Secure Offloading of User-level IDS with VM-compatible OS Emulation Layers for Intel SGX

Since virtual machines (VMs) provided by Infrastructure-as-a-Service clouds often suffer from attacks, they need to be monitored using intrusion detection systems (IDS). For secure execution of host-based IDS (HIDS), IDS offloading is used to run IDS outside target VMs, but offloaded IDS can still b...

Full description

Saved in:
Bibliographic Details
Main Authors: Kawamura, Takumi, Kourai, Kenichi
Format: Conference Proceeding
Language:English
Subjects:
Cloud computing
Emulation
Intel SGX
intrusion detection systems
Memory management
proc filesystem
Program processors
Programming
Virtual machine monitors
virtual machines
Virtual machining
VM introspection
Online Access:Request full text
Tags: Add Tag
No Tags, Be the first to tag this record!
Description
Summary:Since virtual machines (VMs) provided by Infrastructure-as-a-Service clouds often suffer from attacks, they need to be monitored using intrusion detection systems (IDS). For secure execution of host-based IDS (HIDS), IDS offloading is used to run IDS outside target VMs, but offloaded IDS can still be attacked. To address this issue, secure IDS offloading using Intel SGX has been proposed. However, IDS development requires kernel-level programming, which is difficult for most IDS developers. This paper proposes SCwatcher for enabling user-level HIDS running on top of the operating system (OS) to be securely offloaded using VM-compatible OS emulation layers for SGX. SCwatcher provides the standard OS interface used in a target VM to in-enclave IDS. Especially, the virtual proc filesystem called vProcFS analyzes OS data using VM introspection and returns the system information inside the target VM. We have implemented SCwatcher using Xen supporting SGX virtualization and two types of OS emulation layers for SGX called SCONE and Occlum. Then, we confirmed that SCwatcher could offload legacy HIDS and showed that the performance could be comparable to insecure IDS offloading.
ISSN:2159-6190
DOI:10.1109/CLOUD55607.2022.00035