hInjector

Update: This tool is no longer maintained and supported.

hInjector is a tool for injecting hypercall attacks in virtualized environments for the purpose of evaluating hypercall security mechanisms - intrusion detection systems and mandatory access control mechanisms. hInjector injects hypercall attacks during regular operation of guest virtual machines, crafted with respect to representative attack models. The current implementation of hInjector is for the Xen hypervisor, which can be ported to other open-source hypervisors, such as KVM.

For more information, please contact Aleksandar Milenkoski.

Links:

Source Code @ Github

Mailing List

Publications

2019[ to top ]

Towards Testing the Software Aging Behavior of Hypervisor Hypercall Interfaces. L. Beierlieb; L. Iffländer; A. Milenkoski; C. F. Goncalves; N. Antunes; S. Kounev; in 2019 {IEEE} International Symposium on Software Reliability Engineering Workshops ({ISSREW}) (2019).
- [ Abstract ]
- [ BibTeX ]
- [ EndNote ]
With the continuing rise of cloud technology hypervisors play a vital role in the performance and reliability of current services. As long-running applications, they are susceptible to software aging. Hypervisors offer so-called hypercall interfaces for communication with the hosted virtual machines. These interfaces require thorough robustness to assure performance, security, and reliability. Existing research either deals with the aging properties of hypervisors in general without considering the hypercalls or focuses on finding hypercall-related vulnerabilities. In this work, we discuss open challenges regarding hypercall interfaces. To address these challenges, we propose an extensive framework architecture to perform robustness testing on hypercall interfaces. This framework supports extensive test campaigns as well as the modeling of hypercall interfaces.

@inproceedings{Beierlieb_2019_TowardsTestingtheSoftwareAgingBehaviorofHypervisorHypercallInterfaces, abstract = {With the continuing rise of cloud technology hypervisors play a vital role in the performance and reliability of current services. As long-running applications, they are susceptible to software aging. Hypervisors offer so-called hypercall interfaces for communication with the hosted virtual machines. These interfaces require thorough robustness to assure performance, security, and reliability. Existing research either deals with the aging properties of hypervisors in general without considering the hypercalls or focuses on finding hypercall-related vulnerabilities. In this work, we discuss open challenges regarding hypercall interfaces. To address these challenges, we propose an extensive framework architecture to perform robustness testing on hypercall interfaces. This framework supports extensive test campaigns as well as the modeling of hypercall interfaces.}, author = {Beierlieb, Lukas and Iffländer, Lukas and Milenkoski, Aleksandar and Goncalves, Charles F. and Antunes, Nuno and Kounev, Samuel}, booktitle = {2019 {IEEE} International Symposium on Software Reliability Engineering Workshops ({ISSREW})}, keywords = {t_workshop}, month = 11, organization = {{IEEE}}, title = {Towards Testing the Software Aging Behavior of Hypervisor Hypercall Interfaces}, year = 2019 }

%0 Conference Paper %1 Beierlieb_2019_TowardsTestingtheSoftwareAgingBehaviorofHypervisorHypercallInterfaces %A Beierlieb, Lukas %A Iffländer, Lukas %A Milenkoski, Aleksandar %A Goncalves, Charles F. %A Antunes, Nuno %A Kounev, Samuel %B 2019 {IEEE} International Symposium on Software Reliability Engineering Workshops ({ISSREW}) %D 2019 %T Towards Testing the Software Aging Behavior of Hypervisor Hypercall Interfaces %X With the continuing rise of cloud technology hypervisors play a vital role in the performance and reliability of current services. As long-running applications, they are susceptible to software aging. Hypervisors offer so-called hypercall interfaces for communication with the hosted virtual machines. These interfaces require thorough robustness to assure performance, security, and reliability. Existing research either deals with the aging properties of hypervisors in general without considering the hypercalls or focuses on finding hypercall-related vulnerabilities. In this work, we discuss open challenges regarding hypercall interfaces. To address these challenges, we propose an extensive framework architecture to perform robustness testing on hypercall interfaces. This framework supports extensive test campaigns as well as the modeling of hypercall interfaces.
Towards Testing the Performance Influence of Hypervisor Hypercall Interface Behavior. L. Beierlieb; L. Iffländer; S. Kounev; A. Milenkoski; in Proceedings of the 10th Symposium on Software Performance 2019 (SSP’19) (2019).
- [ Abstract ]
- [ BibTeX ]
- [ EndNote ]
With the continuing rise of cloud technology hypervisors play a vital role in the performance and reliability of current services. Hypervisors offer so-called hypercall interfaces for communication with the hosted virtual machines. These interfaces require thorough robustness to assure performance, security, and reliability. Existing research focusses on finding hypercall-related vulnerabilities. In this work, we discuss open challenges regarding hypercall interfaces. To address these challenges, we propose an extensive framework architecture to perform robustness testing on hypercall interfaces. This framework supports test campaigns and modeling of hypercall interfaces.

