Sevigator: Network Confinement of Malware Applications and Untrusted Operating Systems

Stuxnet worm opened a new era in cybersecurity. This heavily networking virus implemented a new threat: it infects industrial control systems; consequences of the infection might be as gravy as a technogenic catastrophe. Stuxnet performs networking to communicate between instances, contact so called “Stuxnet command and control center”, and upload malicious code to real-time controllers. The virus uses OS exploits to infect a computer and installs its component in OS kernel, gaining full control over infected node. This paper presents Sevigator – a toolkit for network confinement when only trusted application gain access to local network while other application and even OS kernel have no networking at all. Thus Sevigator effectively prevents Stuxnet scenario. Sevigator is based on hardware virtualization support: a custom hypervisor hides network interface card from the OS kernel and delegates network-based system calls of trusted applications to a dedicated service virtual machine. To prevent code injection or data alteration by a malicious kernel code or driver the hypervisor maintains integrity of the trusted applications binaries, shared objects and in-memory data.