DocumentCode :
2204604
Title :
A Security Management Architecture for the Protection of Kernel Virtual Machines
Author :
Lombardi, Flavio ; Di Pietro, Roberto
Author_Institution :
DCSPI -Sist. Informativi, Consiglio Naz. delle Ric., Rome, Italy
fYear :
2010
fDate :
June 29 2010-July 1 2010
Firstpage :
948
Lastpage :
953
Abstract :
Virtualization is being pervasively adopted in a variety of scenarios ranging from regular desktop PCs to server farms and clusters. Indeed, the security of guest virtual machines and of the applications and services they host can be improved by leveraging the additional architectural layer introduced by such a technology. This paper discusses security management for virtualized environments and provides several contributions. First, a novel architecture (Kvm-SMA) with the following features is detailed: it can protect guest integrity from both remote and local attacks such as root-kits, viruses, and worms; it is not circumventable and it is completely transparent to guest machines; it can asynchronously analyze guest data and monitor guest system behavior. Second, the proposed architecture has been implemented entirely on open source software and can be replicated to both Linux and Windows guests. Third, the effectiveness and efficiency of the proposed architecture are shown. The former is proved by showing the results of a root-kit detection test, while the latter is supported by standard performance tests showing that the introduced overhead is small. Finally, a distinguishing feature of our monitoring system proposal is that it is immune to timing attacks: that is, an adversary cannot notice the monitoring system is active by analyzing the time required to perform system calls. We believe that security management of both single virtualized hosts and distributed virtualized systems can benefit from our proposal.
Keywords :
operating system kernels; security of data; virtual machines; Kvm-SMA; distributed virtualized system; kernel virtual machine; root-kit detection test; security management architecture; Computer architecture; Kernel; Linux; Malware; Monitoring; Virtual machining; Malware; Security; Virtualization technology;
fLanguage :
English
Publisher :
ieee
Conference_Titel :
Computer and Information Technology (CIT), 2010 IEEE 10th International Conference on
Conference_Location :
Bradford
Print_ISBN :
978-1-4244-7547-6
Type :
conf
DOI :
10.1109/CIT.2010.175
Filename :
5578474