ferify: A Virtual Machine File Protection System against Zero-Day Attacks

04/19/2020
by Alexis Peppas, et al.

Most existing solutions for protecting VMs assume known attack patterns or signatures and focus on detecting malicious manipulation of system files and kernel-level memory structures. In this research we develop a system called ferify, which leverages VM introspection (VMI) to protect user files hosted on a VM against unauthorized access even after an attacker has obtained root privileges on the VM. ferify maintains, in the hypervisor domain, a shadow file access control list (SACL) that is completely transparent to the VM. It uses the SACL to perform independent access control on every system call that may operate on the target files. Further, ferify prevents kernel modification, ensures the integrity of process ownership, and supports hypervisor-based user authentication. We have developed a ferify prototype for Linux, and through a set of controlled experiments we show that the system mitigates a range of zero-day attacks that may otherwise evade signature-based solutions. In addition, we analyze the root cause of the high processing overhead observed when trapping system calls, and propose a general solution that can potentially cut that overhead in half.
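The design point of the abstract is that the access decision is made outside the guest, from state the guest cannot see, so a guest-side root compromise does not help an attacker. The following Python simulation is an added illustration written for this page; it is not the ferify prototype and does not implement VMI trapping. It models the three mechanisms the abstract names: a hypervisor-domain SACL keyed on hypervisor-authenticated principals rather than guest uids, a process-ownership snapshot checked on every trapped call, and a hypervisor-side login. The syscall subset, file paths, credential store and class/method names are all assumptions made for the demo.

```python
"""Toy model of hypervisor-side file access control in the style of ferify.

Constructed illustration for this page, not the project's own code. A real
system would observe the guest through VMI and trap the actual syscall
instructions; here the guest state is simply passed in as Python objects.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Illustrative subset of the system calls that may operate on a file. The
# abstract says "all system calls that may operate on the target files";
# this list is an assumption for the demo.
FILE_SYSCALLS = {"open", "openat", "unlink", "rename", "truncate", "chmod", "chown"}


@dataclass
class GuestProcess:
    """What the hypervisor can read out of the guest for one process."""
    pid: int
    uid: int          # owner as recorded in the guest kernel; forgeable by guest root
    comm: str


@dataclass
class ShadowAcl:
    """Hypervisor-domain state: nothing here is visible to the guest."""
    # SACL: protected file -> principals (hypervisor-authenticated users) allowed
    sacl: Dict[str, Set[str]]
    # constructed credential store consulted by hypervisor-based authentication
    credentials: Dict[str, str]
    # pid -> principal that proved its identity to the hypervisor
    sessions: Dict[int, str] = field(default_factory=dict)
    # pid -> uid observed when the process was first seen (ownership integrity)
    owner_at_start: Dict[int, int] = field(default_factory=dict)
    audit: List[str] = field(default_factory=list)

    def on_process_start(self, proc: GuestProcess) -> None:
        self.owner_at_start[proc.pid] = proc.uid

    def authenticate(self, proc: GuestProcess, user: str, secret: str) -> bool:
        # The check runs in the hypervisor, so guest root cannot forge a session.
        if self.credentials.get(user) == secret:
            self.sessions[proc.pid] = user
            return True
        self.audit.append(f"auth failure pid={proc.pid} user={user}")
        return False

    def on_syscall(self, proc: GuestProcess, syscall: str, path: str) -> bool:
        """Called on every trapped syscall; True lets the call proceed."""
        if syscall not in FILE_SYSCALLS or path not in self.sacl:
            return True  # not a protected file: the guest's own DAC decides
        # Ownership integrity: a process whose uid changed since it was first
        # seen (e.g. credentials rewritten after a kernel exploit) is refused.
        if self.owner_at_start.get(proc.pid) != proc.uid:
            self.audit.append(f"ownership tamper pid={proc.pid} "
                              f"uid {self.owner_at_start.get(proc.pid)} -> {proc.uid}")
            return False
        principal = self.sessions.get(proc.pid)
        if principal is None or principal not in self.sacl[path]:
            # The guest uid, including uid 0, carries no weight here.
            self.audit.append(f"deny {syscall} {path} pid={proc.pid} uid={proc.uid}")
            return False
        return True


def run_scenario() -> Dict[str, bool]:
    """Constructed accesses to one protected file; returns allow/deny per case."""
    hv = ShadowAcl(
        sacl={"/home/alice/secrets.txt": {"alice"}},
        credentials={"alice": "correct-horse"},   # constructed sample credential
    )
    results: Dict[str, bool] = {}

    # 1. Alice's editor, authenticated through the hypervisor: allowed.
    alice = GuestProcess(pid=101, uid=1000, comm="vim")
    hv.on_process_start(alice)
    hv.authenticate(alice, "alice", "correct-horse")
    results["alice_authenticated"] = hv.on_syscall(alice, "open", "/home/alice/secrets.txt")

    # 2. A shell that already holds root inside the guest but never
    #    authenticated to the hypervisor: denied despite uid 0.
    rootsh = GuestProcess(pid=202, uid=0, comm="sh")
    hv.on_process_start(rootsh)
    results["guest_root_unauthenticated"] = hv.on_syscall(rootsh, "open", "/home/alice/secrets.txt")

    # 3. Alice's authenticated process whose uid was later rewritten to 0:
    #    the ownership-integrity check denies it and records the tamper.
    alice.uid = 0
    results["ownership_tampered"] = hv.on_syscall(alice, "open", "/home/alice/secrets.txt")

    # 4. Files absent from the SACL are left to the guest kernel.
    results["unprotected_file"] = hv.on_syscall(rootsh, "open", "/tmp/scratch")
    return results


if __name__ == "__main__":
    for name, allowed in run_scenario().items():
        print(f"{name}: {'allowed' if allowed else 'denied'}")
```

The toy deliberately never consults the guest's uid when deciding access to a protected file; that is what makes the control survive a guest-root compromise. What it leaves out is exactly where the abstract reports the cost: a real implementation must trap every file-related syscall at the hypervisor, which is the processing overhead the paper analyzes.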
