Bridging the Semantic Gap in Virtual Machine Introspection via Online Kernel Data Redirection

Published: 01 September 2013

Abstract

Developing a virtual machine introspection (VMI) tool is generally regarded as a tedious, time-consuming, and error-prone process because of the semantic gap. Recent work shows that the semantic gap can be largely narrowed by reusing the executed code of a trusted OS kernel. The limitation of such an approach, however, is that it only reuses the code exercised during a training process, so it suffers from code-coverage problems. In this article we present Vmst, a new technique that seamlessly bridges the semantic gap and automatically generates VMI tools. The key idea is that, through system-wide instruction monitoring, Vmst automatically identifies the introspection-related data accesses of a secure VM and redirects them online to the kernel memory of a product VM, without any training. Vmst offers a number of new features and capabilities. In particular, it allows an in-VM inspection program (e.g., ps) to automatically become an out-of-VM introspection program. We have tested Vmst with over 25 commonly used utilities on top of a number of different OS kernels, including Linux and Microsoft Windows. The experimental results show that our technique is general (largely OS-independent) and that, for the introspected program, it introduces on average 9.3X overhead for Linux utilities and 19.6X overhead for Windows utilities compared to native in-VM execution without data redirection.
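
The mechanism the abstract describes, an unmodified in-VM utility whose kernel-data loads are served from another VM's memory, is easier to see in a small model. The following C program is an added toy example written for this page; it is not Vmst's implementation and none of it is taken from the paper. The identity-mapped memory layout with its code/data/stack split at fixed addresses, the `struct task` layout, the `init_task` address, and the `in_introspection` flag (which stands in for the system-wide instruction monitoring that identifies introspection-related instructions) are all assumptions of the example. It shows the same list-walking "ps" logic returning the secure VM's process list when run natively and the product VM's list when its kernel-data loads are redirected, while stack loads and loads outside the introspection path stay in the secure VM.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy guest memory, identity-mapped (address == array index). The region
   split below is an assumption of the example, not taken from the paper. */
#define MEM_SIZE       0x1000u
#define KDATA_START    0x400u      /* kernel globals + heap: redirectable */
#define KDATA_END      0xC00u
#define KSTACK_START   0xC00u      /* kernel stack: never redirected */
#define INIT_TASK_ADDR KDATA_START /* assumed address of the init_task global */

/* Assumed task layout, identical in both VMs because they run the same
   kernel build; that sameness is what makes redirection meaningful. */
struct task {
    uint32_t pid;
    char     comm[16];
    uint32_t next;   /* guest address of the next task, 0 terminates */
};

static uint8_t secure_vm[MEM_SIZE];
static uint8_t product_vm[MEM_SIZE];

struct vmst_ctx {
    int      in_introspection; /* 1 while executing introspection-related code */
    int      redirect_on;      /* 0: native in-VM run, 1: redirect kernel data */
    unsigned redirected;       /* loads served from product_vm */
};

/* Policy: serve a load from the product VM only if redirection is on, the load
   belongs to the introspection path, and the address is kernel data (not code,
   not stack). Everything else stays in the secure VM. */
static const uint8_t *select_memory(struct vmst_ctx *c, uint32_t addr)
{
    if (c->redirect_on && c->in_introspection &&
        addr >= KDATA_START && addr < KDATA_END) {
        c->redirected++;
        return product_vm;
    }
    return secure_vm;
}

/* Every memory load of the monitored code goes through this hook. */
static void vm_read(struct vmst_ctx *c, uint32_t addr, void *dst, size_t n)
{
    if (addr >= MEM_SIZE || n > MEM_SIZE - addr) { /* out-of-range load */
        memset(dst, 0, n);
        return;
    }
    memcpy(dst, select_memory(c, addr) + addr, n);
}

/* Lay out a singly linked task list starting at `base` inside one VM. */
static void install_tasks(uint8_t *mem, const struct task *t, size_t n, uint32_t base)
{
    for (size_t i = 0; i < n; i++) {
        struct task tmp = t[i];
        tmp.next = (i + 1 < n) ? base + (uint32_t)((i + 1) * sizeof tmp) : 0;
        memcpy(mem + base + i * sizeof tmp, &tmp, sizeof tmp);
    }
}

/* The unmodified "ps" logic: walk from init_task and collect pids. Which VM it
   inspects is decided only by the context its loads execute in. */
static size_t ps_walk(struct vmst_ctx *c, uint32_t *pids, size_t max)
{
    size_t n = 0;
    uint32_t addr = INIT_TASK_ADDR;
    c->in_introspection = 1;
    while (addr != 0 && n < max) {
        struct task t;
        vm_read(c, addr, &t, sizeof t);
        pids[n++] = t.pid;
        addr = t.next;
    }
    c->in_introspection = 0;
    return n;
}

/* Constructed sample state: the two VMs run different process sets. */
static void setup_vms(void)
{
    static const struct task sec[]  = { {1, "init", 0}, {2, "sshd", 0} };
    static const struct task prod[] = { {1, "init", 0}, {3, "httpd", 0}, {4, "cron", 0} };
    memset(secure_vm, 0, sizeof secure_vm);
    memset(product_vm, 0, sizeof product_vm);
    install_tasks(secure_vm, sec, 2, INIT_TASK_ADDR);
    install_tasks(product_vm, prod, 3, INIT_TASK_ADDR);
    secure_vm[KSTACK_START]  = 0xAA; /* stack markers: stack loads must stay local */
    product_vm[KSTACK_START] = 0xBB;
}

int main(void)
{
    struct vmst_ctx in_vm = {0, 0, 0}, out_vm = {0, 1, 0};
    uint32_t pids[8];
    size_t n, i;
    setup_vms();
    for (n = ps_walk(&in_vm, pids, 8), i = 0; i < n; i++)
        printf("in-VM ps (secure VM): pid %u\n", (unsigned)pids[i]);
    for (n = ps_walk(&out_vm, pids, 8), i = 0; i < n; i++)
        printf("out-of-VM ps (product VM): pid %u\n", (unsigned)pids[i]);
    return 0;
}
```

The toy deliberately hides what a real system must handle: deciding at instruction granularity which loads are introspection related (here a flag), translating guest-virtual addresses of the product VM (here identity mapping), and dealing with writes to redirected data, which the model does not support at all. The one property it does make concrete is the one the abstract rests on: the inspection code is unchanged, and only the data it reads is swapped underneath it.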

Published in

ACM Transactions on Information and System Security, Volume 16, Issue 2
September 2013
120 pages
ISSN: 1094-9224
EISSN: 1557-7406
DOI: 10.1145/2516951

Copyright © 2013 ACM

Publisher

Association for Computing Machinery, New York, NY, United States

Publication History

• Published: 1 September 2013
• Accepted: 1 June 2013
• Revised: 1 April 2013
• Received: 1 December 2012

Qualifiers

• research-article
• Research
• Refereed