@inproceedings{Beierlieb_2019_TowardsTestingthePerformanceInfluenceofHypervisorHypercallInterfaceBehavior, abstract = {With the continuing rise of cloud technology hypervisors play a vital role in the performance and reliability of current services. Hypervisors offer so-called hypercall interfaces for communication with the hosted virtual machines. These interfaces require thorough robustness to assure performance, security, and reliability. Existing research focusses on finding hypercall-related vulnerabilities. In this work, we discuss open challenges regarding hypercall interfaces. To address these challenges, we propose an extensive framework architecture to perform robustness testing on hypercall interfaces. This framework supports test campaigns and modeling of hypercall interfaces.}, author = {Beierlieb, Lukas and Iffländer, Lukas and Kounev, Samuel and Milenkoski, Aleksandar}, booktitle = {Proceedings of the 10th Symposium on Software Performance 2019 (SSP'19)}, keywords = {t_workshop}, month = 11, title = {Towards Testing the Performance Influence of Hypervisor Hypercall Interface Behavior}, year = 2019 }

%0 Conference Paper %1 Beierlieb_2019_TowardsTestingthePerformanceInfluenceofHypervisorHypercallInterfaceBehavior %A Beierlieb, Lukas %A Iffländer, Lukas %A Kounev, Samuel %A Milenkoski, Aleksandar %B Proceedings of the 10th Symposium on Software Performance 2019 (SSP'19) %D 2019 %T Towards Testing the Performance Influence of Hypervisor Hypercall Interface Behavior %X With the continuing rise of cloud technology hypervisors play a vital role in the performance and reliability of current services. Hypervisors offer so-called hypercall interfaces for communication with the hosted virtual machines. These interfaces require thorough robustness to assure performance, security, and reliability. Existing research focusses on finding hypercall-related vulnerabilities. In this work, we discuss open challenges regarding hypercall interfaces. To address these challenges, we propose an extensive framework architecture to perform robustness testing on hypercall interfaces. This framework supports test campaigns and modeling of hypercall interfaces.

2015[ to top ]

{Evaluation of Intrusion Detection Systems in Virtualized Environments Using Attack Injection}. A. Milenkoski; B. D. Payne; N. Antunes; M. Vieira; S. Kounev; A. Avritzer; M. Luft; in The 18th International Symposium on Research in Attacks, Intrusions, and Defenses (RAID 2015) (2015).
- [ Abstract ]
- [ BibTeX ]
- [ EndNote ]
- [ URL ]
{The evaluation of intrusion detection systems (IDSes) is an active research area with many open challenges, one of which is the generation of representative workloads that contain attacks. In this paper, we propose a novel approach for the rigorous evaluation of IDSes in virtualized environments, with a focus on IDSes designed to detect attacks leveraging or targeting the hypervisor via its hypercall interface. We present hInjector, a tool for generating IDS evaluation workloads by injecting such attacks during regular operation of a virtualized environment. We demonstrate the application of our approach and show its practical usefulness by evaluating a representative IDS designed to operate in virtualized environments. The virtualized environment of the industry-standard benchmark SPECvirt_sc2013 is used as a testbed, whose drivers generate workloads representative of workloads seen in production environments. This work enables for the first time the injection of attacks in virtualized environments for the purpose of generating representative IDS evaluation workloads.}

