BlockTapping: An Online Transparent Integrity Checker for Virtual Storage

The integrity of virtual storage has become a very important issue in the virtual computing environment (like Xen-based computing platform). Current integrity detection systems have some disadvantages, for example, they cannot protect themselves well or the dependence between the detection results and the target system is high. We refer to the problem as lack of transparency. This paper presents a novel online integrity checker, Block Tapping, which ensures its security benefiting from the isolation property of virtual machine. Block tapping monitors the block-level data streams transparently through block-to-file semantic-translation at the virtual block device layer. Based on the self-described information of virtual storages, Block Tapping detects the file-level malicious behaviors independent of the internal state of the compromised virtual machine. Experiments show that the prototype system successfully captures 13 typical user-mode root kit attacks against virtual storage, and the performance overhead is acceptable.