virtual machine monitor

14,000,000 Leading Edge Experts on the ideXlab platform

The Experts below are selected from a list of 3123 Experts worldwide ranked by ideXlab platform

Ramesh Karri - One of the best experts on this subject based on the ideXlab platform.

  • Detecting Kernel Control-Flow Modifying Rootkits
    Network Science and Cybersecurity, 2014
    Co-Authors: Xueyang Wang, Ramesh Karri
    Abstract:

    Kernel Control-flow Modifying Rootkits are the most common kernel rootkits and pose the most threat to system security. Existing host-based and virtual machine monitor (VMM) based techniques have limitations in security and suffer from system performance overhead. We propose a VMM-based framework to detect control-flow modifying kernel rootkits in a guest virtual machine (VM) by checking the number of certain hardware events that occur during the execution of a system call. Our technique leverages the Hardware Performance Counters (HPCs) to securely and efficiently count the monitored hardware events. By using HPCs, the checking cost is significantly reduced and the tamper-resistance is enhanced.

  • NumChecker: Detecting Kernel Control-Flow Modifying Rootkits by Using Hardware Performance Counters
    Design Automation Conference, 2013
    Co-Authors: Xueyang Wang, Ramesh Karri
    Abstract:

    This paper presents NumChecker, a new virtual machine monitor (VMM) based framework to detect control-flow modifying kernel rootkits in a guest virtual machine (VM). NumChecker detects malicious modifications to a system call in the guest VM by checking the number of certain hardware events that occur during the system call's execution. To automatically count these events, NumChecker leverages the Hardware Performance Counters (HPCs), which exist in most modern processors. By using HPCs, the checking cost is significantly reduced and the tamper-resistance is enhanced. We implement a prototype of NumChecker on Linux with the Kernel-based virtual machine (KVM). Our evaluation demonstrates its practicality and effectiveness.

Hai Jin - One of the best experts on this subject based on the ideXlab platform.

  • A VMM-Based Intrusion Prevention System in Cloud Computing Environment
    The Journal of Supercomputing, 2013
    Co-Authors: Hai Jin, Deqing Zou, Guofu Xiang, Feng Zhao, Weide Zheng
    Abstract:

    With the development of information technology, cloud computing becomes a new direction of grid computing. Cloud computing is user-centric, and provides end users with leasing service. Guaranteeing the security of user data needs careful consideration before cloud computing is widely applied in business. Virtualization provides a new approach to solve the traditional security problems and can be taken as the underlying infrastructure of cloud computing. In this paper, we propose an intrusion prevention system, VMFence, in a virtualization-based cloud computing environment, which is used to monitor network flow and file integrity in real time, and provide a network defense and file integrity protection as well. Due to the dynamicity of the virtual machine, the detection process varies with the state of the virtual machine. The state transition of the virtual machine is described via Definite Finite Automata (DFA). We have implemented VMFence on an open-source virtual machine monitor platform, Xen. The experimental results show our proposed method is effective and it brings acceptable overhead.

  • VSA: An Offline Scheduling Analyzer for Xen Virtual Machine Monitor
    Future Generation Computer Systems, 2013
    Co-Authors: Zhiyuan Shao, Hai Jin
    Abstract:

    Nowadays, it is an important trend in the system domain to use the software-based virtualization technology to build the execution environments (e.g., the Clouds). After introducing the virtualization layer, there exist two schedulers: One in the hypervisor and the other inside the Guest Operating System (GOS). To fully understand the virtualized system and identify the possible reasons for performance problems incurred by the virtualization technology, it is very important for the system administrators and engineers to know the scheduling behavior of the hypervisor, in addition to understanding the scheduler inside the GOS. In this paper, we develop a virtualization scheduling analyzer, called VSA, to analyze the trace data of the Xen virtual machine monitor. With VSA, one can easily obtain the scheduling data associated with virtual processors (i.e., VCPUs) and physical processors (i.e., PCPUs), and further conduct the scheduling analysis for a group of interacting VCPUs running in the same domain.

  • VRFPS: A Novel Virtual Machine Based Real-Time File Protection System
    International Conference on Software Engineering, 2009
    Co-Authors: Feng Zhao, Hai Jin, Guofu Xiang, Yali Jiang, Wenbin Jiang
    Abstract:

    With the development of virtualization technology, file protection in virtual machines, especially in the guest OS, becomes more and more important. Traditional host-based file protection system resides the critical modules in monitored system, which is easily explored and destroyed by malware. Moreover, in order to protect the multiple operating systems running on the same platform, it is necessary to install an independent file protection system for each of them, which greatly wastes computing resources and brings serious performance overhead. In this paper, a novel VM-based real-time file protection system, named VRFPS, is proposed to solve these problems. First, the virtual machine monitor introspects all file operations of the guest OS. Then, the semantic gap between disk blocks and logical files is narrowed by blktap. Finally, a virtual sandbox is implemented in the privileged domain to prevent protected files in the guest domain from being modified illegally. Our approach is highly isolated, transparent and without modification on the virtual machine monitor and guest OS. The experimental results show that the presented system is valid and has low performance overhead.

