TY - JOUR
T1 - Virtualized network packet inspection
AU - Shlingbaum, Erez
AU - Yehuda, Raz Ben
AU - Kiperberg, Michael
AU - Zaidenberg, Nezer Jacob
N1 - Publisher Copyright:
© 2024 Elsevier B.V.
PY - 2024/9
Y1 - 2024/9
N2 - Network-based cyber attacks differ in their objectives, techniques, and levels of sophistication, yet they all maintain communication with their controllers. Current approaches to blocking unauthorized communication fall short or are susceptible to attacks at the kernel level. Our work demonstrates the feasibility of clandestine network transmissions across different network interface cards using only data writes to physical pages. For certain cards, we employ a code-reuse attack to execute IO instructions. This paper presents Virtualized Packet Inspection (VPI), a virtualization-based solution for preventing malicious communication. VPI is embedded in QEMU-KVM, making it particularly suitable for private clouds. Because it is integrated into QEMU-KVM, VPI is not vulnerable to kernel-mode attacks. In addition, VPI's ability to monitor the activity of both user-mode applications and the network card allows it to block malicious communications initiated by kernel-mode malware. Our evaluation shows that VPI's performance overhead is ≈20% for monitored system calls and negligible in other cases.
KW - Hypervisor
KW - IDS
KW - Security
KW - Virtualization
UR - http://www.scopus.com/inward/record.url?scp=85197445902&partnerID=8YFLogxK
U2 - 10.1016/j.comnet.2024.110619
DO - 10.1016/j.comnet.2024.110619
M3 - Article
AN - SCOPUS:85197445902
SN - 1389-1286
VL - 251
JO - Computer Networks
JF - Computer Networks
M1 - 110619
ER -