many drawbacks: the intrusion detection is not done in real-time manner, which might render the whole scheme useless if the attacker can somehow take over the system with privileged access in the time between. The administrator also has a lot of problems to keep the base-line database updating. Besides, the database and the FIT itself are vulnerable if the attacker gains local privileged access.This paper presents a novel approach to address the outstanding problems of the current FIT. We propose a design and implementation of a tool named XenFIT for Xen virtual machines. XenFIT can monitor and fires alarms on intrusion in real-time manner, and our approach does not require to create and update the database like in the legacy methods. XenFIT works by dynamically patching memory of the protected machine, so it is not necessary to install any kernel code or user-space application into the protected machines. As a result, XenFIT is almost effortless to deploy and maintain. In addition, thanks to the advantage introduced by Xen, the security polices as well as the detection process are put in a secure machine, so XenFIT is tamper-resistant with attack, even in case the attacker takes over the whole VM he is penetrating in. Finally, if deploying strictly, XenFIT is able to function very stealthily to avoid the suspect of the intruder.

AB - File-system integrity tools (FIT) are commonly deployed host-based intrusion detections (HIDS) tool to detect unauthorized file-system changes. While FIT are widely used, this kind of HIDS has many drawbacks: the intrusion detection is not done in real-time manner, which might render the whole scheme useless if the attacker can somehow take over the system with privileged access in the time between. The administrator also has a lot of problems to keep the base-line database updating. Besides, the database and the FIT itself are vulnerable if the attacker gains local privileged access.This paper presents a novel approach to address the outstanding problems of the current FIT. We propose a design and implementation of a tool named XenFIT for Xen virtual machines. XenFIT can monitor and fires alarms on intrusion in real-time manner, and our approach does not require to create and update the database like in the legacy methods. XenFIT works by dynamically patching memory of the protected machine, so it is not necessary to install any kernel code or user-space application into the protected machines. As a result, XenFIT is almost effortless to deploy and maintain. In addition, thanks to the advantage introduced by Xen, the security polices as well as the detection process are put in a secure machine, so XenFIT is tamper-resistant with attack, even in case the attacker takes over the whole VM he is penetrating in. Finally, if deploying strictly, XenFIT is able to function very stealthily to avoid the suspect of the intruder.

KW - Intrusion detection

KW - Linux

KW - Rootkit

KW - Xen virtual machine

UR - http://www.scopus.com/inward/record.url?scp=34748834684&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=34748834684&partnerID=8YFLogxK

U2 - 10.1145/1229285.1229313

DO - 10.1145/1229285.1229313

M3 - Conference contribution

AN - SCOPUS:34748834684

SN - 1595935746

SN - 9781595935748

SP - 194

EP - 202

BT - Proceedings of the 2nd ACM Symposium on Information, Computer and Communications Security, ASIACCS '07

ER -

Access to Document

10.1145/1229285.1229313