Virtualized network packet inspection

Erez Shlingbaum, Raz Ben Yehuda, Michael Kiperberg, Nezer Jacob Zaidenberg

Research output: Contribution to journal › Article › peer-review

Abstract

Network-based cyber attacks differ in their objectives, techniques, and levels of sophistication, yet they all maintain communication with their controllers. Current approaches to blocking unauthorized communication fall short or are susceptible to attacks at the kernel level. Our work demonstrates the feasibility of clandestine network transmissions across different network interface cards using solely data writes to physical pages. For certain cards, we employ a code-reuse attack to execute IO instructions. This paper presents Virtualized Packet Inspection (VPI), a virtualization-based solution for preventing malicious communication. VPI is embedded in QEMU-KVM, making it particularly suitable for private clouds. Being integrated into QEMU-KVM, VPI is not vulnerable to kernel-mode attacks. In addition, VPI's ability to monitor the activity of user-mode applications and the network card allows it to block malicious communications initiated by kernel-mode malware. Our evaluation shows that VPI's performance overhead is ≈20% for monitored system calls and is negligible in other cases.

Original language: English
Article number: 110619
Journal: Computer Networks
Volume: 251
DOIs
State: Published - Sep 2024

Keywords

  • Hypervisor
  • IDS
  • Security
  • Virtualization
