Security Maturity Self-Assessment Framework for Software Development Lifecycle
Authors: Raluca Brasoveanu, Yusuf Karabulut, Ivan Pashchenko
DOI: https://doi.org/10.1145/3538969.3543806
Published: 2022-08-23, Proceedings of the 17th International Conference on Availability, Reliability and Security

Abstract: Vulnerable software often originates from insufficient attention to security in the software development lifecycle. However, current maturity models provide limited support for teams to assess the security maturity of their software development practices. In this paper, we propose a security maturity self-assessment framework for the software development lifecycle. The proposed framework is based on three well-known and industry-accepted models that focus on increasing the security maturity of software products: the OWASP DevSecOps Maturity Model (DSOMM), the OWASP Software Assurance Maturity Model (SAMM), and the Building Security In Maturity Model (BSIMM). The preliminary validation with software developers suggests that the proposed framework helps teams to understand the security posture of their software products and to identify which security practices need improvement.
A novel, refined dataset for real-time Network Intrusion Detection
Authors: Mikołaj Komisarek, M. Pawlicki, Marian Mihailescu, Darius Mihai, M. Cărăbaş, R. Kozik, M. Choraś
DOI: https://doi.org/10.1145/3538969.3544486
Published: 2022-08-23, Proceedings of the 17th International Conference on Availability, Reliability and Security

Abstract: In this day and age of widespread Internet access, more and more aspects of the economy are becoming dependent on various aspects of network technologies. Cybercrimes are on the rise and massive numbers of network security breaches occur every year. This paper presents network data collected in the NetFlow format and its application to detecting network attacks. The paper proposes a refined, real-world dataset collected from an academic network. The dataset is a direct result of the experience gained by working on and with the SIMARGL2021 dataset. The applicability of the new dataset is demonstrated on several machine learning algorithms. This novel dataset is open-sourced for researchers to download and use in scientific work.
The Owner, the Provider and the Subcontractors: How to Handle Accountability and Liability Management for 5G End to End Service
Authors: Chrystel Gaber, Ghada Arfaoui, Y. Carlinet, N. Perrot, Laurent Valleyre, M. Lacoste, Jean-Philippe Wary, Yacine Anser, Rafal Artych, Aleksandra Podlasek, Edgardo Montes de Oca, Vinh Hoa La, Vincent Lefebvre, Gürkan Gür
DOI: https://doi.org/10.1145/3538969.3544465
Published: 2022-08-23, Proceedings of the 17th International Conference on Availability, Reliability and Security

Abstract: The adoption of 5G services depends on the capacity to provide high-value services. In addition to enhanced performance, the capacity to deliver Security Service Level Agreements (SSLAs) and demonstrate their fulfillment would be a great incentive for the adoption of 5G services by critical 5G Verticals (e.g., service suppliers such as Energy or Intelligent Transportation Systems) subject to specific industrial safety, security or service level rules and regulations (e.g., the NIS or SEVESO Directives). Yet, responsibilities may be difficult to track and demonstrate because 5G infrastructures are interconnected and complex, a challenge anticipated to be exacerbated in future 6G networks. This paper describes a demonstrator and a use case that show how 5G Service Providers can deliver SSLAs to their customers (Service Owners) by leveraging a set of network enablers developed in the INSPIRE-5Gplus project to manage their accountability, liability and the trust placed in subcomponents of a service (subcontractors). The elaborated enablers are in particular a novel sTakeholder Responsibility, AccountabIlity and Liability deScriptor (TRAILS), a Liability-Aware Service Management Referencing Service (LASM-RS), an anomaly detection tool (IoT-MMT), a Root Cause Analysis tool (IoT-RCA), two Remote Attestation mechanisms (Systemic and Deep Attestation), and two Security-by-Orchestration enablers (one for the 5G Core and one for the MEC).
The cybersecurity-related ethical issues of cloud technology and how to avoid them
Authors: Aleksandra Pawlicka, M. Pawlicki, R. Renk, R. Kozik, M. Choraś
DOI: https://doi.org/10.1145/3538969.3544456
Published: 2022-08-23, Proceedings of the 17th International Conference on Availability, Reliability and Security

