Secure Offloading of Legacy IDSes Using Remote VM Introspection

Explore the secure offloading of legacy intrusion detection systems (IDSes) using remote VM introspection in semi-trusted IaaS clouds. Learn how to protect against insider threats and securely run IDSes outside virtual machines for enhanced cybersecurity.



Presentation Transcript


  1. Secure Offloading of Legacy IDSes Using Remote VM Introspection in Semi-trusted IaaS Clouds
     Kenichi Kourai, Kazuki Juda (Kyushu Institute of Technology)

  2. IDS Offloading [Garfinkel+'03]
     • Run intrusion detection systems (IDSes) outside target virtual machines (VMs) securely
       • E.g., in the management VM
       • Intruders cannot disable offloaded IDSes
     • Use VM introspection (VMI)
       • Directly obtain information inside VMs
       • E.g., memory, storage, and networks
     [Figure: the offloaded IDS in the management VM introspects the target VM via VMI]

  3. Abusing VMI by Insiders
     • Semi-trusted clouds
       • 28% of cyber crimes are caused by insiders [PwC'14]
       • An engineer in Google violated users' privacy [TechSpot News'10]
       • 35% of admins access sensitive information [CyberArk'09]
     • VMI can be abused by insiders
       • Sensitive information inside VMs is leaked
     [Figure: an insider in the management VM uses VMI against the target VM]

  4. Secure VM Execution
     • Reduce the risk of insider attacks
     • Secure runtime environment [Li+'10], VMCrypt [Tadokoro+'12]
       • Encrypt VM's memory against insiders
     • Self-service cloud [Butt+'12]
       • Prevent insiders from accessing users' VMs
     [Figure: the insider's VMI from the management VM is blocked from the target VM]

  5. Obstacles to Secure IDS Offloading
     • Secure VM execution cannot coexist with IDS offloading
       • Offloaded IDSes need to access VM's memory
       • Secure VM execution prevents such access
     • Insiders can disable offloaded IDSes
       • Stop IDSes or tamper with their configuration
     [Figure: VMI by the offloaded IDS in the management VM is blocked as well]

  6. IDS Remote Offloading
     • Run IDSes at remote hosts outside semi-trusted clouds
       • Offloaded IDSes can securely introspect VMs inside remote clouds
       • Insiders cannot disable offloaded IDSes
       • Offloaded IDSes can detect DoS attacks easily
     [Figure: the offloaded IDS at a remote host performs remote VMI on the target VM inside the cloud]

  7. Remote VMI
     • Introspect remote VMs using a VMI engine
       • Run a minimal VMI engine in the hypervisor
       • Bypass secure VM execution by the hypervisor
     • Preserve the integrity and confidentiality of introspected data
       • Between the VMI engine and remote hosts
     [Figure: the VMI engine in the hypervisor introspects the target VM for the IDS at the remote host; the insider sits in the management VM]

  8. Threat Model
     • Trust cloud providers and hardware
     • The integrity of the hypervisor is guaranteed by
       • Remote attestation with TPM at boot time
       • PCI card [Petroni+'04] or SMM [Wang+'10] at runtime
     • Do not trust all the admins in clouds
       • Insiders tamper with only the management VM
     [Figure: trusted hardware, hypervisor and remote host; the admin in the management VM is untrusted]

  9. RemoteTrans
     • A system for achieving IDS remote offloading
       • An untrusted server relays communication
     • Support legacy IDSes using Transcall [Iida+]
       • Provide an execution environment for legacy IDSes
       • E.g., system call emulation and shadow filesystems
     [Figure: legacy IDS on Transcall and the RemoteTrans (RT) runtime at the remote host; RT server in the management VM; VMI engine in the hypervisor]

  10. Remote Memory Introspection
     • The VMI engine returns requested data via the RemoteTrans server
       • Translate virtual into physical addresses
       • Encrypt data and calculate the MAC
     • The RemoteTrans runtime caches obtained data
       • Freshness vs. performance
     [Figure: data flows from the VMI engine through the RT server in the management VM to the RT runtime serving the IDS]

  11. Remote Network Introspection
     • The VMI engine forwards captured packets
       • Analyze interactions between a target VM and a virtual NIC in the management VM
       • Monitor events sent between them
       • Capture packets in the shared memory
       • Calculate the MAC
     [Figure: the VMI engine taps events between the target VM and the virtual NIC, captures packets from shared memory and forwards them via the RT server to the RT runtime]

  12. Remote Storage Introspection
     • RemoteTrans provides protected storage to remote hosts
       • The target VM encrypts storage by dm-crypt
       • The password is securely passed at boot time using FBCrypt [Egawa+'12] or SCCrypt [Kourai+'15]
       • The remote host decrypts it using the same password
     [Figure: the target VM's disk is encrypted with dm-crypt; the password is passed via FBCrypt; the RT runtime at the remote host decrypts the disk read through the RT server]

  13. Experiments
     • We examined the security and performance of IDS remote offloading
       • Prevention of insider attacks
       • Performance of remote VMI
       • Performance of offloaded legacy IDSes
     [Setup: target VM with 1 vCPU and 4 GB memory on a Xen 4.1.3 host; remote IDS host running Linux 3.2.0; both hosts Intel Xeon E3-1290 with 16 GB memory, connected by Gigabit Ethernet]

  14. Prevention of Insider Attacks
     • We tampered with memory requests/responses
       • The RemoteTrans runtime failed MAC verification
     • We tampered with forwarded packets
       • The runtime failed MAC verification
     • We searched a disk image for passwords
       • Full-disk encryption prevented this attempt
     [Figure: a malicious RT server in the management VM alters data in transit; the RT runtime at the remote host checks the MAC]
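The memory read of slide 10 and the tampering experiment of slide 14, as an added illustrative example (not RemoteTrans code): the VMI engine encrypts the requested guest memory and binds it to the request with a MAC, the RemoteTrans runtime verifies before decrypting, and a byte flipped by the untrusted relay or a response replayed to another request is rejected. The keys, the HMAC-SHA256 counter-mode cipher and the message layout are assumptions; the slides specify none of them.

```python
import hashlib
import hmac
import os
import struct

# Constructed keys shared by the VMI engine in the hypervisor and the RemoteTrans
# runtime at the remote host. The untrusted RemoteTrans server never holds them.
K_ENC = hashlib.sha256(b"constructed-encryption-key").digest()
K_MAC = hashlib.sha256(b"constructed-mac-key").digest()
HDR = ">QQI"  # request id, guest-physical address, length (20 bytes)

def _keystream(nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode stands in for the cipher the slides do not name:
    # block i = HMAC(K_ENC, nonce || i); a fresh nonce per response hides repeats.
    blocks = (hmac.new(K_ENC, nonce + struct.pack(">Q", i), hashlib.sha256).digest()
              for i in range((length + 31) // 32))
    return b"".join(blocks)[:length]

def engine_read(req_id: int, phys_addr: int, memory: bytes, size: int) -> bytes:
    """VMI engine side: read guest memory, encrypt, then MAC (encrypt-then-MAC).
    The MAC also covers the request header, so the relay cannot attach the
    answer of one request to another or change the address it claims to serve."""
    data = memory[phys_addr:phys_addr + size]
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(data, _keystream(nonce, len(data))))
    header = struct.pack(HDR, req_id, phys_addr, len(data))
    tag = hmac.new(K_MAC, header + nonce + ct, hashlib.sha256).digest()
    return header + nonce + ct + tag

def runtime_receive(req_id: int, phys_addr: int, resp: bytes) -> bytes:
    """RemoteTrans runtime side: verify the MAC first, then check that the response
    belongs to the outstanding request, then decrypt."""
    header, nonce, ct, tag = resp[:20], resp[20:36], resp[36:-32], resp[-32:]
    expected = hmac.new(K_MAC, header + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("MAC verification failed: response altered in transit")
    if struct.unpack(HDR, header) != (req_id, phys_addr, len(ct)):
        raise ValueError("authentic response, but for a different request")
    return bytes(c ^ k for c, k in zip(ct, _keystream(nonce, len(ct))))

def tamper(resp: bytes, offset: int) -> bytes:
    """Model of the slide-14 experiment: the relay flips one byte of a response."""
    return resp[:offset] + bytes([resp[offset] ^ 0xFF]) + resp[offset + 1:]

def deliver(req_id: int, phys_addr: int, resp: bytes):
    """Plaintext the IDS would see, or None when the runtime rejects the response."""
    try:
        return runtime_receive(req_id, phys_addr, resp)
    except ValueError:
        return None
```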

  15. Performance of Remote VMI
     • We compared remote VMI with local VMI
       • Memory introspection: 92% degradation
         • Due to the overhead of communication and encryption
       • Storage introspection: 36% degradation
       • Network introspection: no packet loss
     [Chart: memory and storage introspection throughput (MB/s, 0 to 125) for remote VMI, local VMI and in-VM]

  16. Performance of Legacy IDSes
     • We compared IDS remote offloading with local offloading
       • chkrootkit: 60% faster
         • Because of no virtualization at a remote host
       • Tripwire: 13% faster
       • Snort: only 5 ms longer detection time
     [Chart: execution time (sec) of chkrootkit and Tripwire for remote, local and in-VM]

  17. Related Work
     • Using remote hosts with IDSes
       • Copilot [Petroni et al.'04]: send the result of integrity checking using a PCI card
       • HyperCheck [Wang et al.'10]: send the raw memory using SMM in x86
     • Secure execution of local IDSes
       • Flicker [McCune et al.'08]: execute IDSes using Intel TXT and AMD SVM
       • Self-service cloud [Butt et al.'12]: execute IDSes in VMs that cannot be disabled by admins

  18. Conclusion
     • IDS remote offloading with remote VMI
       • Securely run legacy IDSes at trusted remote hosts outside semi-trusted clouds
       • Coexist with secure VM execution by a VMI engine in the trusted hypervisor
       • Achieve efficient execution of offloaded IDSes
     • Future work
       • Performance evaluation when many VMs are monitored
       • Performance improvement under large network delay