@inproceedings{MiPaAnViKoAvLu2015-RAID-Challenges, abstract = {{The evaluation of intrusion detection systems (IDSes) is an active research area with many open challenges, one of which is the generation of representative workloads that contain attacks. In this paper, we propose a novel approach for the rigorous evaluation of IDSes in virtualized environments, with a focus on IDSes designed to detect attacks leveraging or targeting the hypervisor via its hypercall interface. We present hInjector, a tool for generating IDS evaluation workloads by injecting such attacks during regular operation of a virtualized environment. We demonstrate the application of our approach and show its practical usefulness by evaluating a representative IDS designed to operate in virtualized environments. The virtualized environment of the industry-standard benchmark SPECvirt_sc2013 is used as a testbed, whose drivers generate workloads representative of workloads seen in production environments. This work enables for the first time the injection of attacks in virtualized environments for the purpose of generating representative IDS evaluation workloads.}}, author = {Milenkoski, Aleksandar and Payne, Bryan D. and Antunes, Nuno and Vieira, Marco and Kounev, Samuel and Avritzer, Alberto and Luft, Matthias}, booktitle = {The 18th International Symposium on Research in Attacks, Intrusions, and Defenses (RAID 2015)}, keywords = {Virtualization}, month = {{November}}, note = {{Acceptance Rate: 23%.}}, publisher = {{Springer}}, title = {{Evaluation of Intrusion Detection Systems in Virtualized Environments Using Attack Injection}}, year = 2015 }

%0 Conference Paper %1 MiPaAnViKoAvLu2015-RAID-Challenges %A Milenkoski, Aleksandar %A Payne, Bryan D. %A Antunes, Nuno %A Vieira, Marco %A Kounev, Samuel %A Avritzer, Alberto %A Luft, Matthias %B The 18th International Symposium on Research in Attacks, Intrusions, and Defenses (RAID 2015) %D 2015 %I {Springer} %T {Evaluation of Intrusion Detection Systems in Virtualized Environments Using Attack Injection} %U http://link.springer.com/chapter/10.1007/978-3-319-26362-5_22 %X {The evaluation of intrusion detection systems (IDSes) is an active research area with many open challenges, one of which is the generation of representative workloads that contain attacks. In this paper, we propose a novel approach for the rigorous evaluation of IDSes in virtualized environments, with a focus on IDSes designed to detect attacks leveraging or targeting the hypervisor via its hypercall interface. We present hInjector, a tool for generating IDS evaluation workloads by injecting such attacks during regular operation of a virtualized environment. We demonstrate the application of our approach and show its practical usefulness by evaluating a representative IDS designed to operate in virtualized environments. The virtualized environment of the industry-standard benchmark SPECvirt_sc2013 is used as a testbed, whose drivers generate workloads representative of workloads seen in production environments. This work enables for the first time the injection of attacks in virtualized environments for the purpose of generating representative IDS evaluation workloads.}

2014[ to top ]

{Experience Report: An Analysis of Hypercall Handler Vulnerabilities}. A. Milenkoski; B. D. Payne; N. Antunes; M. Vieira; S. Kounev; in {Proceedings of The 25th IEEE International Symposium on Software Reliability Engineering (ISSRE 2014) --- Research Track} (2014).
- [ Abstract ]
- [ BibTeX ]
- [ EndNote ]
- [ URL ]
{Hypervisors are becoming increasingly ubiquitous with the growing proliferation of virtualized data centers. As a result, attackers are exploring vectors to attack hypervisors, against which an attack may be executed via several attack vectors such as device drivers, virtual machine exit events, or hypercalls. Hypercalls enable intrusions in hypervisors through their hypercall interfaces. Despite the importance, there is very limited publicly available information on vulnerabilities of hypercall handlers and attacks triggering them, which significantly hinders advances towards monitoring and securing these interfaces. In this paper, we characterize the hypercall attack surface based on analyzing a set of vulnerabilities of hypercall handlers. We systematize and discuss the errors that caused the considered vulnerabilities, and activities for executing attacks triggering them. We also demonstrate attacks triggering the considered vulnerabilities and analyze their effects. Finally, we suggest an action plan for improving the security of hypercall interfaces.}

