2010 IEEE 34th Annual Computer Software and Applications Conference (2010)
Seoul, Korea (South)
July 19, 2010 to July 23, 2010
We propose HyperShield, a hypervisor that can be inserted into and removed from a running operating system to improve security. While many existing security-oriented hypervisors require modifying or rebooting the overlying operating system, HyperShield does not. HyperShield is intended to be a general framework for various security mechanisms. The current implementation provides two mechanisms for preventing kernel-level buffer overflow attacks. One detects the execution of user code with kernel privilege, and the other detects malicious modification of a return address on a control stack. HyperShield is implemented on Linux as a loadable kernel module. When the module is inserted, it places itself under the operating system and executes as a hypervisor. The operating system is migrated into a virtual machine and managed by the hypervisor. HyperShield detects attacks by combining virtualization of memory management with a hardware-assisted execution-bit feature. We have confirmed through experiments that HyperShield successfully prevented kernel-level buffer overflow attacks.
Security, virtual machine monitors, hypervisors, operating systems
H. Eiraku, K. Kato, T. Shinagawa, T. Nomoto and Y. Oyama, "Using a Hypervisor to Migrate Running Operating Systems to Secure Virtual Machines," 2010 IEEE 34th Annual Computer Software and Applications Conference (COMPSAC), Seoul, Korea (South), 2010, pp. 37-46.