
Real-time deep virtual machine introspection and its applications

Published: 01 March 2014

Abstract

Virtual Machine Introspection (VMI) provides the ability to monitor virtual machines (VM) in an agentless fashion by gathering VM execution states from the hypervisor and analyzing those states to extract information about a running operating system (OS) without installing an agent inside the VM. VMI's main challenge lies in the difficulty in converting low-level byte string values into high-level semantic states of the monitored VM's OS. In this work, we tackle this challenge by developing a real-time kernel data structure monitoring (RTKDSM) system that leverages the rich OS analysis capabilities of Volatility, an open source computer forensics framework, to significantly simplify and automate analysis of VM execution states. The RTKDSM system is designed as an extensible software framework that is meant to be extended to perform application-specific VM state analysis. In addition, the RTKDSM system is able to perform real-time monitoring of any changes made to the extracted OS states of guest VMs. This real-time monitoring capability is especially important for VMI-based security applications. To minimize the performance overhead associated with real-time kernel data structure monitoring, the RTKDSM system has incorporated several optimizations whose effectiveness is reported in this paper.
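The semantic gap described above, and the change monitoring built on top of it, can be made concrete with a small added example. This is illustration code written for this page; it is not the RTKDSM system, the paper's code, or Volatility. It assumes a toy guest kernel whose process objects are 28 bytes (pid at +0, an embedded {flink, blink} list entry at +4, a 16-byte image name at +12), chained in a circular doubly linked list whose head sits at an assumed address 0x1000, and it treats guest virtual addresses as offsets into a flat buffer. A real VMI tool has to recover those offsets from a kernel profile and walk page tables to translate addresses, which is exactly the work the abstract says Volatility is used for. The walker also checks that each flink's target points back via blink, a cheap data-structure invariant that flags a list a rootkit has unlinked from sloppily; a guest that keeps both pointers consistent (as DKSM-style attacks on the introspector's assumptions do) would not be caught by this check alone.

```python
import struct

# Assumed toy guest layout (an illustration, not the paper's or Volatility's).
HEAD_ADDR = 0x1000                  # assumed address of the kernel process-list head
PID_OFF, FLINK_OFF, BLINK_OFF, NAME_OFF = 0, 4, 8, 12
NAME_LEN = 16
OBJ_SIZE = NAME_OFF + NAME_LEN      # 28-byte process object
LIST_OFF = FLINK_OFF                # the 8-byte {flink, blink} entry lives at +4


def read_u32(mem, addr):
    """Bounds-checked little-endian u32 read from the guest buffer."""
    if addr < 0 or addr + 4 > len(mem):
        raise ValueError(f"read outside guest memory: {addr:#x}")
    return struct.unpack_from("<I", mem, addr)[0]


def write_u32(mem, addr, value):
    struct.pack_into("<I", mem, addr, value)


def next_entry(mem, entry):
    """Follow entry.flink and verify the neighbour's blink points back."""
    nxt = read_u32(mem, entry)
    if read_u32(mem, nxt + 4) != entry:
        raise ValueError(f"flink/blink mismatch at {entry:#x} -> {nxt:#x}")
    return nxt


def walk_process_list(mem):
    """Bridge the semantic gap: raw bytes -> {pid: image name}."""
    procs, seen = {}, set()
    cur = next_entry(mem, HEAD_ADDR)
    while cur != HEAD_ADDR:
        if cur in seen:
            raise ValueError(f"cycle at {cur:#x}")
        seen.add(cur)
        base = cur - LIST_OFF
        pid = read_u32(mem, base + PID_OFF)
        raw = bytes(mem[base + NAME_OFF: base + NAME_OFF + NAME_LEN])
        procs[pid] = raw.split(b"\0", 1)[0].decode("ascii", "replace")
        cur = next_entry(mem, cur)
    return procs


def build_guest_memory(procs, size=0x4000):
    """Constructed guest snapshot: procs is a list of (addr, pid, name) in list order."""
    mem = bytearray(size)
    entries = [HEAD_ADDR] + [addr + LIST_OFF for addr, _, _ in procs]
    for addr, pid, name in procs:
        write_u32(mem, addr + PID_OFF, pid)
        mem[addr + NAME_OFF: addr + NAME_OFF + NAME_LEN] = name.encode()[:NAME_LEN].ljust(NAME_LEN, b"\0")
    for i, e in enumerate(entries):           # link head and objects circularly
        struct.pack_into("<II", mem, e, entries[(i + 1) % len(entries)], entries[i - 1])
    return mem


def unlink_process(mem, addr):
    """Simulate the guest (or a rootkit) removing an object from the list."""
    e = addr + LIST_OFF
    flink, blink = struct.unpack_from("<II", mem, e)
    write_u32(mem, blink, flink)              # prev.flink = next
    write_u32(mem, flink + 4, blink)          # next.blink = prev


def insert_process(mem, addr, pid, name):
    """Simulate the guest creating a process: append before the head."""
    e = addr + LIST_OFF
    last = read_u32(mem, HEAD_ADDR + 4)       # head.blink is the current tail
    write_u32(mem, addr + PID_OFF, pid)
    mem[addr + NAME_OFF: addr + NAME_OFF + NAME_LEN] = name.encode()[:NAME_LEN].ljust(NAME_LEN, b"\0")
    struct.pack_into("<II", mem, e, HEAD_ADDR, last)
    write_u32(mem, last, e)                   # tail.flink = new
    write_u32(mem, HEAD_ADDR + 4, e)          # head.blink = new


def diff_process_states(old, new):
    """Change monitoring over extracted states rather than raw bytes."""
    return {
        "created": {pid: new[pid] for pid in new.keys() - old.keys()},
        "exited": {pid: old[pid] for pid in old.keys() - new.keys()},
        "renamed": {pid: (old[pid], new[pid]) for pid in old.keys() & new.keys()
                    if old[pid] != new[pid]},
    }


def demo():
    """Two polls of the same constructed guest; returns the reported changes."""
    mem = build_guest_memory([(0x2000, 4, "System"), (0x2100, 100, "svchost.exe"),
                              (0x2200, 200, "sshd")])
    before = walk_process_list(mem)
    unlink_process(mem, 0x2200)               # sshd exits
    insert_process(mem, 0x2300, 300, "nc")    # a new process appears
    after = walk_process_list(mem)
    return diff_process_states(before, after)


if __name__ == "__main__":
    print(demo())
```

Polling and diffing the extracted view is the straightforward way to get change notifications; it costs a full list walk per poll, which is the overhead the abstract says RTKDSM's optimizations are designed to cut down.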

