Researchers receive Best Paper Award, Carter Award for RnS monitoring research
Katie Carr, CSL
- ECE graduate students Cuong Pham and Zachary Estrada, CS graduate student Phuong Cao, and faculty members Ravishankar Iyer and Zbigniew Kalbarczyk earned the inaugural Best Paper Award at the 2014 IEEE/IFIP International Conference on Dependable Systems and Networks.
- Additionally, Pham was awarded the William C. Carter Award at the conference for his outstanding PhD research.
- The team created HyperTap, a framework that addresses both reliability and security in computer systems.
In any computer system, reliability and security are both essential, but they are typically treated as separate concerns: reliability addresses accidental failures, while security defends against intentional attacks. The result is usually a separately designed solution to each problem, and such solutions are difficult to integrate under a common monitoring framework.
However, ECE graduate students Cuong Manh Pham, Zachary J. Estrada and CS graduate student Phuong Cao, along with their advisors, ECE Professor Ravishankar K. Iyer and CSL Research Professor Zbigniew Kalbarczyk, who are all part of CSL’s DEPEND research group, are working to achieve both reliability and security simultaneously via continuous monitoring of virtual machines, which are the basic building blocks of cloud computing.
“Conceptually, we try to do reliability and security together,” Pham said. “In every system, they’re both important, but in research, we usually address them separately. In our research group, we try to address them together. This is a new trend in thinking.”
Their solution, HyperTap, a monitoring framework that addresses both reliability and security, is described in their paper “Reliability and Security Monitoring of Virtual Machines Using Hardware Architectural Invariants.” The team received the inaugural Best Paper Award at last month’s 2014 IEEE/IFIP International Conference on Dependable Systems and Networks (DSN). Additionally, Pham was recognized for his outstanding PhD research in this area and was awarded the William C. Carter Award at DSN. HyperTap is an important basis for Pham’s PhD research and also draws on the systems expertise of his collaborators, Estrada and Cao.
The Carter Award is given to a graduate student in recognition of their PhD dissertation research and contributions to the field of dependable computing. This is the fourth time an Illinois student has won the Carter Award, which is presented at one of the top conferences in the dependable computing research area. Additionally, this was the first time DSN had a best paper award category; the winner was determined by votes from conference attendees.
“This is a major international recognition of Cuong’s work and indeed brings lots of prestige to Illinois,” said Iyer, the George and Ann Fisher Distinguished Professor of Engineering and ECE Illinois faculty member. “Cuong’s work is one of the first research directions that explore both reliability and security jointly through a common framework called continuous monitoring. People have speculated about the value of this approach in the past, but this is the first time that it has been truly demonstrated and implemented.”
HyperTap is a hypervisor-level framework that sits beneath a virtual machine and efficiently supports both reliability and security monitoring in virtualization environments. It uses hardware architectural invariants (events the hardware must generate regardless of the state of the guest operating system) together with active monitoring, and it can be adapted to enforce a wide variety of reliability and security policies. The research group prototyped three detectors on top of HyperTap to identify failures and malicious activity: Guest OS Hang Detection (GOSHD), Hidden RootKit Detection (HRKD) and Privilege Escalation Detection (PED).
GOSHD detects scenarios in which a guest operating system can no longer make progress. Furthermore, it detects partial operating system hangs, a new failure mode that had long created headaches for those who maintain systems but had never previously been detected or studied.
HRKD detects rootkits of all types (a rootkit is malicious software developed to hide other malicious software). Together, GOSHD and HRKD show that a single common event, such as a context switch, can serve reliability and security monitoring at the same time. PED showcases the advantage of active monitoring by detecting privilege escalation attacks, which underlie most of the multi-stage attacks recently observed in the field. Specifically, PED defeats three new types of attack, proposed in the paper, that existing tools cannot cope with.
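As an added illustration of the principle behind these detectors (example code written for this page, not HyperTap's implementation), the following simulation shows how a single hardware event stream, the page-table-base (CR3) loads that accompany every guest context switch, can feed both a reliability check (full and partial hang) and a security check (a task that is being scheduled but that the guest OS does not report), plus a simplified credential invariant standing in for active monitoring. The event format, the timing window, the process lists and the credential rule are all assumptions made for the example, not details taken from the paper.

```python
"""Hypervisor-side monitoring from hardware events, simulated.

Added illustration, not HyperTap's code. A hypervisor observes every
page-table-base (CR3) load the guest performs, which the hardware must do
whenever the guest OS switches to a different process. That single event
stream feeds two checks, and a third check models active monitoring: the
hypervisor pausing the guest on an event and reading task state.
All events, timings, process lists and the credential rule are constructed
assumptions for the example.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ContextSwitch:
    t_ms: float  # hypervisor timestamp when the CR3 load was observed
    vcpu: int    # virtual CPU on which the switch happened
    cr3: int     # page-table base of the task being switched in


def detect_hang(events, n_vcpus, now_ms, window_ms):
    """GOSHD-style check: a vCPU that has not performed a context switch
    within window_ms is not making progress. Returns (verdict, hung_vcpus);
    'partial-hang' means some but not all vCPUs have stalled."""
    last_seen = {v: None for v in range(n_vcpus)}
    for ev in events:
        if last_seen[ev.vcpu] is None or ev.t_ms > last_seen[ev.vcpu]:
            last_seen[ev.vcpu] = ev.t_ms
    hung = {v for v, t in last_seen.items() if t is None or now_ms - t > window_ms}
    if not hung:
        return "ok", hung
    if len(hung) == n_vcpus:
        return "full-hang", hung
    return "partial-hang", hung


def detect_hidden_tasks(events, guest_reported):
    """HRKD-style cross-view check: guest_reported maps CR3 -> pid as the
    guest OS itself reports its process list. A CR3 the hardware actually
    scheduled but the guest does not report belongs to a hidden task: a
    rootkit can unlink a task from kernel lists, but cannot run it without
    loading its page tables. (Simplification: kernel threads that share one
    CR3 are ignored here.)"""
    scheduled = {ev.cr3 for ev in events}
    return sorted(scheduled - set(guest_reported))


# Assumed legitimate paths by which a task's uid may drop toward 0.
CRED_SYSCALLS = {"setuid", "setresuid", "execve"}


def detect_priv_escalation(snapshots, cred_syscalls=CRED_SYSCALLS):
    """PED-style invariant (illustrative rule, not the paper's): snapshots
    are (pid, uid, last_syscall) triples the hypervisor reads from guest task
    state each time it pauses the guest. A uid that decreases without a
    credential-changing syscall in between is flagged."""
    last_uid = {}
    alerts = []
    for pid, uid, syscall in snapshots:
        prev = last_uid.get(pid)
        if prev is not None and uid < prev and syscall not in cred_syscalls:
            alerts.append(pid)
        last_uid[pid] = uid
    return alerts


# Constructed sample input: two vCPUs, three tasks the guest admits to
# (CR3 -> pid) and one (0x9000) it does not.
GUEST_PROCS = {0x1000: 1, 0x2000: 42, 0x3000: 43}
SAMPLE_EVENTS = [
    ContextSwitch(0, 0, 0x1000), ContextSwitch(5, 1, 0x2000),
    ContextSwitch(10, 0, 0x3000), ContextSwitch(15, 1, 0x1000),
    ContextSwitch(20, 0, 0x9000),  # scheduled, but absent from GUEST_PROCS
    ContextSwitch(25, 0, 0x2000), ContextSwitch(30, 0, 0x1000),
]  # vCPU 1 goes quiet after t=15
SAMPLE_SNAPSHOTS = [
    (42, 1000, None), (42, 1000, "read"), (42, 0, "write"),  # root with no setuid
    (43, 1000, None), (43, 0, "setuid"),                     # legitimate
]

if __name__ == "__main__":
    print(detect_hang(SAMPLE_EVENTS, n_vcpus=2, now_ms=70, window_ms=50))
    print([hex(c) for c in detect_hidden_tasks(SAMPLE_EVENTS, GUEST_PROCS)])
    print(detect_priv_escalation(SAMPLE_SNAPSHOTS))
```

The point of the cross-view check is that it never trusts the guest's own bookkeeping: the process list the guest reports is compared against what the hardware was forced to do, so a rootkit that edits kernel data structures still shows up the moment its hidden task is scheduled. The hang check reuses exactly the same event stream, which is what the article means by one event serving both reliability and security monitoring.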
“An important aspect of HyperTap is that it is transparent,” Pham said. “The virtual machine doesn’t need to be aware that it’s being monitored by HyperTap. Our framework just provides a service without making modifications to the virtual machine.”
Estrada added that the team tested the security monitors with real attacks, some of them lasting only single-digit milliseconds.
“Our checks are triggered on fundamental operations, so unlike other monitoring systems, it's not about how fast or how slow you are as an attacker - we will always catch you,” Estrada said.
This research contributes to a broader line of work on monitoring virtual machines through hardware architectural invariants, an approach that Pham’s paper emphasizes.
“A lot of people have done work on virtual machine monitoring, but the way they look at it is to use operating system invariants,” Pham said. “They use knowledge to extract information about what is happening in an operating system. That is OK for normal activities, but when the system is failing, that can affect the operating system as well.”
For example, Pham explained, if an attacker gets into a machine, they can compromise the operating system, and with it any monitor that relies on the operating system’s own data. Pham therefore proposes monitoring at the hardware level, where the events are generated by the hardware itself rather than by the operating system. A virtual machine does not run directly on physical hardware, so Pham instead captures the hardware events the guest generates, as observed from the hypervisor, and extracts from them the information needed to interpret what is going on inside the operating system.
“HyperTap benefits from a solid foundation, a new trend in thinking,” he said. “As a result, it helped us to detect a new failure mode and new types of attacks that existing monitoring tools cannot. We designed HyperTap to be extendable so that other people can implement their own monitoring policies following our principles.”
Pham and the other researchers are working with the U.S. Air Force to test the framework on their production systems, as this project is part of the Assured Cloud Computing Center in the Information Trust Institute, which is funded by the U.S. Air Force.
“The Carter Award and Best Paper Award presented to Cuong is a real recognition of the importance and novelty of the contribution,” Kalbarczyk said. “As cloud computing becomes more of a mainstream technology, providing a higher level of availability and security remains one of the biggest challenges. In addressing this challenge, the work led by Cuong, with Zak and Phuong, exploits virtualization to design and deploy a low-cost highly efficient monitoring framework (HyperTap) and the associated techniques that can transform a typical cloud environment into resilient computing infrastructure. His work shows, on a prototype, that smart monitoring is feasible and can scale to large cloud deployments.”