As systems become larger and more complex, optimising the infrastructure for reliability and redundancy becomes imperative. Virtualisation technology seems to have partially fulfilled the needs dictated by growth by redefining the concept of infrastructure and paving the way for new business models such as cloud computing. As a matter of fact, successful low-level attacks can circumvent or disable many of the traditional countermeasures in place within the same target system.
Another trend that, according to the security research community, might be a cause for concern in the near future is the tendency to shift current computer use to remote Internet services. This is making the web browser one of the most significant actors in today’s computer usage. As a consequence, the web browser is gaining more and more attention from attackers, due to its prominent position within the user’s experience. Despite the active contribution of researchers to mitigating the aforementioned security issues, one major challenge to focus on in the immediate future consists in minimising the performance overhead while guaranteeing the highest degree of security. Such a task seems achievable only through the puzzling tradeoff between performance and security that usually sacrifices the former in favour of the latter or vice versa.
This dissertation contributes security mitigation techniques that address the aforementioned challenges. First, we focus on virtualisation technology to tackle the problem of operating system security. A countermeasure that relies on the cooperation between the target system and the virtualisation architecture protects those critical memory locations within the target system that can potentially be compromised. Within the same field, a general framework that protects operating systems by enforcing the execution of trusted code is presented. Secondly, a security measure that improves web browser security against memory corruption attacks is provided.
Disciplines :
Computer science
Author, co-author :
Gadaleta, Francesco ; Université de Liège - ULiège > Dép. d'électric., électron. et informat. (Inst.Montefiore) > Bioinformatique
Language :
English
Title :
Virtualisation-Based Security Countermeasures in Software Runtime Systems