TWC: Small: Securing Cloud Infrastructure: Unobtrusive Techniques for Detecting Hypervisor Compromise

TWC：小：保护云基础设施：用于检测虚拟机管理程序泄露的不引人注目的技术

• 批准号: 1318399
• 负责人: Jordan Shropshire
• 金额: $ 10.87万
• 依托单位: Georgia Southern University Research and Service Foundation, Inc
• 依托单位国家: 美国
• 项目类别: Standard Grant
• 财政年份: 2013
• 资助国家: 美国
• 起止时间: 2013-10-01 至 2014-06-30
• 项目状态: 已结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=1318399&HistoricalAwards=false
• 关键词: TWC; Small; Securing; Cloud; Infrastructure

Hypervisors are the building blocks of cloud computing. They host the virtualized operating systems and applications which provide highly-scalable, pervasive services on a continuous basis. These thin-layer, bare-metal operating systems create a prime target for attack. A compromised hypervisor grants access to hosted virtual machines and data stores. Its computing resources can be used for malicious purposes, including mounting additional attacks. To avoid detection, rooted hypervisors must not only avoid tripping internal alarms, but also convince external monitors that they are operating normally. To conceal illicit activities, they may underreport performance metrics. Although rootkits can hide unauthorized activity by understating system load, they cannot tamper with external measures of power usage. This research develops a new method for identifying compromised hypervisors which integrates energy usage statistics. This method correlates independent measures of server energy usage with hypervisor reports of system state to create models of power consumption. The detection process focuses on hypervisors which appear to use more power than expected, given reported performance metrics. Three out-of-band tests for detecting compromise are undergoing testing and refinement. The results of this research will indicate the effectiveness of energy correlation-approaches at identifying rooted hypervisors. If successful, this project will provide a platform-neutral method for cloud management monitors to identify compromised hypervisors. It reduces adoption risks for organizations and individual users of cloud services. In addition, it will provide opportunities for graduate and undergraduate students to developed advanced skills in cloud and data center security.

虚拟机管理程序是云计算的构建块。它们托管虚拟化的操作系统和应用程序，这些操作系统和应用程序连续提供高度可扩展的普及服务。这些薄层、裸金属操作系统成为攻击的主要目标。受损的虚拟机管理程序赠款对托管的虚拟机和数据存储的访问权限。其计算资源可用于恶意目的，包括发动额外攻击。为了避免被检测到，根管理程序不仅要避免触发内部警报，还要让外部监视器相信它们正在正常运行。为了掩盖非法活动，他们可能会少报业绩指标。虽然rootkit可以通过低估系统负载来隐藏未经授权的活动，但它们不能篡改电力使用的外部测量。这项研究开发了一种新的方法来识别受损的虚拟机管理程序，集成了能源使用统计数据。该方法将服务器能源使用的独立测量与系统状态的管理程序报告相关联，以创建功耗模型。根据报告的性能指标，检测过程将重点放在使用的功率似乎超过预期的虚拟机管理程序上。目前正在测试和完善三个用于检测泄密的带外测试。这项研究的结果将表明能量相关方法在识别根管理程序的有效性。如果成功，该项目将为云管理监视器提供一种平台中立的方法，以识别受损的虚拟机管理程序。它降低了组织和个人用户采用云服务的风险。此外，它还将为研究生和本科生提供机会，培养他们在云和数据中心安全方面的高级技能。