@inproceedings{MiPaAnViKo2014-ISSRE-AnAnalHypHanVulns, abstract = {{Hypervisors are becoming increasingly ubiquitous with the growing proliferation of virtualized data centers. As a result, attackers are exploring vectors to attack hypervisors, against which an attack may be executed via several attack vectors such as device drivers, virtual machine exit events, or hypercalls. Hypercalls enable intrusions in hypervisors through their hypercall interfaces. Despite the importance, there is very limited publicly available information on vulnerabilities of hypercall handlers and attacks triggering them, which significantly hinders advances towards monitoring and securing these interfaces. In this paper, we characterize the hypercall attack surface based on analyzing a set of vulnerabilities of hypercall handlers. We systematize and discuss the errors that caused the considered vulnerabilities, and activities for executing attacks triggering them. We also demonstrate attacks triggering the considered vulnerabilities and analyze their effects. Finally, we suggest an action plan for improving the security of hypercall interfaces.}}, address = {{Washington DC, USA}}, author = {Milenkoski, Aleksandar and Payne, Bryan D. and Antunes, Nuno and Vieira, Marco and Kounev, Samuel}, booktitle = {{Proceedings of The 25th IEEE International Symposium on Software Reliability Engineering (ISSRE 2014) — Research Track}}, keywords = {Reliability}, month = 11, note = {Acceptance Rate: 25\%, <b>Best Paper Award Nomination</b>}, organization = {IEEE}, publisher = {IEEE Computer Society}, title = {{Experience Report: An Analysis of Hypercall Handler Vulnerabilities}}, year = 2014 }

%0 Conference Paper %1 MiPaAnViKo2014-ISSRE-AnAnalHypHanVulns %A Milenkoski, Aleksandar %A Payne, Bryan D. %A Antunes, Nuno %A Vieira, Marco %A Kounev, Samuel %B {Proceedings of The 25th IEEE International Symposium on Software Reliability Engineering (ISSRE 2014) --- Research Track} %C {Washington DC, USA} %D 2014 %I IEEE Computer Society %T {Experience Report: An Analysis of Hypercall Handler Vulnerabilities} %U http://ieeexplore.ieee.org/xpl/articleDetails.jsp?arnumber=6982618 %X {Hypervisors are becoming increasingly ubiquitous with the growing proliferation of virtualized data centers. As a result, attackers are exploring vectors to attack hypervisors, against which an attack may be executed via several attack vectors such as device drivers, virtual machine exit events, or hypercalls. Hypercalls enable intrusions in hypervisors through their hypercall interfaces. Despite the importance, there is very limited publicly available information on vulnerabilities of hypercall handlers and attacks triggering them, which significantly hinders advances towards monitoring and securing these interfaces. In this paper, we characterize the hypercall attack surface based on analyzing a set of vulnerabilities of hypercall handlers. We systematize and discuss the errors that caused the considered vulnerabilities, and activities for executing attacks triggering them. We also demonstrate attacks triggering the considered vulnerabilities and analyze their effects. Finally, we suggest an action plan for improving the security of hypercall interfaces.}
{Technical Information on Vulnerabilities of Hypercall Handlers} A. Milenkoski; M. Vieira; B. D. Payne; N. Antunes; S. Kounev; (2014).
- [ Abstract ]
- [ BibTeX ]
- [ EndNote ]
{Modern virtualized service infrastructures expose attack vectors that enable attacks of high severity, such as attacks targeting hypervisors. A malicious user of a guest VM (virtual machine) may execute an attack against the underlying hypervisor via hypercalls, which are software traps from a kernel of a fully or partially paravirtualized guest VM to the hypervisor. The exploitation of a vulnerability of a hypercall handler may have severe consequences such as altering hypervisor's memory, which may result in the execution of malicious code with hypervisor privilege. Despite the importance of vulnerabilities of hypercall handlers, there is not much publicly available information on them. This significantly hinders advances towards securing hypercall interfaces. In this work, we provide in-depth technical information on publicly disclosed vulnerabilities of hypercall handlers. Our vulnerability analysis is based on reverse engineering the released patches fixing the considered vulnerabilities. For each analyzed vulnerability, we provide background information essential for understanding the vulnerability, and information on the vulnerable hypercall handler and the error causing the vulnerability. We also show how the vulnerability can be triggered and discuss the state of the targeted hypervisor after the vulnerability has been triggered.}

