[go: up one dir, main page]
More Web Proxy on the site http://driver.im/ skip to main content
research-article

Bridging the Semantic Gap in Virtual Machine Introspection via Online Kernel Data Redirection

Published: 01 September 2013 Publication History

Abstract

It is generally believed to be a tedious, time-consuming, and error-prone process to develop a virtual machine introspection (VMI) tool because of the semantic gap. Recent advance shows that the semantic-gap can be largely narrowed by reusing the executed code from a trusted OS kernel. However, the limitation for such an approach is that it only reuses the exercised code through a training process, which suffers the code coverage issues. Thus, in this article, we present Vmst, a new technique that can seamlessly bridge the semantic gap and automatically generate the VMI tools. The key idea is that, through system wide instruction monitoring, Vmst automatically identifies the introspection related data from a secure-VM and online redirects these data accesses to the kernel memory of a product-VM, without any training. Vmst offers a number of new features and capabilities. Particularly, it enables an in-VM inspection program (e.g., ps) to automatically become an out-of-VM introspection program. We have tested Vmst with over 25 commonly used utilities on top of a number of different OS kernels including Linux and Microsoft Windows. The experimental results show that our technique is general (largely OS-independent), and it introduces 9.3X overhead for Linux utilities and 19.6X overhead for Windows utilities on average for the introspected program compared to the native in-VM execution without data redirection.

