Checking Function-Level Kernel Control Flow Integrity for Cloud Computing

With the advancement of cloud computing, the control flow integrity (CFI) of virtual machines' kernel becomes more and more important for the security of cloud services. Many CFI checking and protecting approaches have been proposed. Among them, dynamic analysis approaches have the best detection capability, but they are rarely used because of the high overhead introduced to the virtual machines to be monitored. In this paper, we propose a function-level kernel CFI checking approach to meet the performance requirements in the cloud. By combining the static memory analysis and the dynamic tracing, our system can achieve high detection capability with low overhead. Since the analysis and tracing targets of our system are kernel functions, our system incurs lower overhead to the monitored virtual machines than the instruction-level monitors. We propose two models to describe the kernel control flows. After building the secure control flow database by learning the normal behaviors, we can detect abnormal control flows in real time. With the help of virtualization and virtual machine introspection techniques, we implement a prototype system in the hardware virtualization environment. From the evaluation, our system has high detection capability with reasonable overhead.