Abstract: Nowadays, cloud technology is assuming immense significance, being treated as a critical infrastructure, and is also a buzzword. Nevertheless, the technology has also brought about a number of new adverse phenomena and threats; it has attracted criminals as well. Whenever the questions of "good" and "bad" arise, ethical issues arise alongside them; the cybersecurity of cloud technology is no exception. This paper deals with the ethical dilemmas of cloud technology. It discusses a collection of the ethical issues of cloud technology presented from the perspective of cybersecurity, based on the state-of-the-art literature. The main contribution of this work is that it gathers, synthesizes and organises the cybersecurity-related ethical dilemmas of cloud technology, thus offering the most extensive collection thereof. In addition, the work presents a comprehensive list of recommendations and suggestions which may help solve or prevent these ethical issues and are a good starting point for anyone designing an ethical cybersecurity strategy.
Botnet Detection in the Internet of Things through All-in-one Deep Autoencoding
Authors: Marta Catillo, A. Pecchia, Umberto Villano
DOI: https://doi.org/10.1145/3538969.3544460
Published: 2022-08-23, Proceedings of the 17th International Conference on Availability, Reliability and Security

Abstract: In the past years the Internet of Things (IoT) has received increasing attention from academia and industry due to its potential use in several human activities; however, IoT devices are vulnerable to various types of attacks. Many existing intrusion detection proposals in the IoT leverage complex machine learning architectures, which may provide one separate model per device or per attack. These solutions are not suited to the dynamicity and scale of modern IoT environments. This paper proposes an initial analysis of the problem in the context of deep autoencoders and the detection of botnet attacks. Our findings, obtained by means of the N-BaIoT dataset, indicate that it is relatively easy to achieve impressive detection results by training and testing separate and minimal deep autoencoders on top of the data of individual IoT devices. More importantly, our all-in-one deep autoencoding proposal, which consists in training a single model with the benign traffic collected from different IoT devices, preserves the overall detection performance obtained through separate autoencoders. The all-in-one model can pave the way for more scalable intrusion detection solutions in the context of the IoT.
Distributed Enforcement of Access Control policies in Intelligent Transportation System (ITS) for Situation Awareness
Authors: Tahir Ahmad, Umberto Morelli, Silvio Ranise
DOI: https://doi.org/10.1145/3538969.3543792
Published: 2022-08-23, Proceedings of the 17th International Conference on Availability, Reliability and Security

Abstract: Intelligent Transport Systems (ITS) are crucial to support Situation Awareness (SA), which aims to keep a safe and efficient driving experience. While promising, ITS use for SA brings several security challenges, including enforcing access control policies in distributed environments with stringent computational constraints in terms of availability, consistency, and latency. Consequently, traditional mechanisms used to enforce authorization policies cannot be reused off-the-shelf but need to be carefully adapted to the particular requirements and minimize the overhead of access control enforcement. In this paper, we propose a distributed architecture for access control enforcement for ITS capable of satisfying the requirements of SA scenarios, based on the idea of dynamically compiling a high-level specification of access control policies (written in the Attribute-Based Access Control model) into a set of low-level Access Control Lists that are easier to enforce. We discuss how to realize it by reusing well-known techniques developed in the field of distributed systems. To evaluate the applicability of the proposed approach, we build a prototype that we use to conduct an experimental evaluation in the context of two practical use case scenarios.
Improving Performance of Machine Learning based Detection of Network Steganography in Industrial Control Systems
Authors: T. Neubert, Antonio José Caballero Morcillo, C. Vielhauer
DOI: https://doi.org/10.1145/3538969.3544427
Published: 2022-08-23, Proceedings of the 17th International Conference on Availability, Reliability and Security

