Abstract
Controlling when and how a process runs is essential to the security of a system. In virtualized environments, an out-of-guest approach to process control is attractive because it allows fine-grained in-guest inspection and enforcement from the relative safety of the hypervisor, which makes in-guest misconfiguration by users or deliberate interference by malware more difficult. However, prior work in this area is incomplete, either lacking policy enforcement, missing certain types of malicious code due to insufficient coverage, or being unable to scale to many simultaneous guests. This work introduces Goalkeeper, a hypervisor-based security system that focuses on asynchronous, stateless, and lightweight Virtual Machine Introspection (VMI) techniques to enforce comprehensive guest process security policies at scale across tens to hundreds of guests per hypervisor. Running beneath each guest, Goalkeeper uses policy rules to ensure only whitelisted guest processes are allowed to execute, and terminates policy violators using a customizable set of VMI-based process termination techniques. In an evaluation across a population of 100 Linux virtual desktops, Goalkeeper is shown to catch malicious code that is missed by prior work while imposing a comparable performance overhead.
Sign-in/Register to access full text options 
Free) 
Talk to us
Join us for a 30 min session where you can share your feedback and ask us any queries you have
Schedule a call
