Since failures and attacks are inevitable in large-scale Internet-enabled systems, efficient monitoring is key to achieving resiliency. Continuous monitoring, however, usually comes with a high performance cost to the target systems. In addition, because of the apparent dissimilarity between security and reliability, tools to detect and recover from different classes of failures and attacks are usually designed and implemented differently. That makes integration of support for reliability and security in a single framework a significant challenge.
In this talk, I will present HyperTap, our solution to address those research challenges in the context of virtualization environments. HyperTap is a hypervisor-level framework that facilitates the building of efficient reliability and security monitors for virtual machines (VMs). Unlike most VM-monitoring techniques, HyperTap employs hardware architectural invariants to establish the root of trust for monitoring. Hardware invariants are properties defined and enforced by a hardware platform (for example, the x86 instruction set architecture). Additionally, HyperTap supports continuous, event-driven VM monitoring, which enables both capture of the system state and rapid response to actions of interest.
We demonstrated the effectiveness of HyperTap through (i) a monitor to detect operating system hangs in a VM, (ii) a monitor to detect hidden rootkits, and (iii) a monitor to detect privilege escalation attacks. Experimental evaluation of the three monitors showed that they are effective in detecting hangs (caused by injecting bugs in the guest operating system), real-world rootkits, and privilege escalation attacks while causing less than 5% and 2% performance overhead for disk I/O and CPU-intensive workloads, respectively.
Cuong Pham is a Ph.D. student in the Department of Electrical and Computer Engineering (ECE) at UIUC. He is a member of the DEPEND research group (http://depend.csl.illinois.edu/) in the Coordinated Science Laboratory (CSL). His research interests are in designing and building resilient computer systems. For his Ph.D. research, Pham focuses on providing monitoring techniques for enhancing the resiliency of cloud computing infrastructure against both accidental failures and malicious attacks. His virtual machine monitoring work received the inaugural Best Paper Award at the IEEE/IFIP International Conference on Dependable Systems and Networks (DSN). Additionally, Pham was recognized for his outstanding Ph.D. research in the dependability area and was awarded the William C. Carter Award at DSN.