References

[1]
Bach, M. J. 1986. The Design of the UNIX Operating System. Prentice Hall.
[2]
Bahram, S., Jiang, X., Wang, Z., Grace, M., Li, J., Srinivasan, D., Rhee, J., and Xu, D. 2010. DKSM: Subverting virtual machine introspection for fun and profit. In Proceedings of the 29th IEEE Symposium on Reliable Distributed Systems.
[3]
Baiardi, F. and Sgandurra, D. 2007. Building trustworthy intrusion detection through vm introspection. In Proceedings of the 3rd International Symposium on Information Assurance and Security. IEEE Computer Society. 209--214.
[4]
Bovet, D. and Cesati, M. 2005. Understanding the Linux Kernel. Oreilly & Associates Inc.
[5]
Caballero, J. and Song, D. 2007. Polyglot: Automatic extraction of protocol format using dynamic binary analysis. In Proceedings of the 14th ACM Conference on Computer and and Communications Security (CCS’07). 317--329.
[6]
Caballero, J., Johnson, N. M., McCamant, S., and Song, D. 2010. Binary code extraction and interface identification for security applications. In Proceedings of the 17th Annual Network and Distributed System Security Symposium (NDSS’10).
[7]
Cadar, C., Ganesh, V., Pawlowski, P. M., Dill, D. L., and Engler, D. R. 2006. Exe: Automatically generating inputs of death. In Proceedings of the 13th ACM Conference on Computer and Communications Security (CCS’06). ACM, 322--335.
[8]
Carbone, M., Cui, W., Lu, L., Lee, W., Peinado, M., and Jiang, X. 2009. Mapping kernel objects to enable systematic integrity checking. In Proceedings of the 16th ACM Conference on Computer and Communications Security (CCS’09). ACM, 555--565.
[9]
Chen, P. M. and Noble, B. D. 2001. When virtual is better than real. In Proceedings of the 8th Workshop on Hot Topics in Operating Systems.
[10]
Chow, J., Pfaff, B., Christopher, K., and Rosenblum, M. 2004. Understanding data lifetime via whole-system simulation. In Proceedings of the 13th USENIX Security Symposium.
[11]
Cui, W., Peinado, M., Chen, K., Wang, H. J., and Irun-Briz, L. 2008. Tupni: Automatic reverse engineering of input formats. In Proceedings of the 15th ACM Conference on Computer and Communications Security (CCS’08). ACM, 391--402.
[12]
Dinaburg, A., Royal, P., Sharif, M., and Lee, W. 2008. Ether: Malware analysis via hardware virtualization extensions. In Proceedings of the 15th ACM Conference on Computer and Communications Security (CCS’08). ACM, 51--62.
[13]
Dolan-Gavitt, B., Srivastava, A., Traynor, P., and Giffin, J. 2009. Robust signatures for kernel data structures. In Proceedings of the 16th ACM Conference on Computer and Communications Security (CCS’09). ACM, 566--577.
[14]
Dolan-Gavitt, B., Leek, T., Zhivich, M., Giffin, J., and Lee, W. 2011a. Virtuoso: Narrowing the semantic gap in virtual machine introspection. In Proceedings of IEEE Symposium on Security and Privacy. 297--312.
[15]
Dolan-Gavitt, B., Payne, B., and Lee, W. 2011b. Leveraging forensic tools for virtual machine introspection. Tech. rep. GT-CS-11-05.
[16]
Egele, M., Kruegel, C., Kirda, E., Yin, H., and Song, D. 2007. Dynamic spyware analysis. In Proceedings of the USENIX Annual Technical Conference (Usenix’07).
[17]
Forrest, S., Hofmeyr, S. A., Somayaji, A., and Longstaff, T. A. 1996. A sense of self for unix processes. In Proceedings of the IEEE Symposium on Security and Privacy.
[18]
Fu, Y. and Lin, Z. 2012. Space traveling across vm: Automatically bridging the semantic-gap in virtual machine introspection via online kernel data redirection. In Proceedings of the IEEE Symposium on Security and Privacy.
[19]
Garfinkel, T. 2003. Traps and pitfalls: Practical problems in system call interposition based security tools. In In Proceedings of Network and Distributed Systems Security Symposium (NDSS’03). 163--176.
[20]
Garfinkel, T. and Rosenblum, M. 2003. A virtual machine introspection based architecture for intrusion detection. In Proceedings of the Network and Distributed Systems Security Symposium (NDSS’03).
[21]
Godefroid, P., Levin, M., and Molnar, D. 2008. Automated whitebox fuzz testing. In Proceedings of the 15th Annual Network and Distributed System Security Symposium (NDSS’08).
[22]
Gu, Y., Fu, Y., Prakash, A., Lin, Z., and Yin H. 2012. Os-sommelier: Memory-only operating system fingerprinting in the cloud. In Proceedings of the 3rd ACM Symposium on Cloud Computing (SOCC’12).
[23]
Hay, B. and Nance, K. 2008. Forensics examination of volatile system data using virtual introspection. SIGOPS Operat. Syst. Rev. 42, 74--82.
[24]
Hofmann, O. S., Dunn, A. M., Kim, S., Roy, I., and Witchel, E. 2011. Ensuring operating system kernel integrity with oSck. In Proceedings of the International Conference on Architectural Support for Programming Languages and Operating Systems (ASPLOS’11).
[25]
Inoue, H., Adelstein, F., Donovan, M., and Brueckner, S. 2011. Automatically bridging the semantic gap using ac interpreter. In Proceedings of the Annual Symposium on Information Assurance.
[26]
Jiang, X., Wang, X., and Xu, D. 2007. Stealthy malware detection through vmm-based out-of-the-box semantic view reconstruction. In Proceedings of the 14th ACM Conference on Computer and Communications Security (CCS’07). ACM, 128--138.
[27]
Jones, S. T., Arpaci-Dusseau, A. C., and Arpaci-Dusseau, R. H. 2006. Antfarm:tracking processes in a virtual machine environment. In Proceedings of the USENIX Annual Technical Conference (Usenix’06).
[28]
