corners
Bryan D. Payne Banner Image

Research Summary

My current research focuses on techniques for integrating robust security into virtualization platforms. The figure below shows a high-level view of the system architecture that forms the foundation for my research. In this figure, multiple virtual machines (VMs) are running on a single hypervisor. Traditional applications are run in the VMs labeled A1 through An. Security and control functionality are each given a distinct VM. For example, the Xen hypervisor uses domain 0 as the control VM. This architecture is general enough to support a range of scenarios from end-user machines (where the application VMs could be used to separate tasks with different trust levels) to server platforms (where the application VMs could be different server workloads).

VM Security Diagram

The security VM is the key architectural feature for my research. Ideally, all security services could be run within this VM and the hypervisor could provide strong isolation properties to protect this VM. In practice, complete isolation makes effective security impossible. With this in mind, my research aims to find the best way to ensure the security of the application VMs.

The primary technique that I'm investigating is virtual machine introspection. This technique allows software in the security VM to view, and sometimes modify, the state of each application VM. Introspection allows the security VM to monitor and control the application VMs. The catch is that doing this properly is non-trivial. Some of the issues that must be resolved include:

  • Consistency: Introspection can view the state of application VMs while the VMs are running. This raises questions of consistency. Is the information being viewed in a consistent state? If you write to information in a running VM, how can you ensure that the write completes successfully and doesn't damage the running system?
  • Semantic Gap: Introspection views memory at the lowest level by looking at memory pages and the bytes on those pages. Meaningful applications would benefit from working at a higher level such as processes, application data, and kernel symbols. One challenge is to bridge this semantic gap in a way that survives system upgrades in the applications VMs.
  • Runtime Hooks: Introspection is limited to polling the state of an application VM. This provides attackers a narrow window of opportunity to execute attacks. An alternative to polling is to insert runtime hooks into the application VMs. However, this raises new concerns of how to properly protect those hooks.

I maintain some additional resources related to this research and my general interests in computer security. You can see what I have been reading and a list of upcoming conferences related to these fields. In addition, I am compiling an abridged record of the history of computer security research.

Publications

  • J Wei, BD Payne, J Giffin, and C Pu. Soft-Timer Driven Transient Kernel Control Flow Attacks and Defense. To appear in Proceedings of the 24th Annual Computer Security Applications Conference (ACSAC 2008), December 2008. pdf bibtex
  • BD Payne and WK Edwards. A Brief Introduction to Usable Security. In IEEE Internet Computing, Special Issue on Usable Security & Privacy, 12(3): 13 - 21, May/June 2008. bibtex
  • BD Payne, M Carbone, M Sharif, and W Lee. Lares: An Architecture for Secure Active Monitoring Using Virtualization. In Proceedings of the IEEE Symposium on Security and Privacy (Oakland 2008), May 2008. pdf bibtex
  • BD Payne, M Carbone, and W Lee. Secure and Flexible Monitoring of Virtual Machines. In Proceedings of the 23rd Annual Computer Security Applications Conference (ACSAC 2007), December 2007. pdf bibtex
  • BD Payne, R Sailer, R Caceres, R Perez, and W Lee. A Layered Approach to Simplified Access Control in Virtualized Systems. ACM SIGOPS Operating Systems Review, 41(4): 12 - 19, July 2007. pdf bibtex

Additional information, such as a listing of papers that cite my work, can be found on Google Scholar.