RESEARCH PRODUCT
HyperWall: A Hypervisor for Detection and Prevention of Malicious Communication
Authors: Raz Ben Yehuda, Nezer Jacob Zaidenberg, Michael Kiperberg

Subjects: 021110 strategic defence & security studies; 0211 other engineering and technologies; 02 engineering and technology; 020204 information systems; 0202 electrical engineering, electronic engineering, information engineering; Software; Operating systems; Network security; Computer science; Network packet; Hypervisor; Attack surface; Computer security; Operator (computer programming); Trusted computing base; Disk encryption; Kernel

Description:
Malicious programs vary widely in their functionality, from key-logging to disk encryption. However, most malicious programs communicate with their operators, thus revealing themselves to various security tools. The security tools incorporated within an operating system are vulnerable to attacks because of the large attack surface of the operating system kernel and its modules. We present a kernel module that demonstrates how kernel-mode access can be used to bypass any security mechanism that is implemented in kernel mode. External security tools, like firewalls, lack important information about the origin of the intercepted packets, so their filtering policy is usually insufficient to prevent communication between the malicious program and its operator. We propose to use a thin hypervisor, which we call "HyperWall", to prevent malicious communication. The proposed system is effective against an attacker who has gained access to kernel mode. Our performance evaluation shows that the system incurs insignificant (≈1.64% on average) performance degradation in real-world applications.
| year | journal | country | edition | language |
|---|---|---|---|---|
| 2020-01-01 | | | | |