Jones, S. T., Arpaci-Dusseau, A. C., and Arpaci-Dusseau, R. H. 2008. Vmm-based hidden process detection and identification using lycosid. In Proceedings of the 4th ACM SIGPLAN/SIGOPS International Conference on Virtual Execution Environments.
[29]
Kolbitsch, C., Holz, T., Kruegel, C., and Kirda, E. 2010. Inspector gadget: Automated extraction of proprietary gadgets from malware binaries. In Proceedings of the IEEE Security and Privacy.
[30]
Lin, Z., Jiang, X., Xu, D., and Zhang, X. 2008. Automatic protocol format reverse engineering through context-aware monitored execution. In Proceedings of the 15th Annual Network and Distributed System Security Symposium (NDSS’08).
[31]
Lin, Z., Zhang, X., and Xu, D. 2010a. Automatic reverse engineering of data structures from binary execution. In Proceedings of the 17th Annual Network and Distributed System Security Symposium (NDSS’10).
[32]
Lin, Z., Zhang, X., and Xu, D. 2010b. Reuse-oriented camouflaging trojan: Vulnerability detection and attack construction. In Proceedings of the 40th Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN-DCCS 2010).
[33]
Lin, Z., Rhee, J., Zhang, X., Xu, D., and Jiang, X. 2011. SIGGRAPH: Brute force scanning of kernel data structure instances using graph-based signatures. In Proceedings of the 18th Annual Network and Distributed System Security Symposium (NDSS’11).
[34]
Luk, C.-K., Cohn, R., Muth, R., Patil, H., Klauser, A., Lowney, G., Wallace, S., Reddi, V. J., and Hazelwood, K. 2005. Pin: Building customized program analysis tools with dynamic instrumentation. In Proceedings of the ACM SIGPLAN Conference on Programming Language Design and Implementation (PLDI’05). ACM, 190--200.
[35]
Newsome, J. and Song, D. 2005. Dynamic taint analysis for automatic detection, analysis, and signature generation of exploits on commodity software. In Proceedings of the 14th Annual Network and Distributed System Security Symposium (NDSS’05).
[36]
Payne, B. D., Carbone, M., and Lee, W. 2007. Secure and flexible monitoring of virtual machines. In Proceedings of the 23rd Annual Computer Security Applications Conference (ACSAC 2007).
[37]
Payne, B. D., Carbone, M., Sharif, M. I., and Lee, W. 2008. Lares: An architecture for secure active monitoring using virtualization. In Proceedings of the IEEE Symposium on Security and Privacy. IEEE, 233--247.
[38]
Petroni, N. L., Jr. and Hicks, M. 2007. Automated detection of persistent kernel control-flow attacks. In Proceedings of the 14th ACM Conference on Computer and Communications Security (CCS’07). ACM, 103--115.
[39]
Petroni, N. L., Jr., Fraser, T., Molina, J., and Arbaugh, W. A. 2004. Copilot - A coprocessor-based kernel runtime integrity monitor. In Proceedings of the 13th USENIX Security Symposium. USENIX, 179--194.
[40]
Portokalidis, G., Slowinska, A., and Bos, H. 2006. Argos: An emulator for fingerprinting zero-day attacks. In Proceedings of the 1st ACM SIGOPS/EuroSys European Conference on Computer Systems.
[41]
Provos, N. 2003. Improving host security with system call policies. In Proceedings of the 12th USENIX Security Symposium. USENIX, 257--272.
[42]
QEMU: An open source processor emulator. http://www.qemu.org/.
[43]
Riley, R., Jiang, X., and Xu, D. 2008. Guest-transparent prevention of kernel rootkits with VMM-based memory shadowing. In Proceedings of Recent Advances in Intrusion Detection (RAID’08). 1--20.
[44]
Sekar, R. Classification and grouping of linux system calls. http://seclab.cs.sunysb.edu/sekar/papers/syscallclassif.htm.
[45]
Srinivasan, D., Wang, Z., Jiang, X., and Xu, D. 2011. Process out-grafting: An efficient ”out-of-vm” approach for fine-grained process execution monitoring. In Proceedings of the 18th ACM conference on Computer and communications security (CCS’11). ACM, 363--374.
[46]
Srivastava, A. and Giffin, J. 2008. Tamper-resistant, application-aware blocking of malicious network connections. In Proceedings of the 11th international symposium on Recent Advances in Intrusion Detection (RAID’08). 39--58.
[47]
VProbe:a VMI framework. http://communities.vmware.com/community/vmtn/developer/forums/vprobes.
[48]
Walters, A. The volatility framework: Volatile memory artifact extraction utility framework. https://www.volatilesystems.com/default/volatility.
[49]
Wang, Y.-M., Beck, D., Vo, B., Roussev, R., and Verbowski, C. 2005. Detecting stealth software with strider ghostbuster. In Proceedings of the International Conference on Dependable Systems and Networks.
[50]
Wondracek, G., Milani, P., Kruegel, C., and Kirda, E. 2008. Automatic network protocol analysis. In Proceedings of the 15th Annual Network and Distributed System Security Symposium (NDSS’08).
[51]
Xed: X86 encoder decoder. http://www.pintool.org/docs/24110/Xed/html/.
[52]
Xiong, X., Tian, D., and Liu, P. 2011. Practical protection of kernel integrity for commodity OS from untrusted extensions. In Proceedings of the 18th Annual Network and Distributed System Security Symposium (NDSS’11).
[53]
Yin, H. and Song, D. 2010. Temu: Binary code analysis via whole-system layered annotative execution. Tech. rep. UCB/EECS-2010-3, EECS Department, University of California, Berkeley.
[54]
Yin, H., Song, D., Manuel, E., Kruegel, C., and Kirda, E. 2007. Panorama: Capturing system-wide information flow for malware detection and analysis. In Proceedings of the 14th ACM Conferences on Computer and Communication Security (CCS’07).

