Live forensics is an important technique in cloud security, but it faces the challenge of reliability. Most live forensic tools in cloud computing run either in the target Operating System (OS) or as an extra hypervisor. Tools in the target OS are not reliable, since a compromised OS can deceive them. Traditional general-purpose hypervisors, in turn, are vulnerable because of their huge code size, even though some of their modules, such as device drivers, are unnecessary for forensics. In this paper, we propose a special-purpose hypervisor, called ForenVisor, which is dedicated to reliable live forensics. Reliability is improved in three ways: the Trusted Computing Base (TCB) is reduced by a lightweight architecture, evidence is collected directly from the hardware, and the evidence and other sensitive files are protected by the Filesafe module. We have implemented a proof-of-concept prototype on the Windows platform, which can acquire process data, raw memory, and I/O data such as keystrokes and network traffic.

Conventional privilege separation can effectively reduce the TCB size by granting privilege only to the privileged compartments. However, since this approach relies on process isolation for its security assurance, malware that exploits kernel components can easily compromise it. Meanwhile, the frequent inter-process communication between the separated processes inevitably incurs notable overhead. To ameliorate these problems, we propose to perform privilege separation without partitioning the application into two processes. Instead, we leverage virtualization to enforce the isolation of the sensitive portions from the other, untrusted code. The virtual machine monitor intercepts all code context switches transparently, without requiring the application to explicitly use IPC for privileged context transitions. We have implemented a prototype of our system, named Coir, on the commodity hypervisor Xen. Our evaluation includes a real-world remote control application, which is partitioned and protected by the Coir-enabled hypervisor on unmodified Windows XP. We discuss the isolation strength as well as the performance penalty of our system based on this practical case.
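The conventional model that the Coir abstract contrasts with (a privileged compartment reachable only through IPC), as an added example that is not code from either paper: a parent monitor process holds a secret key and services a two-operation request interface over a socketpair, and an unprivileged child worker must make one round trip per keyed operation. Every name, the wire format and the toy `keyed_checksum` function are assumptions made for this example; the checksum stands in for a real keyed operation such as signing and is not a MAC.

```c
/* Added example (not Coir's code): conventional two-process privilege separation.
 * A privileged monitor (parent) keeps the secret behind a narrow request interface
 * on a socketpair; the unprivileged worker (child) pays one IPC round trip per
 * privileged operation. Names and wire format are invented for this example. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/wait.h>

enum { OP_QUIT = 0, OP_MAC = 1 };  enum { ST_OK = 0, ST_BAD_OP = 1 };
struct request  { uint32_t op, arg; };
struct response { uint32_t status, value; };
struct privsep_stats {
    unsigned served, rejected;  /* requests answered / refused by the monitor */
    uint32_t last_value;        /* value in the last successful reply */
    int worker_status;          /* worker exit status, 0 = every reply as expected */
};

/* Secret that must never reach the worker. keyed_checksum is a toy mixer standing
 * in for a real keyed operation such as signing; it is not an actual MAC. */
static const uint32_t MONITOR_SECRET = 0x9E3779B9u;
uint32_t keyed_checksum(uint32_t key, uint32_t arg) {
    uint32_t x = arg ^ key;
    x ^= x >> 16; x *= 0x85EBCA6Bu; x ^= x >> 13; x *= 0xC2B2AE35u;
    return x ^ (x >> 16);
}

/* The worker may be compromised: validate every request and honour only OP_MAC. */
int monitor_handle(const struct request *req, uint32_t key, struct response *resp) {
    memset(resp, 0, sizeof *resp);
    if (req->op != OP_MAC) { resp->status = ST_BAD_OP; return -1; }
    resp->status = ST_OK; resp->value = keyed_checksum(key, req->arg);
    return 0;
}

/* Read (writing=0) or write (writing=1) exactly n bytes; -1 on EOF or error. */
static int io_full(int fd, void *buf, size_t n, int writing) {
    for (size_t done = 0; done < n; ) {
        ssize_t r = writing ? write(fd, (char *)buf + done, n - done)
                            : read(fd, (char *)buf + done, n - done);
        if (r <= 0) return -1;
        done += (size_t)r;
    }
    return 0;
}

/* Unprivileged side: `rounds` OP_MAC requests for `arg`, one deliberately unknown
 * op that must be refused, then OP_QUIT. Exits 0 iff every reply was as expected. */
static int worker_main(int fd, uint32_t arg, unsigned rounds) {
    struct request req = { OP_MAC, arg };
    struct response resp; uint32_t first = 0; int bad = 0;
    for (unsigned i = 0; i <= rounds; i++) {
        if (i == rounds) req.op = 0xFFFFFFFFu;   /* final request: bogus op */
        if (io_full(fd, &req, sizeof req, 1) || io_full(fd, &resp, sizeof resp, 0)) return 2;
        if (i == rounds) { if (resp.status != ST_BAD_OP) bad++; }
        else if (resp.status != ST_OK) bad++;
        else if (i == 0) first = resp.value;
        else if (resp.value != first) bad++;
    }
    req.op = OP_QUIT;
    io_full(fd, &req, sizeof req, 1);
    return bad ? 1 : 0;
}

/* Privileged side: answer requests until OP_QUIT or the worker goes away. */
static void monitor_loop(int fd, struct privsep_stats *st) {
    struct request req; struct response resp;
    while (io_full(fd, &req, sizeof req, 0) == 0 && req.op != OP_QUIT) {
        if (monitor_handle(&req, MONITOR_SECRET, &resp) == 0) {
            st->served++; st->last_value = resp.value;
        } else st->rejected++;
        if (io_full(fd, &resp, sizeof resp, 1)) break;
    }
}

struct privsep_stats run_privsep(uint32_t arg, unsigned rounds) {
    struct privsep_stats st = { 0, 0, 0, -1 };
    int sv[2], status;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0) return st;
    pid_t pid = fork();
    if (pid < 0) return st;
    if (pid == 0) {                              /* worker */
        close(sv[0]);
        /* a real worker drops privileges (chroot, setresuid) here; omitted to run as any user */
        _exit(worker_main(sv[1], arg, rounds));
    }
    close(sv[1]);                                /* monitor */
    monitor_loop(sv[0], &st); close(sv[0]);
    if (waitpid(pid, &status, 0) == pid && WIFEXITED(status))
        st.worker_status = WEXITSTATUS(status);
    return st;
}
int main(void) {
    struct privsep_stats st = run_privsep(42, 1000);
    printf("served=%u rejected=%u worker_status=%d last=0x%08x\n", st.served, st.rejected, st.worker_status, st.last_value);
    return st.worker_status;
}
```

The monitor validates every request because the worker is the part exposed to attack: the bogus operation the worker sends last is refused with ST_BAD_OP and never touches the key. Each of the 1000 keyed operations costs a write/read round trip through the kernel, which is the IPC overhead the abstract refers to, and it is the kernel's process isolation alone that keeps MONITOR_SECRET out of the worker's address space, which is the dependency on kernel integrity the abstract also points out.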