Protecting Critical Files Using Target-Based Virtual Machine Introspection Approach

Dongyang ZHAN, Lin YE, Binxing FANG, Xiaojiang DU, Zhikai XU

IEICE TRANSACTIONS on Information and Systems, Vol.E100-D, No.10, pp.2307-2318
Publication Date: 2017/10/01
Online ISSN: 1745-1361
DOI: 10.1587/transinf.2016INP0009
Type of Manuscript: Special Section PAPER (Special Section on Security, Privacy and Anonymity in Computation, Communication and Storage Systems)
Category: Operating system and network Security
Keywords: Monitoring, VMI, target-based, filesystem

Full Text: PDF (904KB)
Errata uploaded on June 1, 2018

Protecting critical files in an operating system is very important to system security. With the increasing adoption of Virtual Machine Introspection (VMI), designing VMI-based monitoring tools has become a preferred choice, offering promising features such as isolation, stealthiness and quick recovery from crashes. However, these tools inevitably introduce high overhead because they are operation-based: to monitor critical files they must intercept certain file operations whenever those operations are executed, regardless of whether the files involved are critical or not. File operations are frequent, so operation-based methods often cause serious performance degradation. In this paper we therefore present CFWatcher, a target-based real-time monitoring solution that protects critical files by leveraging VMI techniques. As a target-based scheme, CFWatcher restricts monitoring to the operations that access target files defined by users. Consequently, the overhead depends on how often the target files are accessed rather than on activity across the whole filesystem, which dramatically reduces the overhead. To validate our solution, a prototype system is built on Xen with full virtualization; it can monitor both Linux and Windows virtual machines and can also take actions to prevent unauthorized access according to predefined policies. Through extensive evaluations, the experimental results demonstrate that the overhead introduced by CFWatcher is acceptable. In particular, the overhead is very low when only a few target files are monitored.
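The target-based idea in the abstract (monitoring only the operations that touch user-defined target files, and enforcing a policy on those) is illustrated by the following added example. It is not CFWatcher's code and performs no VMI: the hypervisor-level interception is replaced by a constructed in-memory stream of guest file operations, and the policy model (a map from target path to the guest process names allowed to modify it, with reads left unrestricted) is an assumption of this example, not something the paper specifies. The example runs an operation-based monitor and a target-based monitor over the same stream so the difference in how many operations each one has to handle is visible.

```python
"""
Illustrative model of target-based vs operation-based file monitoring.
Added example; not CFWatcher's code. Assumptions not taken from the paper:
file operations arrive as FileEvent records (the hypervisor-level trap is
replaced by a constructed event list), and a policy maps each target path
to the set of guest process names that may modify it.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set, Tuple

# Operations that change a file; reads are not restricted by this toy policy.
MODIFY_OPS = {"write", "unlink", "rename", "truncate", "chmod"}


@dataclass(frozen=True)
class FileEvent:
    pid: int        # guest process id
    process: str    # guest process name (as a VMI tool would resolve it)
    op: str         # file operation: "open", "write", "unlink", ...
    path: str       # absolute path inside the guest


@dataclass(frozen=True)
class Verdict:
    event: FileEvent
    allowed: bool
    reason: str


Policy = Dict[str, Set[str]]   # target path -> processes allowed to modify it


def check_policy(ev: FileEvent, policy: Policy) -> Verdict:
    """Decide whether an operation on a target file is permitted."""
    if ev.op not in MODIFY_OPS:
        return Verdict(ev, True, "read-only access to target")
    if ev.process in policy[ev.path]:
        return Verdict(ev, True, f"{ev.process} is authorized to modify {ev.path}")
    return Verdict(ev, False, f"{ev.process} is not authorized to modify {ev.path}")


def operation_based_monitor(events: Iterable[FileEvent], policy: Policy) -> Tuple[List[Verdict], int]:
    """Every file operation is intercepted; the monitor then filters by path.
    Returns (verdicts for target files, number of operations the monitor handled)."""
    verdicts, handled = [], 0
    for ev in events:
        handled += 1                    # cost is paid for every operation
        if ev.path in policy:
            verdicts.append(check_policy(ev, policy))
    return verdicts, handled


def target_based_monitor(events: Iterable[FileEvent], policy: Policy) -> Tuple[List[Verdict], int]:
    """Only operations on target files reach the monitor; the rest pass through
    untouched. The selective interception is modelled here by the `in targets` test."""
    targets = frozenset(policy)
    verdicts, handled = [], 0
    for ev in events:
        if ev.path not in targets:
            continue                    # non-target operation: no monitor work
        handled += 1
        verdicts.append(check_policy(ev, policy))
    return verdicts, handled


def overhead_ratio(handled: int, total: int) -> float:
    """Fraction of all file operations that incurred monitoring work."""
    return handled / total if total else 0.0


# Constructed sample data: a toy policy and a short stream of guest file operations.
POLICY: Policy = {
    "/etc/passwd": {"passwd", "useradd"},
    "/etc/shadow": {"passwd"},
}

SAMPLE_EVENTS = [
    FileEvent(101, "bash", "open", "/home/alice/notes.txt"),
    FileEvent(102, "vim", "write", "/home/alice/notes.txt"),
    FileEvent(103, "sshd", "open", "/var/log/auth.log"),
    FileEvent(104, "passwd", "write", "/etc/shadow"),
    FileEvent(105, "unknown_tool", "write", "/etc/shadow"),
    FileEvent(106, "cat", "open", "/etc/passwd"),
    FileEvent(107, "useradd", "write", "/etc/passwd"),
    FileEvent(108, "cron", "open", "/var/spool/cron/root"),
]


def run_demo(events=SAMPLE_EVENTS, policy=POLICY) -> dict:
    """Run both monitors over the same stream and summarise the difference."""
    total = len(events)
    op_verdicts, op_handled = operation_based_monitor(events, policy)
    tb_verdicts, tb_handled = target_based_monitor(events, policy)
    denied = [v.event.pid for v in tb_verdicts if not v.allowed]
    return {
        "total_ops": total,
        "operation_based_handled": op_handled,
        "target_based_handled": tb_handled,
        "operation_based_ratio": overhead_ratio(op_handled, total),
        "target_based_ratio": overhead_ratio(tb_handled, total),
        "same_verdicts": op_verdicts == tb_verdicts,
        "denied_pids": denied,
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Both monitors reach identical verdicts, but the operation-based one handles all eight operations while the target-based one handles only the four that touch a target path; with a realistic workload, where most file activity never touches the protected files, that ratio is what makes the overhead depend on target-file access frequency rather than on total filesystem activity.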