Cited By

View all
  • (2023)Travelling the Hypervisor and SSD: A Tag-Based Approach Against Crypto Ransomware with Fine-Grained Data RecoveryProceedings of the 2023 ACM SIGSAC Conference on Computer and Communications Security10.1145/3576915.3616665(341-355)Online publication date: 15-Nov-2023
  • (2022)Implementation of Block-Level Double Encryption Based on Machine Learning Techniques for Attack Detection and PreventionWireless Communications & Mobile Computing10.1155/2022/42552202022Online publication date: 1-Jan-2022
  • (2018)Leveraging KVM Events to Detect Cache-Based Side Channel Attacks in a Virtualization EnvironmentSecurity and Communication Networks10.1155/2018/42162402018Online publication date: 1-Jan-2018
  • Show More Cited By

Recommendations

Comments

Please enable JavaScript to view thecomments powered by Disqus.

Information & Contributors

Information

Published In

cover image ACM Transactions on Information and System Security
ACM Transactions on Information and System Security  Volume 16, Issue 2
September 2013
120 pages
ISSN:1094-9224
EISSN:1557-7406
DOI:10.1145/2516951
Issue’s Table of Contents
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 01 September 2013
Accepted: 01 June 2013
Revised: 01 April 2013
Received: 01 December 2012
Published in TISSEC Volume 16, Issue 2

Permissions

Request permissions for this article.

Check for updates

Qualifiers

  • Research-article
  • Research
  • Refereed

Contributors

Other Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

  • Downloads (Last 12 months)15
  • Downloads (Last 6 weeks)1
Reflects downloads up to 11 Dec 2024

Other Metrics

Citations

Cited By

View all
  • (2023)Travelling the Hypervisor and SSD: A Tag-Based Approach Against Crypto Ransomware with Fine-Grained Data RecoveryProceedings of the 2023 ACM SIGSAC Conference on Computer and Communications Security10.1145/3576915.3616665(341-355)Online publication date: 15-Nov-2023
  • (2022)Implementation of Block-Level Double Encryption Based on Machine Learning Techniques for Attack Detection and PreventionWireless Communications & Mobile Computing10.1155/2022/42552202022Online publication date: 1-Jan-2022
  • (2018)Leveraging KVM Events to Detect Cache-Based Side Channel Attacks in a Virtualization EnvironmentSecurity and Communication Networks10.1155/2018/42162402018Online publication date: 1-Jan-2018
  • (2018)Who Watches the WatchmenACM Computing Surveys10.1145/319967351:4(1-34)Online publication date: 13-Jul-2018
  • (2018)HyperagentsProceedings of the Eighth ACM Conference on Data and Application Security and Privacy10.1145/3176258.3176317(212-223)Online publication date: 13-Mar-2018
  • (2018)Automated multi-level malware detection system based on reconstructed semantic view of executables using machine learning techniques at VMMFuture Generation Computer Systems10.1016/j.future.2017.06.00279:P1(431-446)Online publication date: 1-Feb-2018
  • (2015)A Survey on Hypervisor-Based MonitoringACM Computing Surveys10.1145/277511148:1(1-33)Online publication date: 10-Aug-2015
  • (2014)Mixed-Mode Malware and Its AnalysisProceedings of the 4th Program Protection and Reverse Engineering Workshop10.1145/2689702.2689703(1-12)Online publication date: 9-Dec-2014

View Options

Login options

Full Access

View options

PDF

View or Download as a PDF file.

PDF

eReader

View online with eReader.

eReader

Media

Figures

Other

Tables

Share

Share

Share this Publication link

Share on social media