Safe side effects commitment for OS-level virtualization

Authors:
Zhiyong Shan;Xin Wang;Tzi-cker Chiueh;Xiaofeng Meng
Affiliations:
Key Laboratory of Data Engineering and Knowledge Engineering (Renmin University of China), MOE, Stony Brook University, Beijing, China;Stony Brook University, Stony Brook, NY, USA;Stony Brook University, Stony Brook, NY, USA;Key Laboratory of Data Engineering and Knowledge Engineering (Renmin University of China), MOE, Beijing, China
Venue:
Proceedings of the 8th ACM international conference on Autonomic computing
Year:
2011

Citing 21
Cited 0

Backtracking intrusions

SOSP '03 Proceedings of the nineteenth ACM symposium on Operating systems principles
Gatekeeper: Monitoring Auto-Start Extensibility Points (ASEPs) for Spyware Management

LISA '04 Proceedings of the 18th USENIX conference on System administration
Solaris Zones: Operating System Support for Consolidating Commercial Workloads

LISA '04 Proceedings of the 18th USENIX conference on System administration
A feather-weight virtual machine for windows applications

Proceedings of the 2nd international conference on Virtual execution environments
Back to the Future: A Framework for Automatic Malware Removal and System Repair

ACSAC '06 Proceedings of the 22nd Annual Computer Security Applications Conference
Usable Mandatory Integrity Protection for Operating Systems

SP '07 Proceedings of the 2007 IEEE Symposium on Security and Privacy
Behavior-based spyware detection

USENIX-SS'06 Proceedings of the 15th conference on USENIX Security Symposium - Volume 15
Container-based operating system virtualization: a scalable, high-performance alternative to hypervisors

Proceedings of the 2nd ACM SIGOPS/EuroSys European Conference on Computer Systems 2007
Flight data recorder: monitoring persistent-state interactions to improve systems management

OSDI '06 Proceedings of the 7th symposium on Operating systems design and implementation
Panorama: capturing system-wide information flow for malware detection and analysis

Proceedings of the 14th ACM conference on Computer and communications security
Applications of a feather-weight virtual machine

Proceedings of the fourth ACM SIGPLAN/SIGOPS international conference on Virtual execution environments
Remus: high availability via asynchronous virtual machine replication

NSDI'08 Proceedings of the 5th USENIX Symposium on Networked Systems Design and Implementation
Learning and Classification of Malware Behavior

DIMVA '08 Proceedings of the 5th international conference on Detection of Intrusions and Malware, and Vulnerability Assessment
Os-level virtualization and its applications

Os-level virtualization and its applications
Defending Browsers against Drive-by Downloads: Mitigating Heap-Spraying Code Injection Attacks

DIMVA '09 Proceedings of the 6th International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment
Effective and efficient malware detection at the end host

SSYM'09 Proceedings of the 18th conference on USENIX security symposium
Automatic generation of remediation procedures for malware infections

USENIX Security'10 Proceedings of the 19th USENIX conference on Security
Commercial Antivirus Software Effectiveness: An Empirical Study

Computer
Tracer: enforcing mandatory access control in commodity OS with the support of light-weight intrusion detection and tracing

Proceedings of the 6th ACM Symposium on Information, Computer and Communications Security
Optimizing the Performance of Virtual Machine Synchronization for Fault Tolerance

IEEE Transactions on Computers
COTS diversity based intrusion detection and application to web servers

RAID'05 Proceedings of the 8th international conference on Recent Advances in Intrusion Detection

Quantified Score

Hi-index	0.00

Visualization

Abstract

A common application of virtual machines (VM) is to use and then throw away, basically treating a VM like a completely isolated and disposable entity. The disadvantage of this approach is that if there is no malicious activity, the user has to re-do all of the work in her actual workspace since there is no easy way to commit (i.e., merge) only the benign updates within the VM back to the host environment. In this work, we develop a VM commitment system called Secom to automatically eliminate malicious state changes when merging the contents of an OS-level VM to the host. Secom consists of three steps: grouping state changes into clusters, distinguishing between benign and malicious clusters, and committing benign clusters. Secom has three novel features. First, instead of relying on a huge volume of log data, it leverages OS-level information flow and malware behavior information to recognize malicious changes. As a result, the approach imposes a smaller performance overhead. Second, different from existing intrusion detection and recovery systems that detect compromised OS objects one by one, Secom classifies objects into clusters and then identifies malicious objects on a cluster by cluster basis. Third, to reduce the false positive rate when identifying malicious clusters, it simultaneously considers two malware behaviors that are of different types and the origin of the processes that exhibit these behaviors, rather than considers a single behavior alone as done by existing malware detection methods. We have successfully implemented Secom on the Feather-weight Virtual Machine (FVM) system, a Windows-based OS-level virtualization system. Experiments show that the prototype can effectively eliminate malicious state changes while committing a VM with small performance degradation. Moreover, compared with the commercial anti-malware tools, the Secom prototype has a smaller number of false negatives and thus can more thoroughly clean up malware side effects. In addition, the number of false positives of the Secom prototype is also lower than that achieved by the on-line behavior-based approach of the commercial tools.