@techreport{MiViPaAnKo2014-TechReport-TechInformation, abstract = {{Modern virtualized service infrastructures expose attack vectors that enable attacks of high severity, such as attacks targeting hypervisors. A malicious user of a guest VM (virtual machine) may execute an attack against the underlying hypervisor via hypercalls, which are software traps from a kernel of a fully or partially paravirtualized guest VM to the hypervisor. The exploitation of a vulnerability of a hypercall handler may have severe consequences such as altering hypervisor's memory, which may result in the execution of malicious code with hypervisor privilege. Despite the importance of vulnerabilities of hypercall handlers, there is not much publicly available information on them. This significantly hinders advances towards securing hypercall interfaces. In this work, we provide in-depth technical information on publicly disclosed vulnerabilities of hypercall handlers. Our vulnerability analysis is based on reverse engineering the released patches fixing the considered vulnerabilities. For each analyzed vulnerability, we provide background information essential for understanding the vulnerability, and information on the vulnerable hypercall handler and the error causing the vulnerability. We also show how the vulnerability can be triggered and discuss the state of the targeted hypervisor after the vulnerability has been triggered.}}, address = {{7001 Heritage Village Plaza Suite 225, Gainesville, VA 20155, USA}}, author = {Milenkoski, Aleksandar and Vieira, Marco and Payne, Bryan D. and Antunes, Nuno and Kounev, Samuel}, institution = {SPEC Research Group - IDS Benchmarking Working Group, Standard Performance Evaluation Corporation (SPEC)}, keywords = {Reliability}, month = {08}, title = {{Technical Information on Vulnerabilities of Hypercall Handlers}}, type = {{Technical Report SPEC-RG-2014-001 v.1.0}}, year = 2014 }

%0 Report %1 MiViPaAnKo2014-TechReport-TechInformation %A Milenkoski, Aleksandar %A Vieira, Marco %A Payne, Bryan D. %A Antunes, Nuno %A Kounev, Samuel %C {7001 Heritage Village Plaza Suite 225, Gainesville, VA 20155, USA} %D 2014 %T {Technical Information on Vulnerabilities of Hypercall Handlers} %X {Modern virtualized service infrastructures expose attack vectors that enable attacks of high severity, such as attacks targeting hypervisors. A malicious user of a guest VM (virtual machine) may execute an attack against the underlying hypervisor via hypercalls, which are software traps from a kernel of a fully or partially paravirtualized guest VM to the hypervisor. The exploitation of a vulnerability of a hypercall handler may have severe consequences such as altering hypervisor's memory, which may result in the execution of malicious code with hypervisor privilege. Despite the importance of vulnerabilities of hypercall handlers, there is not much publicly available information on them. This significantly hinders advances towards securing hypercall interfaces. In this work, we provide in-depth technical information on publicly disclosed vulnerabilities of hypercall handlers. Our vulnerability analysis is based on reverse engineering the released patches fixing the considered vulnerabilities. For each analyzed vulnerability, we provide background information essential for understanding the vulnerability, and information on the vulnerable hypercall handler and the error causing the vulnerability. We also show how the vulnerability can be triggered and discuss the state of the targeted hypervisor after the vulnerability has been triggered.}

2013[ to top ]

