Abstract

Historically, hands-on cybersecurity exercises have helped reinforce basic cybersecurity concepts. However, most of them have focused on user-level attacks and defenses and have not provided a convenient way to study kernel-level security. Since OS kernels provide the foundation for applications, any compromise of an OS kernel leads to a computer that cannot be trusted. Moreover, there has been great interest in using virtualization to profile, characterize, and observe kernel events, including security incidents. Virtual Machine Introspection (VMI) is a technique that has been investigated in depth for intrusion detection, malware analysis, and memory forensics. Inspired by the success of VMI, we used it to develop hands-on labs for teaching kernel-level security. In this work, we present three VMI-based labs, on (1) stack-based buffer overflow, (2) direct kernel object manipulation (DKOM), and (3) a kernel integrity checker, all of which have been made available online. We then analyze the differences between the approaches taken by VMI-based labs and traditional labs and conclude that, from a teaching standpoint, VMI-based labs are preferable to traditional labs because they provide more visibility and a superior ability to manipulate kernel memory, which gives students more insight into kernel security concepts.
