ferify: A Virtual Machine File Protection System against Zero-Day Attacks
This addresses security vulnerabilities in VMs for cloud computing and data centers, offering a novel approach to file protection against unknown attacks, though it is incremental in building on existing VM introspection techniques.
The researchers tackled the problem of protecting virtual machine (VM) user files from zero-day attacks, even after attackers gain root privileges, by developing ferify, a system that uses VM introspection and a shadow access control list to enforce independent access control, and they demonstrated its ability to mitigate such attacks while analyzing and proposing a solution to reduce processing overhead by half.
Most existing solutions for protecting VMs assume known attack patterns or signatures and focus on detecting malicious manipulations of system files and kernel level memory structures. In this research we develop a system called ferify, which leverages VM introspection (VMI) to protect user files hosted on a VM against unauthorized access even after an attacker has managed to obtain root privileges on the VM. ferify maintains in the hypervisor domain a shadow file access control list (SACL) that is totally transparent to the VM. It uses the SACL to perform independent access control on all system calls that may operate on the target files. Further, ferify prevents kernel modification, ensures the integrity of process ownership, and supports hypervisor based user authentication. We have developed a ferify prototype for Linux and through a set of controlled experiments we show that the system is able to mitigate a range of zero-day attacks that otherwise may evade signature-based solutions. In addition, we analyze the root cause of the observed high processing overhead from trapping of system calls, and propose a general solution that can potentially cut that overhead by half.