Real-time deep virtual machine introspection and its applications
VEE '14: Proceedings of the 10th ACM SIGPLAN/SIGOPS International Conference on Virtual Execution Environments

Abstract
Virtual Machine Introspection (VMI) provides the ability to monitor virtual machines (VMs) in an agentless fashion: VM execution states are gathered from the hypervisor and analyzed to extract information about the running guest operating system (OS) without installing an agent inside the VM. VMI's main challenge lies in the difficulty of converting low-level byte string values into high-level semantic states of the monitored VM's OS (the semantic gap). In this work, we tackle this challenge by developing a real-time kernel data structure monitoring (RTKDSM) system that leverages the rich OS analysis capabilities of Volatility, an open source computer forensics framework, to significantly simplify and automate analysis of VM execution states. The RTKDSM system is designed as an extensible software framework intended to be extended with application-specific VM state analysis. In addition, the RTKDSM system is able to perform real-time monitoring of any changes made to the extracted OS states of guest VMs. This real-time monitoring capability is especially important for VMI-based security applications, where a change to a kernel data structure must be noticed when it happens rather than at the next periodic scan. To minimize the performance overhead associated with real-time kernel data structure monitoring, the RTKDSM system incorporates several optimizations whose effectiveness is reported in this paper.
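To make the semantic-gap step concrete, here is an added example that is not code from the paper or from Volatility. It applies a Volatility-style profile (field name to offset and type) to a raw guest memory buffer exposed by the hypervisor, walks the kernel's process list, cross-checks it against a signature scan to surface an object that was unlinked from the list, and reports the delta between two extracted states the way a real-time monitor would. The 24-byte `task` layout, the `KERNEL_BASE` address, and the process names are assumptions constructed for the example and do not correspond to any real kernel.

```python
import struct

# Hypothetical guest layout (an assumption for this example, not any real kernel):
#   struct task { uint32_t pid; char comm[16]; uint32_t next; }   /* 24 bytes */
# The "profile" maps field names to (offset, struct format); this is how a
# Volatility-style profile lets generic code interpret raw guest bytes.
TASK_SIZE = 24
PROFILE = {"pid": (0, "<I"), "comm": (4, "16s"), "next": (20, "<I")}
KERNEL_BASE = 0xC0000000          # guest VA at which the constructed image is "mapped"


class GuestMemory:
    """Read-only view of guest memory as a hypervisor exposes it (no in-VM agent)."""

    def __init__(self, image: bytes, base: int):
        self.image, self.base = image, base

    def read(self, va: int, n: int) -> bytes:
        off = va - self.base
        if off < 0 or off + n > len(self.image):
            raise ValueError(f"guest address {va:#x} is outside the mapped image")
        return self.image[off:off + n]


def read_field(mem: GuestMemory, va: int, field: str):
    """Low-level bytes -> typed value via the profile (the semantic-gap step)."""
    off, fmt = PROFILE[field]
    (val,) = struct.unpack(fmt, mem.read(va + off, struct.calcsize(fmt)))
    return val.split(b"\0", 1)[0].decode() if isinstance(val, bytes) else val


def walk_task_list(mem, head_va, max_iter=4096):
    """Follow task.next from the list head. Bounded, cycle-safe and tolerant of a
    dangling pointer, so a corrupted or attacker-manipulated list cannot hang the
    monitor or make it read outside guest memory."""
    procs, seen, va = {}, set(), head_va
    for _ in range(max_iter):
        if va == 0 or va in seen:
            break
        seen.add(va)
        try:
            procs[read_field(mem, va, "pid")] = read_field(mem, va, "comm")
            va = read_field(mem, va, "next")
        except ValueError:          # next pointed outside the image: stop, keep what we have
            break
    return procs


def scan_tasks(mem):
    """Signature scan over every aligned slot: a struct is plausible if its next
    pointer lands on an aligned slot inside the image. Finds objects that exist in
    memory but were unlinked from the list (the classic pslist vs. psscan check)."""
    procs = {}
    end = mem.base + len(mem.image)
    for va in range(mem.base, end, TASK_SIZE):
        nxt = read_field(mem, va, "next")
        if mem.base <= nxt < end and (nxt - mem.base) % TASK_SIZE == 0:
            procs[read_field(mem, va, "pid")] = read_field(mem, va, "comm")
    return procs


def build_image(tasks, unlink=()):
    """Constructed sample data: a circular task list. Pids in `unlink` are laid out
    in memory but skipped by the other entries' next pointers (DKOM-style hiding)."""
    linked = [i for i, (pid, _) in enumerate(tasks) if pid not in unlink]
    blob = b""
    for i, (pid, comm) in enumerate(tasks):
        # a hidden entry keeps a self-pointing next so it still looks like a task
        succ = linked[(linked.index(i) + 1) % len(linked)] if i in linked else i
        blob += struct.pack("<I16sI", pid, comm.encode(), KERNEL_BASE + succ * TASK_SIZE)
    return blob


def diff_states(old, new):
    """Semantic-level delta between two extracted states: what a real-time monitor
    reports instead of raw page-write events."""
    return {"added": sorted(set(new) - set(old)),
            "removed": sorted(set(old) - set(new)),
            "changed": sorted(p for p in set(old) & set(new) if old[p] != new[p])}


def demo():
    base = [(1, "init"), (42, "sshd"), (77, "httpd")]
    later = base + [(88, "nc"), (913, "dropper")]
    snap0 = GuestMemory(build_image(base), KERNEL_BASE)
    snap1 = GuestMemory(build_image(later, unlink={913}), KERNEL_BASE)
    listed0 = walk_task_list(snap0, KERNEL_BASE)
    listed1 = walk_task_list(snap1, KERNEL_BASE)
    hidden = {p: c for p, c in scan_tasks(snap1).items() if p not in listed1}
    return listed0, listed1, diff_states(listed0, listed1), hidden


if __name__ == "__main__":
    for label, value in zip(("before", "after", "delta", "hidden"), demo()):
        print(f"{label}: {value}")
```

Two points carry over to a real system. First, everything the monitor learns comes through `read_field` and the profile; if the guest's structure layout differs from the profile (a different kernel build, or a guest that deliberately shuffles fields as in DKSM-style attacks), the extracted state is silently wrong, so the profile must be pinned to the exact guest kernel. Second, a single list walk is only one view: the scan-versus-walk comparison in `demo()` is what exposes the unlinked process, and a change monitor that diffs only the walked list would never report it.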