Arav

Abstract

Virtual Routers (VRs) are increasingly common in cloud environments. VRs route traffic between network segments and support network services. Routers, including VRs, have been the target of several recent high-profile attacks, emphasizing the need for more security measures, including security monitoring. However, existing agent-based monitoring systems are incompatible with a VR's temporary nature, stripped-down operating system, and placement in the cloud. As a result, VRs are often not monitored, leading to undetected security incidents. This paper proposes a new security monitoring design that leverages virtualization instead of in-guest agents. Its hypervisor-based system, Arav, scrutinizes VRs by novel application of Virtual Machine Introspection (VMI) breakpoint injection. Arav monitored and addressed security-related events in two common VRs, pfSense and VyOS, and detected four attacks against two popular VR services, Quagga and OpenVPN. Arav's performance overhead is negligible, less than 0.63%, demonstrating VMI's utility in monitoring virtual machines unsuitable for traditional security monitoring.