Abstract
It is generally believed to be a tedious, time-consuming, and error-prone process to develop a virtual machine introspection (VMI) tool because of the semantic gap. Recent advances show that the semantic gap can be largely narrowed by reusing executed code from a trusted OS kernel. However, such an approach only reuses code that has been exercised during a training process, so it suffers from code coverage issues. Thus, in this article, we present Vmst, a new technique that can seamlessly bridge the semantic gap and automatically generate VMI tools. The key idea is that, through system-wide instruction monitoring, Vmst automatically identifies the introspection-related data in a secure-VM and redirects these data accesses online to the kernel memory of a product-VM, without any training. Vmst offers a number of new features and capabilities. In particular, it enables an in-VM inspection program (e.g., ps) to automatically become an out-of-VM introspection program. We have tested Vmst with over 25 commonly used utilities on top of a number of different OS kernels, including Linux and Microsoft Windows. The experimental results show that our technique is general (largely OS-independent), and that it introduces 9.3X overhead for Linux utilities and 19.6X overhead for Windows utilities on average for the introspected program, compared to native in-VM execution without data redirection.
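As an added illustration (not code from the paper or the Vmst project), the toy model below shows the redirection idea described above: a ps-like walker reads a task list only through a monitored memory interface, and while redirection is on, its kernel-address reads are served from the product-VM image instead of the secure-VM's, so the unmodified in-VM walker reports the other VM's processes. The task-struct layout, addresses, and class names are constructed assumptions, as is the premise that both VMs run the same kernel build so the layout and list head coincide.

```python
import struct

KERNEL_BASE = 0xC0000000   # assumed: kernel addresses live at or above this
TASK_FMT = "<I16sI"        # constructed task struct: pid, name[16], next
TASK_SIZE = struct.calcsize(TASK_FMT)  # 24 bytes


class VM:
    """Flat memory image holding a singly linked task list (constructed layout)."""

    def __init__(self, tasks, base=KERNEL_BASE + 0x1000):
        self.base = base
        self.mem = bytearray(TASK_SIZE * len(tasks))
        for i, (pid, name) in enumerate(tasks):
            # next pointer of the last task is 0, marking the end of the list
            nxt = base + TASK_SIZE * (i + 1) if i + 1 < len(tasks) else 0
            struct.pack_into(TASK_FMT, self.mem, i * TASK_SIZE,
                             pid, name.encode(), nxt)

    def read(self, addr, size):
        off = addr - self.base
        if off < 0 or off + size > len(self.mem):
            raise ValueError(f"unmapped read at {addr:#x}")
        return bytes(self.mem[off:off + size])


class Redirector:
    """Stand-in for the instruction monitor: while the inspection program is
    introspecting, its kernel-data reads are redirected to the product VM."""

    def __init__(self, secure, product):
        self.secure, self.product = secure, product
        self.redirect = False
        self.redirected_reads = 0

    def read(self, addr, size):
        if self.redirect and addr >= KERNEL_BASE:
            self.redirected_reads += 1
            return self.product.read(addr, size)
        return self.secure.read(addr, size)


def ps(monitor, head):
    """In-VM ps: walks the task list via the monitored memory interface only."""
    out, addr = [], head
    while addr:
        pid, name, nxt = struct.unpack(TASK_FMT, monitor.read(addr, TASK_SIZE))
        out.append((pid, name.rstrip(b"\0").decode()))
        addr = nxt
    return out
```

With redirection off, `ps` lists the secure VM's own tasks; turning `monitor.redirect` on makes the same walker list the product VM's tasks without changing a line of `ps`.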
Bridging the Semantic Gap in Virtual Machine Introspection via Online Kernel Data Redirection