Virtualized network packet inspection


Detailed description

Saved in:
Bibliographic details
Published in: Computer networks (Amsterdam, Netherlands : 1999), 2024-09, Vol.251, p.110619, Article 110619
Main authors: Shlingbaum, Erez, Yehuda, Raz Ben, Kiperberg, Michael, Zaidenberg, Nezer Jacob
Format: Article
Language: eng
Subjects:
Online access: Full text
Description
Summary: Network-based cyber attacks differ in their objectives, techniques, and levels of sophistication, yet they all maintain communication with their controllers. Current approaches to block unauthorized communication fall short or are susceptible to attacks at the kernel level. Our work showcases the feasibility of clandestine network transmissions across different network interface cards, utilizing solely data writes to physical pages. For certain cards, we employ a code-reuse attack to execute IO instructions. This paper presents Virtualized Packet Inspection (VPI), a virtualization-based solution for preventing malicious communication. VPI is embedded in QEMU-KVM, making it particularly suitable for private clouds. Being integrated into QEMU-KVM, VPI is not vulnerable to kernel-mode attacks. In addition, VPI's ability to monitor the activity of user-mode applications and the network card allows it to block malicious communications initiated by kernel-mode malware. Our evaluation shows that VPI's performance overhead is ≈20% for monitored system calls, and is negligible in other cases.
ISSN: 1389-1286, 1872-7069
DOI: 10.1016/j.comnet.2024.110619