A Methodology for Determining Forensic Data Requirements for Detecting Hypervisor Attacks

Chandramouli, Ramaswamy; Singhal, Anoop; Wijesekera, Duminda; Liu, Changwei

NISTIR 8221 (Draft)

Obsoleted on June 05, 2019 by NISTIR 8221.

A Methodology for Determining Forensic Data Requirements for Detecting Hypervisor Attacks

Date Published: September 2018
Comments Due: October 12, 2018 (public comment period is CLOSED)
Email Questions to: nistir8221@nist.gov

Author(s)

Ramaswamy Chandramouli (NIST), Anoop Singhal (NIST), Duminda Wijesekera (NIST), Changwei Liu (NIST)

Announcement

Hardware/Server Virtualization is now an integral feature of the infrastructure of data centers used for cloud computing services as well as for enterprise computing. One of the key strategies for vulnerability management of the core software that provides virtualization (i.e., hypervisor) is devising a methodology for determining forensic data requirements for detecting attacks on this software. This document outlines one such methodology by developing a profile of vulnerabilities in terms of hypervisor functionality (attack vectors), attack type and attack source, performing attacks using predominant vulnerabilities and identifying the available and missing data for reconstructing the attack execution path.

Abstract

Hardware/Server Virtualization is a key feature of data centers used for cloud computing services and enterprise computing that enables ubiquitous access to shared system resources. Server virtualization is typically performed by a hypervisor, which provides mechanisms to abstract hardware and system resources from an operating system. Hypervisors are large pieces of software with several thousand lines of code and are therefore known to have vulnerabilities. This document analyzes the recent vulnerabilities associated with two open-source hypervisors—Xen and KVM—as reported by the National Institute of Standards and Technology’s (NIST) National Vulnerability Database (NVD), and develops a profile of those vulnerabilities in terms of hypervisor functionality, attack type, and attack source. Based on the predominant number of vulnerabilities in a hypervisor functionality (attack vector), two sample attacks using those attack vectors were launched to exploit those vulnerabilities, and the associated system calls were logged. The objective was to determine the evidence coverage for detecting and reconstructing those attacks and identify techniques required to gather missing evidence.

Keywords

cloud computing; forensic analysis; hypervisors; KVM; vulnerabilities; Xen

Control Families

None selected

Documentation

Publication:
Draft NISTIR 8221

Supplemental Material:
None available

Document History:
09/21/18: NISTIR 8221 (Draft)
06/05/19: NISTIR 8221 (Final)

Topics

Security and Privacy
vulnerability management

Technologies
cloud & virtualization

Applications
forensics