Secure Offloading of User-level IDS with VM-compatible OS Emulation Layers for Intel SGX

Q1 Computer Science IEEE Cloud Computing Pub Date : 2022-07-01 DOI:10.1109/CLOUD55607.2022.00035

Takumi Kawamura, Kenichi Kourai

{"title":"Secure Offloading of User-level IDS with VM-compatible OS Emulation Layers for Intel SGX","authors":"Takumi Kawamura, Kenichi Kourai","doi":"10.1109/CLOUD55607.2022.00035","DOIUrl":null,"url":null,"abstract":"Since virtual machines (VMs) provided by Infrastructure-as-a-Service clouds often suffer from attacks, they need to be monitored using intrusion detection systems (IDS). For secure execution of host-based IDS (HIDS), IDS offloading is used to run IDS outside target VMs, but offloaded IDS can still be attacked. To address this issue, secure IDS offloading using Intel SGX has been proposed. However, IDS development requires kernel-level programming, which is difficult for most IDS developers. This paper proposes SCwatcher for enabling user-level HIDS running on top of the operating system (OS) to be securely offloaded using VM-compatible OS emulation layers for SGX. SCwatcher provides the standard OS interface used in a target VM to in-enclave IDS. Especially, the virtual proc filesystem called vProcFS analyzes OS data using VM introspection and returns the system information inside the target VM. We have implemented SCwatcher using Xen supporting SGX virtualization and two types of OS emulation layers for SGX called SCONE and Occlum. Then, we confirmed that SCwatcher could offload legacy HIDS and showed that the performance could be comparable to insecure IDS offloading.","PeriodicalId":54281,"journal":{"name":"IEEE Cloud Computing","volume":"197 1","pages":"157-166"},"PeriodicalIF":0.0000,"publicationDate":"2022-07-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"1","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"IEEE Cloud Computing","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/CLOUD55607.2022.00035","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q1","JCRName":"Computer Science","Score":null,"Total":0}

引用次数: 1

Abstract

Since virtual machines (VMs) provided by Infrastructure-as-a-Service clouds often suffer from attacks, they need to be monitored using intrusion detection systems (IDS). For secure execution of host-based IDS (HIDS), IDS offloading is used to run IDS outside target VMs, but offloaded IDS can still be attacked. To address this issue, secure IDS offloading using Intel SGX has been proposed. However, IDS development requires kernel-level programming, which is difficult for most IDS developers. This paper proposes SCwatcher for enabling user-level HIDS running on top of the operating system (OS) to be securely offloaded using VM-compatible OS emulation layers for SGX. SCwatcher provides the standard OS interface used in a target VM to in-enclave IDS. Especially, the virtual proc filesystem called vProcFS analyzes OS data using VM introspection and returns the system information inside the target VM. We have implemented SCwatcher using Xen supporting SGX virtualization and two types of OS emulation layers for SGX called SCONE and Occlum. Then, we confirmed that SCwatcher could offload legacy HIDS and showed that the performance could be comparable to insecure IDS offloading.

查看原文

微信好友朋友圈 QQ好友复制链接

本刊更多论文

安全卸载用户级IDS与vm兼容的操作系统仿真层为英特尔SGX

由于基础设施即服务云提供的虚拟机(vm)经常遭受攻击，因此需要使用入侵检测系统(IDS)对其进行监控。为了安全执行基于主机的IDS (host-based IDS)， IDS卸载用于在目标虚拟机之外运行IDS，但卸载后的IDS仍然可能受到攻击。为了解决这个问题，已经提出了使用Intel SGX的安全IDS卸载。然而，IDS开发需要内核级编程，这对大多数IDS开发人员来说是困难的。本文提出了使用SGX的vm兼容的操作系统仿真层，使运行在操作系统(OS)之上的用户级HIDS能够安全地卸载的SCwatcher。SCwatcher提供了在目标VM中使用的标准操作系统接口来封装IDS。特别是，名为vProcFS的虚拟进程文件系统使用VM自省分析操作系统数据，并返回目标VM内的系统信息。我们使用支持SGX虚拟化的Xen实现了SCwatcher，并为SGX提供了两种类型的操作系统仿真层，称为SCONE和Occlum。然后，我们证实了SCwatcher可以卸载遗留的IDS，并表明性能可以与不安全的IDS卸载相媲美。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文去求助

来源期刊

IEEE Cloud Computing Computer Science-Computer Networks and Communications

CiteScore

11.20

自引率

0.00%

发文量

期刊介绍： Cessation. IEEE Cloud Computing is committed to the timely publication of peer-reviewed articles that provide innovative research ideas, applications results, and case studies in all areas of cloud computing. Topics relating to novel theory, algorithms, performance analyses and applications of techniques are covered. More specifically: Cloud software, Cloud security, Trade-offs between privacy and utility of cloud, Cloud in the business environment, Cloud economics, Cloud governance, Migrating to the cloud, Cloud standards, Development tools, Backup and recovery, Interoperability, Applications management, Data analytics, Communications protocols, Mobile cloud, Private clouds, Liability issues for data loss on clouds, Data integration, Big data, Cloud education, Cloud skill sets, Cloud energy consumption, The architecture of cloud computing, Applications in commerce, education, and industry, Infrastructure as a Service (IaaS), Platform as a Service (PaaS), Software as a Service (SaaS), Business Process as a Service (BPaaS)