Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

9/20/2010
03:22 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

NC State, IBM Researchers Create 'Stealth' Hypervisor Security Tool

Tool will ultimately be offered as open source

Researchers at NC State University and IBM have built a prototype security tool that operates in stealth mode to determine the security of a hypervisor so as not to tip off attackers.

The so-called HyperSentry software runs outside the hypervisor to verify in real time whether it has been compromised by malware or an attacker. Because the hypervisor handles multiple virtual machines within a physical machine, an attack against the hypervisor could compromise multiple applications and, in the case of cloud computing services, potentially multiple customers' systems and applications. The attacker then could steal user information, spread malware, or deploy the cloud's computing resources for other attacks.

Dr. Peng Ning, one of the researchers who developed HyperSentry and a professor of computer science at NC State, says the prototype tool measures a hypervisor's integrity without the hypervisor knowing it's being measured in case an attacker has wrested control of it. The software also has a full view of all elements of the hypervisor, including the internal memory of the CPUs running it, according to Ning. "It gives you peace of mind about the [cloud computing] system's integrity: At least you can be more confident that the system is better protected," Ning says.

Hypervisor attacks are rare today. "But if there is one, the consequences would be quite serious. Think about Amazon [cloud computing service] with so many machines running so many things [being attacked]," Peng says.

Sophisticated malware can be camouflaged to hide from security software that only views the memory where the hypervisor is stationed, and can modify pieces of the CPU and move the infected software where it can't be detected. HyperSentry is able to see where the hypervisor is located, even if it has been relocated by an attacker, according to the researchers.

"It makes sure it's really measuring the hypervisor," Ning says. Existing security tools can be defeated by hypervisor hacks, he says.

"The hypervisor is usually the highest-privileged software on the system. If the hypervisor is compromised, the attacker ... can change how the program is supposed to run. It can replace itself with a previously known version, and if a vulnerability exists, an attacker can come back and attack it again," he says.

Ning and his fellow colleagues built their prototype for the Xen hypervisor and will present their work next month at the 17th ACM Conference on Computer and Communications Security in Chicago.

The HyperSentry prototype uses the Intelligent Platform Management Interface (IPMI) on the server to set up the "out-of-band" channel that separates the tool from the hypervisor. It then invokes a System Management Interrupt (SMI) to trigger HyperSentry. "We're also working on a version to measure the Linux KVM" virtual environment, Ning says.

HyperSentry ultimately will become an open-source offering. The researchers are looking at other applications of the technology, as well. "We are having conversations with IBM and Red Hat to see if it can be applied to enterprise systems management. So if this works out, hopefully in two to three years you will see HyperSentry used in an enterprise environment," Ning says. "HyperSentry is currently shaped for server platforms."

NC State researchers earlier this year built another hypervisor security tool called HyperSafe that blocks any new code -- namely malware -- from getting into the hypervisor and restricts alterations to the hypervisor's code. Ning says HyperSafe is complementary to HyperSentry.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
Microsoft Patches Wormable RCE Vulns in Remote Desktop Services
Kelly Sheridan, Staff Editor, Dark Reading,  8/13/2019
The Mainframe Is Seeing a Resurgence. Is Security Keeping Pace?
Ray Overby, Co-Founder & President at Key Resources, Inc.,  8/15/2019
GitHub Named in Capital One Breach Lawsuit
Dark Reading Staff 8/14/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-15150
PUBLISHED: 2019-08-19
In the OAuth2 Client extension before 0.4 for MediaWiki, a CSRF vulnerability exists due to the OAuth2 state parameter not being checked in the callback function.
CVE-2017-18550
PUBLISHED: 2019-08-19
An issue was discovered in drivers/scsi/aacraid/commctrl.c in the Linux kernel before 4.13. There is potential exposure of kernel stack memory because aac_get_hba_info does not initialize the hbainfo structure.
CVE-2017-18551
PUBLISHED: 2019-08-19
An issue was discovered in drivers/i2c/i2c-core-smbus.c in the Linux kernel before 4.14.15. There is an out of bounds write in the function i2c_smbus_xfer_emulated.
CVE-2017-18552
PUBLISHED: 2019-08-19
An issue was discovered in net/rds/af_rds.c in the Linux kernel before 4.11. There is an out of bounds write and read in the function rds_recv_track_latency.
CVE-2018-20976
PUBLISHED: 2019-08-19
An issue was discovered in fs/xfs/xfs_super.c in the Linux kernel before 4.18. A use after free exists, related to xfs_fs_fill_super failure.