DOI: 10.1145/1655148.1655152

TimeCapsule: secure recording of accesses to a protected datastore

Published: 09 November 2009

Abstract

We present an approach for transparently recording accesses to protected storage. In particular, we provide a framework for data monitoring in a virtualized environment using only the abstractions exposed by the hypervisor. To achieve our goals, we explore techniques for efficiently harvesting application code pages resident in memory at the time disk operations hit the I/O ring, and subsequently apply novel heuristics to overcome the "semantic gap" issue between file-system objects and disk blocks. Our forensic layer records all transactions in a version-based audit log that allows for faithful reconstruction of accesses to the datastore over time. We provide an empirical evaluation of our design that shows our approach to be promising, and very accurate in mapping application-level to block-level access patterns, even under very noisy conditions.
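The abstract names three pieces: attributing a request seen at the virtual disk's I/O ring to the code that issued it, mapping the block it touches back to a file-system object (the "semantic gap"), and recording the result in a version-based audit log that can later be replayed. The Python below is an added illustration of the data model such a layer needs, written for this page; it is not the authors' implementation and the paper's heuristics are not reproduced. It assumes a file-to-extent table has already been recovered from file-system metadata, a fixed 4 KiB block size, and a pre-resolved actor label standing in for the harvested code-page hash. The hash chain over records is an extra tamper-evidence step that the abstract does not claim; the sample extents and events are constructed.

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

BLOCK_SIZE = 4096  # assumed block size for this constructed example


@dataclass(frozen=True)
class Extent:
    """A contiguous run of blocks belonging to one file (assumed to be
    recovered from file-system metadata, e.g. an NTFS data run)."""
    path: str
    start_block: int
    num_blocks: int


@dataclass(frozen=True)
class IOEvent:
    """One request observed at the virtual disk's I/O ring."""
    seq: int      # monotonic position in the ring
    op: str       # "read" or "write"
    block: int    # logical block number
    data: bytes   # block payload as seen by the monitor
    actor: str    # label for the issuing code page (a hash in a real system)


@dataclass
class LogRecord:
    seq: int
    op: str
    block: int
    version: int                # per-block write version at access time
    path: Optional[str]         # None when no known file owns the block
    file_offset: Optional[int]
    content_hash: str
    actor: str
    prev_hash: str
    record_hash: str = ""


class BlockMapper:
    """Bridges the semantic gap: block number -> (file path, byte offset)."""

    def __init__(self, extents: List[Extent]) -> None:
        self._index: Dict[int, Tuple[str, int]] = {}
        for e in extents:
            for i in range(e.num_blocks):
                blk = e.start_block + i
                if blk in self._index:
                    raise ValueError(f"block {blk} claimed by two extents")
                self._index[blk] = (e.path, i * BLOCK_SIZE)

    def resolve(self, block: int) -> Tuple[Optional[str], Optional[int]]:
        return self._index.get(block, (None, None))


def _chain_hash(r: LogRecord, prev: str) -> str:
    fields = (str(r.seq), r.op, str(r.block), str(r.version), r.path or "",
              str(r.file_offset), r.content_hash, r.actor, prev)
    return hashlib.sha256("|".join(fields).encode()).hexdigest()


class VersionedAuditLog:
    """Append-only log: every write bumps the block's version and every
    record is chained to its predecessor so later edits are detectable."""
    GENESIS = "0" * 64

    def __init__(self, mapper: BlockMapper) -> None:
        self.mapper = mapper
        self.records: List[LogRecord] = []
        self._version: Dict[int, int] = {}

    def record(self, ev: IOEvent) -> LogRecord:
        if ev.op not in ("read", "write"):
            raise ValueError(f"unknown op {ev.op!r}")
        path, off = self.mapper.resolve(ev.block)
        ver = self._version.get(ev.block, 0)
        if ev.op == "write":
            ver += 1
            self._version[ev.block] = ver
        prev = self.records[-1].record_hash if self.records else self.GENESIS
        rec = LogRecord(ev.seq, ev.op, ev.block, ver, path, off,
                        hashlib.sha256(ev.data).hexdigest(), ev.actor, prev)
        rec.record_hash = _chain_hash(rec, prev)
        self.records.append(rec)
        return rec

    def verify_chain(self) -> bool:
        prev = self.GENESIS
        for r in self.records:
            if r.prev_hash != prev or r.record_hash != _chain_hash(r, prev):
                return False
            prev = r.record_hash
        return True

    def history(self, path: str) -> List[Tuple[int, str, int, int, str]]:
        """Replay who touched which byte range of a file, in ring order."""
        return [(r.seq, r.op, r.file_offset, r.version, r.actor)
                for r in self.records if r.path == path]

    def unmapped(self) -> List[LogRecord]:
        """Accesses no extent explains (metadata, free space): the residue a
        block-to-file heuristic leaves behind and an analyst should inspect."""
        return [r for r in self.records if r.path is None]


# Constructed sample: two files and a handful of I/O ring events.
SAMPLE_EXTENTS = [Extent("/docs/secret.txt", 100, 3), Extent("/bin/app.exe", 200, 5)]
SAMPLE_EVENTS = [
    IOEvent(1, "read", 100, b"header", "app.exe"),
    IOEvent(2, "write", 101, b"v1", "app.exe"),
    IOEvent(3, "write", 101, b"v2", "editor.exe"),
    IOEvent(4, "read", 202, b"code", "loader"),
    IOEvent(5, "read", 999, b"meta", "ntfs.sys"),
]


def build_sample_log() -> VersionedAuditLog:
    log = VersionedAuditLog(BlockMapper(SAMPLE_EXTENTS))
    for ev in SAMPLE_EVENTS:
        log.record(ev)
    return log
```

`history()` is the reconstruction step: for `/docs/secret.txt` it yields the read of offset 0 followed by two writes to offset 4096 at versions 1 and 2, attributed to different actors. `unmapped()` surfaces block 999, which no extent owns; in a real deployment that bucket is where file-system metadata and attacker-controlled slack space end up, so its size is a direct measure of how much the block-to-file mapping is missing.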


Cited By

  • Trail of bytes. Proceedings of the 17th ACM Conference on Computer and Communications Security (CCS 2010), pages 50--60. DOI: 10.1145/1866307.1866314. Published 4 October 2010.

Published In

VMSec '09: Proceedings of the 1st ACM workshop on Virtual machine security
November 2009
58 pages
ISBN:9781605587806
DOI:10.1145/1655148
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher

Association for Computing Machinery

New York, NY, United States


Author Tags

  1. data forensics
  2. security
  3. virtualization

Qualifiers

  • Research-article

Conference

CCS '09