Hybrid Virtual Machine Introspection

HYBRID: Retrofitting LBR Profiling to Support Virtual Machine Introspection

Project Portal


Introduction

Cloud security auditing is a well-established industrial practice for assuring the transparency and accountability of a service provider to its tenants. However, the multi-tenancy and self-service nature of a cloud, coupled with its sheer size, poses many unique challenges for cloud forensics. Although Virtual Machine Introspection (VMI) is a powerful tool for cloud auditing because of the isolation and high privilege of the hypervisor, the stealthiness of state-of-the-art attacks and the lack of precise information for bridging the semantic gap make it difficult for existing auditing solutions to deliver real-time forensics when tracking a large number of suspicious behaviors.

In this project, we propose an instruction-level tracing framework that detects the presence of attacks by dynamically tracking patterns of shared processor hardware events and analyzing the resulting attack traces. To meet the challenges of real-time detection and auditing, we bring Last Branch Record (LBR) profiling back into use to extract suspicious execution flows. From these traces, accurate forensic data can be reverse-engineered and high-level forensic semantics fully recovered.
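To make the LBR-based idea concrete, the following is an added example, not code from the HYBRID project: it shows how a branch trace of (source, target) pairs, which is what LBR entries record, is turned back into an execution flow, and how one common anomaly check over such a trace works (a return instruction whose target is not the instruction following a known call site). The trace and the set of call sites are constructed inline so the example runs offline; the `kind` annotation on each record is an assumption (hardware LBR entries carry only from/to addresses, and the branch kind would be decoded from the instruction at the source address).

```python
# Added example (not the HYBRID project's code): reconstruct an execution flow
# from Last Branch Record (LBR) style entries and flag return-address anomalies.
# In a real deployment the hypervisor reads these records from the guest's LBR
# MSRs; here the records are constructed inline so the example runs offline.
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple


@dataclass(frozen=True)
class BranchRecord:
    src: int   # address of the branch instruction that was taken
    dst: int   # address the branch landed on
    kind: str  # "call", "ret" or "jmp" (assumed annotation, see lead-in)


# Constructed sample trace: two normal call/return pairs, one jump, and a final
# return that lands on an address no call ever returns to.
SAMPLE_TRACE: List[BranchRecord] = [
    BranchRecord(0x401000, 0x401200, "call"),  # main calls f
    BranchRecord(0x40120F, 0x401005, "ret"),   # f returns just after the call
    BranchRecord(0x401015, 0x401300, "call"),  # main calls g
    BranchRecord(0x40130A, 0x40101A, "ret"),   # g returns just after the call
    BranchRecord(0x401020, 0x401400, "jmp"),   # unconditional jump
    BranchRecord(0x401405, 0x4013F0, "ret"),   # return to a non-call-site address
]

# Constructed set of legitimate return landing sites: the instruction that
# follows each call in the code being audited.
CALL_SITES: Set[int] = {0x401005, 0x40101A}


def reconstruct_flow(records: List[BranchRecord]) -> List[Tuple[Optional[int], Optional[int]]]:
    """Recover the linear code regions executed between consecutive branches.

    Each LBR record says: execution ran straight from the previous branch
    target up to `src`, then jumped to `dst`. The result is a list of
    (region_start, region_end) pairs; the start of the first region and the
    end of the last region are unknown from the trace alone and are None.
    """
    regions: List[Tuple[Optional[int], Optional[int]]] = []
    start: Optional[int] = None
    for rec in records:
        regions.append((start, rec.src))
        start = rec.dst
    regions.append((start, None))
    return regions


def flag_suspicious_returns(records: List[BranchRecord], call_sites: Set[int]) -> List[BranchRecord]:
    """Return every `ret` record whose target is not a known call-return site.

    Legitimate returns land on the instruction after a call; a return that
    lands anywhere else is the signature LBR-based control-flow checks look
    for when auditing a suspicious execution flow.
    """
    return [rec for rec in records if rec.kind == "ret" and rec.dst not in call_sites]


if __name__ == "__main__":
    for start, end in reconstruct_flow(SAMPLE_TRACE):
        print(f"region {start!r:>10} -> {end!r}")
    for rec in flag_suspicious_returns(SAMPLE_TRACE, CALL_SITES):
        print(f"suspicious return at {rec.src:#x} to {rec.dst:#x}")
```

The flow reconstruction is what lets the forensic layer recover which code actually ran between branches, and the return check is one of the simplest patterns that can be evaluated over the same records without any further guest cooperation.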