Abstract: In view of the strong increase in targeted attacks on industrial control systems (ICS) of manufactories and critical infrastructures, it can be noticed that steganographic information hiding techniques are becoming increasingly popular with attackers for the concealment of communication. Particularly in Advanced Persistent Threats, attackers focus on hiding network information flows between infected components from any possible detection mechanism in order to remain on the invaded system for as long as possible. In order to be able to detect these kinds of threats by hidden communication in the future, defense concepts such as intrusion detection systems need to be supplemented by steganalytic detectors for ICS network traffic. First state-of-the-art detection mechanisms have been proposed and deliver decent but improvable results. This paper proposes a novel convolutional neural network (CNN) based detection approach relying on a handcrafted feature space as the CNN input layer. The detection approach is evaluated extensively in experiments. The evaluation results are compared to three state-of-the-art approaches in a laboratory ICS setup. We show that our novel approach is able to significantly outperform all state-of-the-art approaches. It delivers a performance of up to 94.3% correctly classified test data samples.
Assessing discrepancies between network traffic and privacy policies of public sector web services
Authors: Timi Heino, Robin Carlsson, Sampsa Rauti, V. Leppänen
DOI: https://doi.org/10.1145/3538969.3539003
Published: 2022-08-23, Proceedings of the 17th International Conference on Availability, Reliability and Security

Abstract: Online services are increasingly being used to complete everyday tasks, and ordinary users with very little technical knowledge have learned to use web services and applications. At the same time, many user applications are gradually moving from the traditional desktop environment to the web. Because of these developments, it is not surprising that user privacy has become a very important consideration when developing web services. In the current study, we assess the privacy of 34 web services provided and maintained by Finnish public sector bodies. We perform a network traffic analysis in order to find out what kind of personal data the studied services deliver to third-party analytics services. We then take a look at the privacy policy documents of these web services and gauge their transparency and clarity by comparing their contents to the actual network data sent out by the web services. Our findings reveal numerous inconsistencies between what is said about handling personal data in the analyzed privacy policies and the actual traffic of the studied web services. Another prominent finding is the sheer number of analytics services employed by the studied websites. We conclude that there is still an obvious need for web developers and public sector bodies to improve their awareness of existing privacy regulations and of the personal information their online services deliver to third parties. A lot of work also remains to be done in clearly and transparently communicating privacy-related matters to users.
Limitations of Web Cryptojacking Detection: A Practical Evaluation
Authors: Paweł Rajba, W. Mazurczyk
DOI: https://doi.org/10.1145/3538969.3544466
Published: 2022-08-23, Proceedings of the 17th International Conference on Availability, Reliability and Security

Abstract: Cryptojacking is one of the new threats that emerged several years ago with the growing popularity and increasing value of cryptocurrencies. In essence, it is a malicious technique where the attacker parasitizes the victim's resources such as CPU time, memory, etc. to mine cryptocurrencies for his own benefit. Cryptojacking comes in two main flavors, i.e., as a malicious script embedded into a website or as standalone malware residing on the compromised machine. As such threats are still widespread, in this paper we perform a practical evaluation of existing web browser blockers against real-world web-based cryptojacking solutions. The obtained experimental results reveal that in more than 60% of cases the tested defensive solutions fail to fight this threat or can be easily fooled with a few simple modifications. This underlines the importance of further efforts toward developing effective countermeasures.
VMIFresh: Efficient and Fresh Caches for Virtual Machine Introspection
Authors: Thomas Dangl, Stewart Sentanoe, Hans P. Reiser
DOI: https://doi.org/10.1145/3538969.3539002
Published: 2022-08-23, Proceedings of the 17th International Conference on Availability, Reliability and Security

Abstract: Virtual machine introspection (VMI) is the process of extracting knowledge about the inner state of a virtual machine from the outside. Traditional passive introspection mechanisms have proved themselves ineffective in many application domains due to their low performance. As a remedy for this issue, caching at the level of the introspection application was introduced. However, this sacrificed the freshness of VMI and led to an inconsistent outside view. In this work, we propose a multi-purpose hybrid caching scheme with freshness and consistency guarantees that is interleaved with the guest's MMU. This scheme can easily be integrated into existing applications and frameworks such as libvmi and Volatility 3. We demonstrate its feasibility by developing a prototype for such applications. Furthermore, the experimental evaluation of our approach suggests that it even significantly exceeds the performance of previous inconsistent caches.