  • Multi-Core Computing Resource Management System Based on Virtual Computing Technology
    2009
    Co-Authors: Hai Jin, Zhiyuan Shao, Huacai Chen, De Zhang, Xiaowen Lu, Jian Huang, Yong Li, Pengfei Yang, Minhao Yuan
    Abstract:

    The invention relates to a multi-core system computer resource management system based on a virtual computer technology. The system comprises a plurality of virtual machines, a virtual machine monitor and a virtual machine manager. The virtual machine monitor monitors the load condition and the operation state of the virtual machine in real time. The virtual machine manager is a bond for communication between a virtual machine and a physical host. The virtual machine operates on the virtual machine manager and provides the user with a virtual platform. At the same time, the invention divides the virtual machine into three general categories, and different resource adjusting strategies are adopted for each category of the virtual machine respectively. The invention provides a practical and feasible way for the dynamic adjusting and distributing problem of multi-core computer resource and realizes the maximization of energy saving and resource utilization.

Xueyang Wang - One of the best experts on this subject based on the ideXlab platform.

  • Detecting Kernel Control-Flow Modifying Rootkits
    Network Science and Cybersecurity, 2014
    Co-Authors: Xueyang Wang, Ramesh Karri
    Abstract:

    Kernel Control-flow Modifying Rootkits are the most common kernel rootkits and pose the most threat to system security. Existing host-based and virtual machine monitor (VMM) based techniques have limitations in security and suffer from system performance overhead. We propose a VMM-based framework to detect control-flow modifying kernel rootkits in a guest virtual machine (VM) by checking the number of certain hardware events that occur during the execution of a system call. Our technique leverages the Hardware Performance Counters (HPCs) to securely and efficiently count the monitored hardware events. By using HPCs, the checking cost is significantly reduced and the tamper-resistance is enhanced.

  • NumChecker: Detecting Kernel Control-Flow Modifying Rootkits by Using Hardware Performance Counters
    Design Automation Conference, 2013
    Co-Authors: Xueyang Wang, Ramesh Karri
    Abstract:

    This paper presents NumChecker, a new virtual machine monitor (VMM) based framework to detect control-flow modifying kernel rootkits in a guest virtual machine (VM). NumChecker detects malicious modifications to a system call in the guest VM by checking the number of certain hardware events that occur during the system call's execution. To automatically count these events, NumChecker leverages the Hardware Performance Counters (HPCs), which exist in most modern processors. By using HPCs, the checking cost is significantly reduced and the tamper-resistance is enhanced. We implement a prototype of NumChecker on Linux with the Kernel-based virtual machine (KVM). Our evaluation demonstrates its practicality and effectiveness.

Robert D Gardner - One of the best experts on this subject based on the ideXlab platform.

  • Measuring CPU Overhead for I/O Processing in the Xen Virtual Machine Monitor
    USENIX Annual Technical Conference, 2005
    Co-Authors: Ludmila Cherkasova, Robert D Gardner
    Abstract:

    Virtual machine monitors (VMMs) are gaining popularity in enterprise environments as a software-based solution for building shared hardware infrastructures via virtualization. In this work, using the Xen VMM, we present a lightweight monitoring system for measuring the CPU usage of different virtual machines including the CPU overhead in the device driver domain caused by I/O processing on behalf of a particular virtual machine. Our performance study attempts to quantify and analyze this overhead for a set of I/O intensive workloads.

Tian Ronghua - One of the best experts on this subject based on the ideXlab platform.

  • Novel Approach for Protecting Integrity of Kernel Based on Reference Monitor
    Journal of Computer Applications, 2006
    Co-Authors: Tian Ronghua
    Abstract:

    With the concept of the reference monitor and the function of the virtual machine monitor, a novel approach for protecting the integrity of the kernel was designed. In the design, a virtual machine monitor was used as the reference monitor by adding a reference monitor module to it. The guest operating system kernel runs on top of the reference monitor in non-privileged mode. When the non-privileged kernel attempts to write some resources, it is mandatory for the writing permission to be verified and approved by the reference monitor running in privileged mode. So, it prevents malicious code from tampering with the kernel. Compared with this approach, the traditional defense methods against malicious code can only detect the integrity of the kernel, but cannot prevent the kernel from being tampered with.