DOI: 10.1145/3159450.3159606
Research article (Public Access)

Using Virtual Machine Introspection for Operating Systems Security Education

Published: 21 February 2018

Abstract

Historically, hands-on cybersecurity exercises have helped reinforce basic cybersecurity concepts. However, most of them focused on user-level attacks and defenses and did not provide a convenient way to study kernel-level security. Since OS kernels provide the foundation for applications, any compromise of the OS kernel leaves a computer that cannot be trusted. Moreover, there has been great interest in using virtualization to profile, characterize, and observe kernel events, including security incidents. Virtual Machine Introspection (VMI) is a technique that has been deeply investigated for intrusion detection, malware analysis, and memory forensics. Inspired by the success of VMI, we used it to develop hands-on labs for teaching kernel-level security. In this work, we present three VMI-based labs, on (1) stack-based buffer overflow, (2) direct kernel object manipulation (DKOM), and (3) a kernel integrity checker, which have been made available online. We then analyze the differences between the approaches taken by VMI-based labs and traditional labs and conclude that, from a teaching standpoint, VMI-based labs are better than traditional labs because they provide more visibility and a superior ability to manipulate kernel memory, which gives more insight into kernel security concepts.

Published In

SIGCSE '18: Proceedings of the 49th ACM Technical Symposium on Computer Science Education
February 2018, 1174 pages
ISBN: 9781450351034
DOI: 10.1145/3159450

Publisher

Association for Computing Machinery, New York, NY, United States

Acceptance Rates

SIGCSE '18 paper acceptance rate: 161 of 459 submissions (35%)
Overall acceptance rate: 1,595 of 4,542 submissions (35%)

Cited By

  • (2023) Lightweight Symphony: Towards Reducing Computer Science Student Anxiety with Standardized Docker Environments. Proceedings of the 24th Annual Conference on Information Technology Education, 15-21. DOI: 10.1145/3585059.3611432. Online publication date: 11 Oct 2023.
  • (2021) Introspect Virtual Machines Like It Is the Linux Kernel! Detection of Intrusions and Malware, and Vulnerability Assessment, 258-277. DOI: 10.1007/978-3-030-80825-9_13. Online publication date: 9 Jul 2021.
  • (2020) SIGITE and SIGCSE Symposiums. Proceedings of the 21st Annual Conference on Information Technology Education, 132-137. DOI: 10.1145/3368308.3415400. Online publication date: 7 Oct 2020.
  • (2019) Topological Scoring of Concept Maps for Cybersecurity Education. Proceedings of the 50th ACM Technical Symposium on Computer Science Education, 731-737. DOI: 10.1145/3287324.3287495. Online publication date: 22 Feb 2019.
  • (2019) Evaluation of Peer Instruction for Cybersecurity Education. Proceedings of the 50th ACM Technical Symposium on Computer Science Education, 720-725. DOI: 10.1145/3287324.3287403. Online publication date: 22 Feb 2019.
  • (2018) Discover and Secure (DaS): An Automated Virtual Machine Security Management Framework. 2018 IEEE 37th International Performance Computing and Communications Conference (IPCCC), 1-6. DOI: 10.1109/PCCC.2018.8711239. Online publication date: Nov 2018.

View Options

View options

PDF

View or Download as a PDF file.

PDF

eReader

View online with eReader.

eReader

Get Access

Login options

Media

Figures

Other

Tables

Share

Share

Share this Publication link

Share on social media