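@comment{
  Three 2018 papers by Bushouse and Reeves on hypervisor-based (VMI) security.
  The original export gave all three entries the same citation key, so BibTeX
  would warn "Repeated entry" and only the first could ever be cited; the first
  key is kept unchanged and the other two carry a descriptive suffix.
  Fixes applied to the exported data: the two conference papers are
  @inproceedings with a booktitle instead of @article with an all-caps journal,
  the JSON-array wrappers around ISBN/ISSN are removed, page ranges use a
  double hyphen, the month uses the predefined macro, the literal ampersand in
  the journal name is escaped, and acronyms/product names in titles are braced
  so styles that apply sentence casing keep them intact. abstractNote is a
  Zotero export field that BibTeX ignores; it is kept as-is apart from
  replacing curly apostrophes with ASCII ones.
}

@inproceedings{bushouse_reeves_2018,
  author       = {Bushouse, Micah and Reeves, Douglas},
  title        = {{Furnace}: Self-service Tenant {VMI} for the Cloud},
  booktitle    = {Research in Attacks, Intrusions, and Defenses ({RAID} 2018)},
  volume       = {11050},
  pages        = {647--669},
  year         = {2018},
  doi          = {10.1007/978-3-030-00470-5_30},
  isbn         = {978-3-030-00469-9},
  issn         = {1611-3349},
  abstractNote = {Although Virtual Machine Introspection (VMI) tools are increasingly capable, modern multi-tenant cloud providers are hesitant to expose the sensitive hypervisor APIs necessary for tenants to use them. Outside the cloud, VMI and virtualization-based security's adoption rates are rising and increasingly considered necessary to counter sophisticated threats. This paper introduces Furnace, an open source VMI framework that outperforms prior frameworks by satisfying both a cloud provider's expectation of security and a tenant's desire to run their own custom VMI tools underneath their cloud VMs. Furnace's flexibility and ease of use is demonstrated by porting four existing security and monitoring tools as Furnace VMI apps; these apps are shown to be resource efficient while executing up to 300x faster than those in previous VMI frameworks. Furnace's security properties are shown to protect against the actions of malicious tenant apps.},
}

@article{bushouse_reeves_2018_goalkeeper,
  author       = {Bushouse, Micah and Reeves, Douglas},
  title        = {{Goalkeeper}: Comprehensive Process Enforcement from the Hypervisor},
  journal      = {Computers \& Security},
  volume       = {73},
  pages        = {459--473},
  year         = {2018},
  month        = mar,
  doi          = {10.1016/j.cose.2017.11.020},
  issn         = {1872-6208},
  abstractNote = {Controlling when and how a process runs is essential to the security of a system. In virtualized environments, an out-of-guest approach to process control is attractive because it allows fine-grained in-guest inspection and enforcement from the relative safety of the hypervisor, which makes in-guest misconfiguration by users or deliberate interference by malware more difficult. However, prior work in this area is incomplete, either lacking policy enforcement, missing certain types of malicious code due to insufficient coverage, or being unable to scale to many simultaneous guests. This work introduces Goalkeeper, a hypervisor-based security system that focuses on asynchronous, stateless, and lightweight Virtual Machine Introspection (VMI) techniques to enforce comprehensive guest process security policies at scale across tens to hundreds of guests per hypervisor. Running beneath each guest, Goalkeeper uses policy rules to ensure only whitelisted guest processes are allowed to execute, and terminates policy violators using a customizable set of VMI-based process termination techniques. In an evaluation across a population of 100 Linux virtual desktops, Goalkeeper is shown to catch malicious code that is missed by prior work while imposing a comparable performance overhead.},
}

@inproceedings{bushouse_reeves_2018_hyperagents,
  author       = {Bushouse, Micah and Reeves, Douglas},
  title        = {{Hyperagents}: Migrating Host Agents to the Hypervisor},
  booktitle    = {Proceedings of the Eighth {ACM} Conference on Data and Application Security and Privacy ({CODASPY}'18)},
  pages        = {212--223},
  year         = {2018},
  doi          = {10.1145/3176258.3176317},
  abstractNote = {Third-party software daemons called host agents are increasingly responsible for a modern host's security, automation, and monitoring tasks. Because of their location within the host, these agents are at risk of manipulation by malware and users. Additionally, in virtualized environments where multiple adjacent guests each run their own set of agents, the cumulative resources that agents consume adds up rapidly. Consolidating agents onto the hypervisor can address these problems, but places a technical burden on agent developers. This work presents a development methodology to re-engineer a host agent in to a hyperagent, an out-of-guest agent that gains unique hypervisor-based advantages while retaining its original in-guest capabilities. This three-phase methodology makes integrating Virtual Machine Introspection (VMI) functionality in to existing code easier and more accessible, minimizing an agent developer's re-engineering effort. The benefits of hyperagents are illustrated by porting the GRR live forensics agent, which retains 89% of its codebase, uses 40% less memory than its in-guest counterparts, and enables a 4.9x speedup for a representative data-intensive workload. This work shows that a conventional off-the-shelf host agent can be feasibly transformed into a hyperagent and provide a powerful, efficient tool for defending virtualized systems.},
}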