Vanguard: A Cache-Level Sensitive File Integrity Monitoring System in Virtual Machine Environment

Sensitive files in computer systems such as executable programs, configuration, and authorization information have a great importance of their own, in terms of both confidentiality and functionality. To protect sensitive files, an effective approach named as file integrity monitoring is proposed to...


Bibliographic Details
Main Authors: Bin Shi, Bo Li, Lei Cui, Liu Ouyang
Format: Article
Language: English
Published: IEEE 2018-01-01
Series: IEEE Access
Subjects: Page cache; file integrity; real-time; introspection; virtualization; cloud environment
Online Access: https://ieeexplore.ieee.org/document/8398204/
collection DOAJ
description Sensitive files in computer systems such as executable programs, configuration, and authorization information have a great importance of their own, in terms of both confidentiality and functionality. To protect sensitive files, an effective approach named as file integrity monitoring is proposed to detect aggressive behaviors by verifying all the actions on these sensitive files. However, due to semantic gap problems, current file integrity monitoring tools are incapable of monitoring files in memory, so that an illegal modification of a file may bypass the detection by deliberately hiding itself inside the cache without actually committing to the disk. In this paper, we propose a runtime sensitive file integrity monitoring system named Vanguard, to satisfy the requirement of cache-level file protection. It can monitor both IO operations and cache operations, thereby deterring the illegal file accesses. To achieve the cache-level monitoring, we explore the techniques to detect when sensitive files are loaded into and swapped out from the operating system page cache. Vanguard is isolated from the monitored system so it is hard to be subverted. We implement Vanguard on QEMU/KVM platform, and both Linux and Windows guest operating systems are supported. We conduct several experiments, and the experimental results show the effectiveness of Vanguard and imply that our method incurs acceptable overhead.
first_indexed 2024-12-13T12:51:34Z
format Article
id doaj.art-c1e0b50cbcfe47fdbbe87470a9dd0cb4
institution Directory Open Access Journal
issn 2169-3536
language English
last_indexed 2024-12-13T12:51:34Z
publishDate 2018-01-01
publisher IEEE
record_format Article
series IEEE Access
spelling doaj.art-c1e0b50cbcfe47fdbbe87470a9dd0cb4 | 2022-12-21T23:45:19Z | eng | IEEE | IEEE Access | 2169-3536 | 2018-01-01 | 6 | 38567 | 38577 | 10.1109/ACCESS.2018.2851192 | 8398204
Vanguard: A Cache-Level Sensitive File Integrity Monitoring System in Virtual Machine Environment
Bin Shi (0); Bo Li (1), https://orcid.org/0000-0002-6297-712X; Lei Cui (2); Liu Ouyang (3)
(0) School of Computer Science and Engineering, Beihang University, Beijing, China
(1) School of Computer Science and Engineering, Beihang University, Beijing, China
(2) Institute of Information Engineering, Chinese Academy of Sciences, Beijing, China
(3) Marketing Department, State Grid Zhejiang Electric Power Co., Ltd, Hangzhou, China
https://ieeexplore.ieee.org/document/8398204/
Page cache; file integrity; real-time; introspection; virtualization; cloud environment
topic Page cache
file integrity
real-time
introspection
virtualization
cloud environment