Please use this identifier to cite or link to this item: https://dl.ucsc.cmb.ac.lk/jspui/handle/123456789/1628
Title: Infrastructure for Intrusion Detection on Xen Virtualization
Authors: Silva, P.N.M.
Issue Date: 17-Dec-2013
Abstract: The ideal secure system requires that the system run on top of a secure base. The base of any application is the operating system. Unfortunately, operating systems are programs with huge code bases which contain many bugs. These buggy programs can be exploited to break the security of the system. Intrusion Detection Systems (IDS) are used to keep unauthorized persons from accessing a computer system. The currently available IDSs have a flaw that is inherent in the computer architecture: the existing IDS resides on the same kernel as the monitored host. Once an attack has occurred, the IDS or the monitored host OS can be modified or attacked by the attacker to hide the intrusive activities, making the IDS unreliable. For this reason, the proper functioning of the IDS cannot be trusted. The desirable security properties provided by virtualization can be used to implement a reliable IDS. The monitor and the monitored host will run on two different virtual machines. The monitor will access the memory of the vulnerable host to detect any integrity violations. The memory of the vulnerable VM will be mapped into the memory space of the monitoring VM. Accessing a memory address of another VM requires manual address translation, using the address translation logic employed in the VM and the memory management at the hypervisor level. The mapped memory is raw memory which doesn't have any semantics associated with it. This semantic-less raw memory will be transformed into the semantically sound kernel data structures that it really represents. After the semantics of the mapped memory have been provided, the recreated kernel data structures are monitored to detect any attack on the kernel's system call table. The integrity monitor successfully detected all changes being made to the system call table without any performance penalty.
URI: http://hdl.handle.net/123456789/1628
Appears in Collections: SCS Individual Project - Final Thesis (2008)

Files in This Item:
File: 34.pdf (Restricted Access)
Size: 1.03 MB
Format: Adobe PDF


Items in UCSC Digital Library are protected by copyright, with all rights reserved, unless otherwise indicated.