DOI: 10.1145/2664243.2664246
research-article

Hot-hardening: getting more out of your security settings

Published: 08 December 2014

Abstract

Applying optimized security settings to applications is a difficult and laborious task. This is especially true in cloud computing, where virtual servers are leased with various pre-installed software packages. Optimized security settings are not identical in every setup: they depend on characteristics of the setup, on the ways an application is used, and on other applications running on the same system. Configuring optimized settings given these interdependencies is a complex and time-consuming task. In this work, we present an autonomous agent that improves the security settings of applications running in virtual servers. The agent retrieves custom-made security settings for a target application by investigating its specific setup, then tests and transparently changes settings via introspection techniques, without the virtual server being aware of it. During setting selection, the application's operation is not disturbed and no user interaction is needed. Since optimal settings can change over time or depend on the different tasks the application handles, the agent can continuously adapt settings as well as improve them periodically. We call this approach hot-hardening and present results of an implementation that can hot-harden popular networking applications such as Apache2 and OpenSSH.

Cited By

  • (2023) Hot Patching Hot Fixes: Reflection and Perspectives. 2023 38th IEEE/ACM International Conference on Automated Software Engineering (ASE), pages 1781-1786. DOI: 10.1109/ASE56229.2023.00021. Online publication date: 11-Sep-2023
  • (2020) Finding Faster Configurations Using FLASH. IEEE Transactions on Software Engineering, 46:7, pages 794-811. DOI: 10.1109/TSE.2018.2870895. Online publication date: 1-Jul-2020
  • (2015) Virtual Machine Introspection. Proceedings of the 2015 10th International Conference on Availability, Reliability and Security, pages 676-685. DOI: 10.1109/ARES.2015.43. Online publication date: 24-Aug-2015

Published In

ACSAC '14: Proceedings of the 30th Annual Computer Security Applications Conference
December 2014
492 pages
ISBN:9781450330053
DOI:10.1145/2664243

Sponsors

  • ACSA: Applied Computing Security Assoc

Publisher

Association for Computing Machinery

New York, NY, United States

Qualifiers

  • Research-article

Conference

ACSAC '14
Sponsor:
  • ACSA
ACSAC '14: Annual Computer Security Applications Conference
December 8 - 12, 2014
Louisiana, New Orleans, USA

Acceptance Rates

Overall Acceptance Rate 104 of 497 submissions, 21%
