Visible to the public Arav: Monitoring a Cloud's Virtual Routers

TitleArav: Monitoring a Cloud's Virtual Routers
Publication TypeConference Paper
Year of Publication2017
AuthorsBushouse, Micah, Ahn, Sanghyun, Reeves, Douglas
Conference NameProceedings of the 12th Annual Conference on Cyber and Information Security Research
Conference LocationNew York, NY, USA
ISBN Number978-1-4503-4855-3
KeywordsCloud Security, Metrics, pubcrawl, resilience, Resiliency, Router Systems, Router Systems Security, security, virtual machine introspection, virtual routers

Virtual Routers (VRs) are increasingly common in cloud environments. VRs route traffic between network segments and support network services. Routers, including VRs, have been the target of several recent high-profile attacks, emphasizing the need for more security measures, including security monitoring. However, existing agent-based monitoring systems are incompatible with a VR's temporary nature, stripped-down operating system, and placement in the cloud. As a result, VRs are often not monitored, leading to undetected security incidents. This paper proposes a new security monitoring design that leverages virtualization instead of in-guest agents. Its hypervisor-based system, Arav, scrutinizes VRs by novel application of Virtual Machine Introspection (VMI) breakpoint injection. Arav monitored and addressed security-related events in two common VRs, pfSense and VyOS, and detected four attacks against two popular VR services, Quagga and OpenVPN. Arav's performance overhead is negligible, less than 0.63%, demonstrating VMI's utility in monitoring virtual machines unsuitable for traditional security monitoring.

Citation Keybushouse_arav:_2017