35th Annual Computer Security Applications Conference (ACSAC 2019)


TF-BIV: Transparent and Fine-grained Binary Integrity Verification in the Cloud

With the emergence of virtualization technologies, various services have been migrated to the cloud. Beyond the tenants' own security controls implemented in the virtual machine (VM), a binary integrity verification mechanism in the virtual machine manager (VMM) provides stronger protection against malware. Unfortunately, none of the existing integrity verification mechanisms in the cloud provides both complete transparency and fine-grained efficiency. Some schemes selectively check the integrity of sensitive binaries, but they require modifications to the VMs (e.g., integrating monitoring libraries) to trigger verification. Others need no modification to the VMs, but they have to enforce checking on all the binaries, because they cannot distinguish the binary images of sensitive processes from those of insensitive ones, which leads to significant performance overhead. In this paper, we present TF-BIV, a transparent and fine-grained binary integrity verification scheme that does not require any modification or software/driver installation in the VM. TF-BIV identifies sensitive processes at creation and checks the integrity of the binaries related to these processes (including the guest OS kernel and the dependent binaries). This transparency and efficiency are achieved by leveraging existing hardware virtualization support (i.e., Intel extended page table) and debugging features (i.e., monitor trap flag). We have implemented the TF-BIV prototype based on QEMU-KVM. To demonstrate the usability of TF-BIV, we adopted it for cloud-based cryptographic services to achieve strict invocation control. In addition to password-based authentication, TF-BIV further achieves process-level authorization of the invokers. Intensive evaluation shows that TF-BIV implements the designed binary integrity verification with only about 3.6% performance overhead.

Fangjie Jiang
Institute of Information Engineering, Chinese Academy of Sciences, School of Cyber Security, University of Chinese Academy of Sciences

Quanwei Cai
Institute of Information Engineering, Chinese Academy of Sciences

Jingqiang Lin
Institute of Information Engineering, Chinese Academy of Sciences

Bo Luo
The University of Kansas

Le Guan
University of Georgia

Ziqiang Ma
Institute of Information Engineering, Chinese Academy of Sciences, School of Cyber Security, University of Chinese Academy of Sciences

 


