Software is prone to bugs and vulnerabilities. To protect it, researchers normally go to a lower layer, such as protecting applications from within the kernel or protecting operating systems from within the hypervisor, because the upper layer is controlled by and depends on the lower layer. However, even a small hypervisor, which partitions the system hardware resources into different domains to support and isolate multiple virtual machines, may contain vulnerabilities and is hard to protect from within itself.
In this dissertation, we use a hardware-assisted method to monitor the integrity of the software running on top of it. We present HyperCheck, a hardware-assisted tampering detection framework designed to protect the integrity of hypervisors or operating systems (OS). HyperCheck leverages the CPU System Management Mode (SMM), present in x86 systems, and a dedicated commercial network card to securely generate and transmit the full state of the protected machine to an external server. Using HyperCheck, we were able to ferret out rootkits that targeted the integrity of both the Xen hypervisor and traditional OSes. Moreover, HyperCheck is robust against attacks that aim to disable or block its operation. Our experimental results show that HyperCheck can produce and communicate a scan of the state of the protected software in less than 40 ms.
In addition to detecting intrusions, another promising approach to protecting the end user's computer is to separate sensitive tasks, such as financial activities, from non-sensitive tasks. For this purpose, we designed a system that has two operating systems installed: one trusted and the other untrusted. The trusted OS runs only the trusted applications and is guaranteed to be separated from the untrusted OS. Without using a hypervisor, we leverage the commercial hardware and the BIOS to enforce the isolation between the two OSes. By utilizing the standard ACPI S3 sleep, we also achieve a short delay when switching between the two OSes.
|School:|George Mason University|
|School Location:|United States -- Virginia|
|Source:|DAI-B 72/11, Dissertation Abstracts International|
|Keywords:|Digital forensics, Hardware-assisted protection, Hypervisor security, Integrity monitor, Isolation|
Copyright in each Dissertation and Thesis is retained by the author. All Rights Reserved