HyperWall: A Hypervisor for Detection and Prevention of Malicious Communication

Michael Kiperberg; Raz Ben Yehuda; Nezer J. Zaidenberg

doi:10.1007/978-3-030-65745-1_5

HyperWall: A Hypervisor for Detection and Prevention of Malicious Communication

Michael Kiperberg, Raz Ben Yehuda, Nezer J. Zaidenberg

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

Abstract

Malicious programs vary widely in their functionality, from key-logging to disk encryption. However, most malicious programs communicate with their operators, thus revealing themselves to various security tools. The security tools incorporated within an operating system are vulnerable to attacks due to the large attack surface of the operating system kernel and modules. We present a kernel module that demonstrates how kernel-mode access can be used to bypass any security mechanism that is implemented in kernel-mode. External security tools, like firewalls, lack important information about the origin of the intercepted packets, thus their filtering policy is usually insufficient to prevent communication between the malicious program and its operator. We propose to use a thin hypervisor, which we call “HyperWall”, to prevent malicious communication. The proposed system is effective against an attacker who has gained access to kernel-mode. Our performance evaluation shows that the system incurs insignificant (≈ 1.64% on average) performance degradation in real-world applications.

Original language	English
Title of host publication	Network and System Security - 14th International Conference, NSS 2020, Proceedings
Editors	Mirosław Kutyłowski, Jun Zhang, Chao Chen
Publisher	Springer Science and Business Media Deutschland GmbH
Pages	79-93
Number of pages	15
ISBN (Print)	9783030657444
DOIs	https://doi.org/10.1007/978-3-030-65745-1_5
State	Published - 2020
Externally published	Yes
Event	14th International Conference on Network and System Security, NSS 2020 - Melbourne, Australia Duration: 25 Nov 2020 → 27 Nov 2020

Publication series

Name	Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume	12570 LNCS

Conference

Conference	14th International Conference on Network and System Security, NSS 2020
Country/Territory	Australia
City	Melbourne
Period	25/11/20 → 27/11/20

Keywords

Hypervisors
Network security
Trusted computing base
Virtual machine monitors

All Science Journal Classification (ASJC) codes

Theoretical Computer Science
General Computer Science

Access to Document

10.1007/978-3-030-65745-1_5

Cite this

Kiperberg, M., Yehuda, R. B., & Zaidenberg, N. J. (2020). HyperWall: A Hypervisor for Detection and Prevention of Malicious Communication. In M. Kutyłowski, J. Zhang, & C. Chen (Eds.), Network and System Security - 14th International Conference, NSS 2020, Proceedings (pp. 79-93). (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 12570 LNCS). Springer Science and Business Media Deutschland GmbH. https://doi.org/10.1007/978-3-030-65745-1_5

Kiperberg, Michael ; Yehuda, Raz Ben ; Zaidenberg, Nezer J. / HyperWall : A Hypervisor for Detection and Prevention of Malicious Communication. Network and System Security - 14th International Conference, NSS 2020, Proceedings. editor / Mirosław Kutyłowski ; Jun Zhang ; Chao Chen. Springer Science and Business Media Deutschland GmbH, 2020. pp. 79-93 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)).

@inproceedings{7f1035b5450f4db488a17e14d0ff9cb3,

title = "HyperWall: A Hypervisor for Detection and Prevention of Malicious Communication",

abstract = "Malicious programs vary widely in their functionality, from key-logging to disk encryption. However, most malicious programs communicate with their operators, thus revealing themselves to various security tools. The security tools incorporated within an operating system are vulnerable to attacks due to the large attack surface of the operating system kernel and modules. We present a kernel module that demonstrates how kernel-mode access can be used to bypass any security mechanism that is implemented in kernel-mode. External security tools, like firewalls, lack important information about the origin of the intercepted packets, thus their filtering policy is usually insufficient to prevent communication between the malicious program and its operator. We propose to use a thin hypervisor, which we call “HyperWall”, to prevent malicious communication. The proposed system is effective against an attacker who has gained access to kernel-mode. Our performance evaluation shows that the system incurs insignificant (≈ 1.64% on average) performance degradation in real-world applications.",

keywords = "Hypervisors, Network security, Trusted computing base, Virtual machine monitors",

author = "Michael Kiperberg and Yehuda, {Raz Ben} and Zaidenberg, {Nezer J.}",

note = "Publisher Copyright: {\textcopyright} 2020, Springer Nature Switzerland AG.; 14th International Conference on Network and System Security, NSS 2020 ; Conference date: 25-11-2020 Through 27-11-2020",

