Tamper-resistant, application-aware blocking of malicious network connections

Abstract

Application-level firewalls block traffic based on the process that is sending or receiving the network flow. They help detect bots, worms, and backdoors that send or receive malicious packets without the knowledge of users. Recent attacks show that these firewalls can be disabled by knowledgeable attackers. To counter this threat, we develop VMwall, a fine-grained tamper-resistant process-oriented firewall. VMwall's design blends the process knowledge of application-level firewalls with the isolation of traditional stand-alone firewalls. VMwall uses the Xen hypervisor to provide protection from malware, and it correlates TCP or UDP traffic with process information using virtual machine introspection. Experiments show that VMwall successfully blocks numerous real attacks (bots, worms, and backdoors) against a Linux system while allowing all legitimate network flows. VMwall is performant, imposing only a 0-1 millisecond delay on TCP connection establishment, less than a millisecond delay on UDP connections, and a 1-7% slowdown on network-bound applications. Our attack analysis argues that with the use of appropriate external protection of guest kernels, VMwall's introspection remains robust and helps identify malicious traffic. © 2008 Springer-Verlag Berlin Heidelberg.

Citation (APA)

Srivastava, A., & Giffin, J. (2008). Tamper-resistant, application-aware blocking of malicious network connections. In Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) (Vol. 5230 LNCS, pp. 39–58). https://doi.org/10.1007/978-3-540-87403-4_3
