TY - GEN
T1 - Active file integrity monitoring using paravirtualized filesystems
AU - Velten, Michael
AU - Wessel, Sascha
AU - Stumpf, Frederic
AU - Eckert, Claudia
PY - 2013
Y1 - 2013
N2 - Monitoring file integrity and preventing illegal modifications is a crucial part of improving system security. Unfortunately, current research that focuses on isolating monitoring components from supervised systems can often still be thwarted by tampering with the hooks placed inside Virtual Machines (VMs), so that critical file operations go unnoticed. In this paper, we present an approach that relocates a supervised VM's entire filesystem into the isolated realm of the host. This way, we can enforce that all file operations originating from a VM (e.g., read and write operations) must necessarily be routed through the hypervisor, and thus can be tracked and even prevented. Disabling hooks in the VM then becomes pointless, as this would render the VM incapable of accessing or manipulating its own filesystem. This guarantees secure and complete active file integrity monitoring of VMs. The experimental results of our prototype implementation show the feasibility of our approach.
KW - Active File Integrity Monitoring
KW - File Integrity Protection
KW - Paravirtualized Filesystem
UR - http://www.scopus.com/inward/record.url?scp=84893071187&partnerID=8YFLogxK
U2 - 10.1007/978-3-319-03491-1_4
DO - 10.1007/978-3-319-03491-1_4
M3 - Conference contribution
AN - SCOPUS:84893071187
SN - 9783319034904
T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
SP - 53
EP - 69
BT - Trusted Systems - 5th International Conference, INTRUST 2013, Proceedings
T2 - 5th International Conference on Trusted Systems, INTRUST 2013
Y2 - 4 December 2013 through 5 December 2013
ER -
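The architecture the abstract describes, as an added illustration that is not the authors' prototype: the guest's filesystem lives in a directory owned by the host, every guest file operation arrives at a single host-side entry point, and that entry point logs each request, refuses writes to files covered by an integrity policy, and keeps a hash baseline of the protected set. The class, the protected-path globs, the sample guest files and the request sequence are all constructed for the demo; a real paravirtualized filesystem (e.g., a 9P or virtio-fs server) would receive the same operations over its transport instead of direct method calls.

```python
"""Host-side monitor for a guest filesystem relocated onto the host.

Example code modelling the abstract's design, not the paper's prototype.
Policy globs, sample files and requests below are constructed for the demo.
"""
import fnmatch
import hashlib
import os
import tempfile


class HostFsMonitor:
    """Serves guest file operations from a host directory and enforces policy."""

    def __init__(self, root, protected_globs):
        self.root = os.path.realpath(root)
        self.protected_globs = list(protected_globs)   # assumed policy format
        self.baseline = {}   # guest path -> sha256 of protected files
        self.events = []     # (op, guest_path, allowed, detail) audit trail

    def guest_to_host(self, guest_path):
        """Map a guest path to a host path confined under self.root.

        Normalising as an absolute guest path collapses '..' first, so
        '/../../etc/passwd' becomes '/etc/passwd' inside the guest root
        instead of escaping to the real host filesystem.
        """
        guest = os.path.normpath("/" + guest_path.lstrip("/"))
        host = os.path.join(self.root, guest.lstrip("/"))
        if os.path.commonpath([self.root, os.path.realpath(host)]) != self.root:
            raise ValueError("path escapes guest root: %r" % guest_path)
        return guest, host

    def is_protected(self, guest_path):
        # fnmatch's '*' also matches '/', so '/etc/*' covers subdirectories.
        return any(fnmatch.fnmatch(guest_path, g) for g in self.protected_globs)

    @staticmethod
    def _sha256(host_path):
        h = hashlib.sha256()
        with open(host_path, "rb") as f:
            for chunk in iter(lambda: f.read(65536), b""):
                h.update(chunk)
        return h.hexdigest()

    def take_baseline(self):
        """Hash every existing file that matches a protected glob."""
        self.baseline = {}
        for dirpath, _, files in os.walk(self.root):
            for name in files:
                host = os.path.join(dirpath, name)
                guest = "/" + os.path.relpath(host, self.root).replace(os.sep, "/")
                if self.is_protected(guest):
                    self.baseline[guest] = self._sha256(host)
        return dict(self.baseline)

    def verify(self):
        """Protected guest paths whose content no longer matches the baseline."""
        changed = []
        for guest, digest in self.baseline.items():
            _, host = self.guest_to_host(guest)
            if not os.path.isfile(host) or self._sha256(host) != digest:
                changed.append(guest)
        return changed

    def handle(self, op, guest_path, data=None):
        """The only way guest data is reached. Returns (allowed, payload_or_reason)."""
        guest, host = self.guest_to_host(guest_path)
        if op == "read":
            if not os.path.isfile(host):
                return self._record(op, guest, False, "ENOENT")
            with open(host, "rb") as f:
                content = f.read()
            self._record(op, guest, True, "%d bytes" % len(content))
            return True, content
        if op == "write":
            # Active monitoring: the write is refused before it reaches disk,
            # so there is nothing to detect after the fact or roll back.
            if self.is_protected(guest):
                return self._record(op, guest, False, "EACCES: protected by policy")
            os.makedirs(os.path.dirname(host), exist_ok=True)
            with open(host, "wb") as f:
                f.write(data)
            return self._record(op, guest, True, "%d bytes" % len(data))
        return self._record(op, guest, False, "EOPNOTSUPP")

    def _record(self, op, guest, allowed, detail):
        self.events.append((op, guest, allowed, detail))
        return allowed, detail


def demo():
    """Build a throwaway guest filesystem and replay constructed guest requests."""
    root = tempfile.mkdtemp(prefix="guestfs-")
    seed = {  # constructed sample guest files
        "/etc/passwd": b"root:x:0:0:root:/root:/bin/sh\n",
        "/home/user/notes.txt": b"hello\n",
    }
    for guest, content in seed.items():
        host = os.path.join(root, guest.lstrip("/"))
        os.makedirs(os.path.dirname(host), exist_ok=True)
        with open(host, "wb") as f:
            f.write(content)
    mon = HostFsMonitor(root, ["/etc/*", "/bin/*", "/sbin/*"])
    mon.take_baseline()
    results = {
        "read_passwd": mon.handle("read", "/etc/passwd"),       # allowed, logged
        "tamper_passwd": mon.handle("write", "/etc/passwd",     # refused
                                    b"root::0:0:root:/root:/bin/sh\n"),
        "write_notes": mon.handle("write", "/home/user/notes.txt", b"hello world\n"),
        "traversal": mon.handle("read", "/../../etc/passwd"),   # confined to root
    }
    return mon, results


if __name__ == "__main__":
    monitor, res = demo()
    for event in monitor.events:
        print(event)
    print("changed protected files:", monitor.verify())
```

The point the abstract makes shows up in where the check lives: there is no hook in the guest to disable, because `handle` is the guest's only route to its own data, and the hash baseline in `verify` is a host-side check that the guest cannot influence. In a deployment the same entry point would also need to cover rename, unlink, truncate and metadata operations, which this model leaves out.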