year = "2020",

doi = "10.1007/978-3-030-65745-1_5",

language = "الإنجليزيّة",

isbn = "9783030657444",

series = "Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)",

publisher = "Springer Science and Business Media Deutschland GmbH",

pages = "79--93",

editor = "Miros{\l}aw Kuty{\l}owski and Jun Zhang and Chao Chen",

booktitle = "Network and System Security - 14th International Conference, NSS 2020, Proceedings",

address = "ألمانيا",

}

Kiperberg, M, Yehuda, RB & Zaidenberg, NJ 2020, HyperWall: A Hypervisor for Detection and Prevention of Malicious Communication. in M Kutyłowski, J Zhang & C Chen (eds), Network and System Security - 14th International Conference, NSS 2020, Proceedings. Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), vol. 12570 LNCS, Springer Science and Business Media Deutschland GmbH, pp. 79-93, 14th International Conference on Network and System Security, NSS 2020, Melbourne, Australia, 25/11/20. https://doi.org/10.1007/978-3-030-65745-1_5

HyperWall: A Hypervisor for Detection and Prevention of Malicious Communication. / Kiperberg, Michael; Yehuda, Raz Ben; Zaidenberg, Nezer J.
Network and System Security - 14th International Conference, NSS 2020, Proceedings. ed. / Mirosław Kutyłowski; Jun Zhang; Chao Chen. Springer Science and Business Media Deutschland GmbH, 2020. p. 79-93 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 12570 LNCS).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

TY - GEN

T1 - HyperWall

T2 - 14th International Conference on Network and System Security, NSS 2020

AU - Kiperberg, Michael

AU - Yehuda, Raz Ben

AU - Zaidenberg, Nezer J.

PY - 2020

Y1 - 2020

N2 - Malicious programs vary widely in their functionality, from key-logging to disk encryption. However, most malicious programs communicate with their operators, thus revealing themselves to various security tools. The security tools incorporated within an operating system are vulnerable to attacks due to the large attack surface of the operating system kernel and modules. We present a kernel module that demonstrates how kernel-mode access can be used to bypass any security mechanism that is implemented in kernel-mode. External security tools, like firewalls, lack important information about the origin of the intercepted packets, thus their filtering policy is usually insufficient to prevent communication between the malicious program and its operator. We propose to use a thin hypervisor, which we call “HyperWall”, to prevent malicious communication. The proposed system is effective against an attacker who has gained access to kernel-mode. Our performance evaluation shows that the system incurs insignificant (≈ 1.64% on average) performance degradation in real-world applications.

AB - Malicious programs vary widely in their functionality, from key-logging to disk encryption. However, most malicious programs communicate with their operators, thus revealing themselves to various security tools. The security tools incorporated within an operating system are vulnerable to attacks due to the large attack surface of the operating system kernel and modules. We present a kernel module that demonstrates how kernel-mode access can be used to bypass any security mechanism that is implemented in kernel-mode. External security tools, like firewalls, lack important information about the origin of the intercepted packets, thus their filtering policy is usually insufficient to prevent communication between the malicious program and its operator. We propose to use a thin hypervisor, which we call “HyperWall”, to prevent malicious communication. The proposed system is effective against an attacker who has gained access to kernel-mode. Our performance evaluation shows that the system incurs insignificant (≈ 1.64% on average) performance degradation in real-world applications.

KW - Hypervisors

KW - Network security

KW - Trusted computing base

KW - Virtual machine monitors

UR - http://www.scopus.com/inward/record.url?scp=85098249366&partnerID=8YFLogxK

U2 - 10.1007/978-3-030-65745-1_5

DO - 10.1007/978-3-030-65745-1_5

M3 - منشور من مؤتمر

SN - 9783030657444

T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)

SP - 79

EP - 93

BT - Network and System Security - 14th International Conference, NSS 2020, Proceedings

A2 - Kutyłowski, Mirosław

A2 - Zhang, Jun

A2 - Chen, Chao

PB - Springer Science and Business Media Deutschland GmbH

Y2 - 25 November 2020 through 27 November 2020

ER -

Kiperberg M, Yehuda RB, Zaidenberg NJ. HyperWall: A Hypervisor for Detection and Prevention of Malicious Communication. In Kutyłowski M, Zhang J, Chen C, editors, Network and System Security - 14th International Conference, NSS 2020, Proceedings. Springer Science and Business Media Deutschland GmbH. 2020. p. 79-93. (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)). doi: 10.1007/978-3-030-65745-1_5

HyperWall: A Hypervisor for Detection and Prevention of Malicious Communication

Abstract

Publication series

Conference

Keywords

All Science Journal Classification (ASJC) codes

Access to Document

Other files and links

Cite this