{HInjector: Injecting Hypercall Attacks for Evaluating VMI-based Intrusion Detection Systems}. A. Milenkoski; B. D. Payne; N. Antunes; M. Vieira; S. Kounev; in The 2013 Annual Computer Security Applications Conference (ACSAC 2013) (2013).
- [ BibTeX ]
- [ EndNote ]
- [ URL ]
@inproceedings{MiPaAnViKo2013-ACSAC-HInjector, address = {Maryland, USA}, author = {Milenkoski, Aleksandar and Payne, Bryan D. and Antunes, Nuno and Vieira, Marco and Kounev, Samuel}, booktitle = {The 2013 Annual Computer Security Applications Conference (ACSAC 2013)}, keywords = {Reliability}, month = {03}, publisher = {{Applied Computer Security Associates (ACSA)}}, title = {{HInjector: Injecting Hypercall Attacks for Evaluating VMI-based Intrusion Detection Systems}}, year = 2013 }

%0 Conference Paper %1 MiPaAnViKo2013-ACSAC-HInjector %A Milenkoski, Aleksandar %A Payne, Bryan D. %A Antunes, Nuno %A Vieira, Marco %A Kounev, Samuel %B The 2013 Annual Computer Security Applications Conference (ACSAC 2013) %C Maryland, USA %D 2013 %I {Applied Computer Security Associates (ACSA)} %T {HInjector: Injecting Hypercall Attacks for Evaluating VMI-based Intrusion Detection Systems} %U https://www.acsac.org/2013/program-files/p65.html

2012[ to top ]

{Towards Benchmarking Intrusion Detection Systems for Virtualized Cloud Environments}. A. Milenkoski; S. Kounev; in Proceedings of the 7th International Conference for Internet Technology and Secured Transactions (ICITST 2012) (2012). 562–563.
- [ Abstract ]
- [ BibTeX ]
- [ EndNote ]
- [ URL ]
{Many recent research works propose novel architectures of intrusion detection systems specifically designed to operate in virtualized environments. However, little attention has been given to the evaluation and benchmarking of such architectures with respect to their performance and dependability. In this paper, we present a research roadmap towards developing a framework for benchmarking intrusion detection systems for cloud environments in a scientifically rigorous and a representative manner.}

@inproceedings{MiKo2011-ICITST-TowardsBenchmarking, abstract = {{Many recent research works propose novel architectures of intrusion detection systems specifically designed to operate in virtualized environments. However, little attention has been given to the evaluation and benchmarking of such architectures with respect to their performance and dependability. In this paper, we present a research roadmap towards developing a framework for benchmarking intrusion detection systems for cloud environments in a scientifically rigorous and a representative manner.}}, address = {New York, USA}, author = {Milenkoski, Aleksandar and Kounev, Samuel}, booktitle = {Proceedings of the 7th International Conference for Internet Technology and Secured Transactions (ICITST 2012)}, keywords = {Virtualization}, month = 12, pages = {562–563}, publisher = {IEEE}, title = {{Towards Benchmarking Intrusion Detection Systems for Virtualized Cloud Environments}}, year = 2012 }

%0 Conference Paper %1 MiKo2011-ICITST-TowardsBenchmarking %A Milenkoski, Aleksandar %A Kounev, Samuel %B Proceedings of the 7th International Conference for Internet Technology and Secured Transactions (ICITST 2012) %C New York, USA %D 2012 %I IEEE %P 562--563 %T {Towards Benchmarking Intrusion Detection Systems for Virtualized Cloud Environments} %U http://ieeexplore.ieee.org/xpl/login.jsp?tp=&arnumber=6470873 %X {Many recent research works propose novel architectures of intrusion detection systems specifically designed to operate in virtualized environments. However, little attention has been given to the evaluation and benchmarking of such architectures with respect to their performance and dependability. In this paper, we present a research roadmap towards developing a framework for benchmarking intrusion detection systems for cloud environments in a scientifically rigorous and a representative manner.}

Your E-mail address:
Your Name (optional):

Update: This tool is no longer maintained and supported.

hInjector

Mailing List

Bildnachweise