DOI: 10.1145/1346256.1346269

VMM-based hidden process detection and identification using Lycosid

Published: 05 March 2008

Abstract

Use of stealth rootkit techniques to hide long-lived malicious processes is a current and alarming security issue. In this paper, we describe, implement, and evaluate a novel VMM-based hidden process detection and identification service called Lycosid that is based on the cross-view validation principle. Like previous VMM-based security services, Lycosid benefits from its protected location. In contrast to previous VMM-based hidden process detectors, Lycosid obtains guest process information implicitly. Using implicit information reduces its susceptibility to guest evasion attacks and decouples it from specific guest operating system versions and patch levels. The implicit information Lycosid depends on, however, can be noisy and unreliable. Statistical inference techniques like hypothesis testing and linear regression allow Lycosid to trade time for accuracy. Despite low quality inputs, Lycosid provides a robust, highly accurate service usable even in security environments where the consequences for wrong decisions can be high.
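The abstract describes the mechanism only at a high level: a guest-side process list is compared against an implicit VMM-side view, the comparison is noisy, and a hypothesis test is run over repeated samples so that more observation time buys fewer wrong decisions. The following Python sketch is an added illustration of that cross-view check, not code from the paper or its authors. It uses Wald's sequential probability ratio test as the hypothesis test; the per-sample probabilities, error thresholds, the noise model, and the sample stream are all assumptions chosen for the demonstration.

```python
"""Cross-view hidden-process detection with a sequential hypothesis test.

Added illustration, not Lycosid's code. The guest-side view is what the OS
reports (e.g. a task-list walk); the VMM-side view is an implicit count of
live address spaces inferred from page-table activity, which is noisy.
Probabilities, thresholds and the sample stream below are assumptions.
"""
import math
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class SprtConfig:
    # Assumed per-sample probability that the implicit VMM count exceeds the
    # guest count when nothing is hidden (noise only) vs. when one is hidden.
    p_noise: float = 0.2
    p_hidden: float = 0.8
    alpha: float = 0.01  # tolerated false-positive rate
    beta: float = 0.01   # tolerated false-negative rate


def cross_view_observations(samples):
    """Map (vmm_count, guest_count) pairs to 1 (VMM saw more) or 0 (did not)."""
    return [1 if vmm > guest else 0 for vmm, guest in samples]


def sprt_decide(observations, cfg=SprtConfig()):
    """Wald's sequential probability ratio test over Bernoulli observations.

    Accumulates the log-likelihood ratio of 'hidden' vs 'clean' and stops as
    soon as either Wald boundary is crossed. Tighter alpha/beta push the
    boundaries out and consume more samples: time traded for accuracy.
    Returns (verdict, samples_consumed).
    """
    upper = math.log((1 - cfg.beta) / cfg.alpha)
    lower = math.log(cfg.beta / (1 - cfg.alpha))
    step_hit = math.log(cfg.p_hidden / cfg.p_noise)
    step_miss = math.log((1 - cfg.p_hidden) / (1 - cfg.p_noise))
    llr = 0.0
    for n, obs in enumerate(observations, start=1):
        llr += step_hit if obs else step_miss
        if llr >= upper:
            return "hidden", n
        if llr <= lower:
            return "clean", n
    return "undecided", len(observations)


def simulate_samples(n, hidden, visible=40, seed=0):
    """Constructed sample stream (assumption, not measured data).

    The guest view reports exactly the visible processes. The implicit VMM
    view adds one for a hidden process plus -1/0/+1 of noise from address
    spaces being created or torn down mid-sample. With this noise model the
    chance that the VMM count exceeds the guest count is 0.8 when a process
    is hidden and 0.2 when none is, matching SprtConfig's assumed values.
    """
    rng = random.Random(seed)
    out = []
    for _ in range(n):
        noise = rng.choice([-1, 0, 0, 0, 1])
        out.append((visible + (1 if hidden else 0) + noise, visible))
    return out


if __name__ == "__main__":
    for hidden in (False, True):
        obs = cross_view_observations(simulate_samples(200, hidden))
        verdict, used = sprt_decide(obs)
        print(f"hidden={hidden}: verdict={verdict} after {used} samples")
```

The part a practitioner should scrutinise before trusting such a detector is the noise model: p_noise and p_hidden are what make the error bounds alpha and beta meaningful, and they have to be measured on the real VMM-side view, not assumed as they are here. A guest that can drive the implicit view's noise rate up (for example by rapidly creating and destroying address spaces) pushes the test toward "undecided", which is why the verdict must be treated as a third outcome rather than collapsed into "clean".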

    Published In

    VEE '08: Proceedings of the fourth ACM SIGPLAN/SIGOPS international conference on Virtual execution environments
    March 2008
    190 pages
    ISBN: 9781595937964
    DOI: 10.1145/1346256

    Publisher

    Association for Computing Machinery

    New York, NY, United States

    Author Tags

    1. inference
    2. security
    3. virtual machine

    Qualifiers

    • Research-article

    Conference

    VEE '08

    Acceptance Rates

    VEE '08 Paper Acceptance Rate 18 of 57 submissions, 32%;
    Overall Acceptance Rate 80 of 235 submissions, 34%

    Cited By

    • (2022) Critical Path Analysis through Hierarchical Distributed Virtualized Environments Using Host Kernel Tracing. IEEE Transactions on Cloud Computing 10(2):774-791. doi:10.1109/TCC.2019.2953258. Online: 1 Apr 2022
    • (2022) Cloud-BlackBox: Toward practical recording and tracking of VM swarms for multifaceted cloud inspection. Future Generation Computer Systems 137:219-233. doi:10.1016/j.future.2022.07.002. Online: Dec 2022
    • (2022) Multi-layered Monitoring for Virtual Machines. System Dependability and Analytics, 99-140. doi:10.1007/978-3-031-02063-6_6. Online: 26 Jul 2022
    • (2021) Host-Based Virtual Machine Workload Characterization Using Hypervisor Trace Mining. ACM Transactions on Modeling and Performance Evaluation of Computing Systems 6(1):1-25. doi:10.1145/3460197. Online: 8 Jun 2021
    • (2021) A Coprocessor-based Introspection Framework via Intel Management Engine. IEEE Transactions on Dependable and Secure Computing. doi:10.1109/TDSC.2021.3071092. Online: 2021
    • (2020) Towards Non-Intrusive Software Introspection and Beyond. 2020 IEEE International Conference on Cloud Engineering (IC2E), 173-184. doi:10.1109/IC2E48712.2020.00025. Online: Apr 2020
    • (2020) A Taxonomy of Hypervisor Forensic Tools. Advances in Digital Forensics XVI, 181-199. doi:10.1007/978-3-030-56223-6_10. Online: 6 Aug 2020
    • (2019) High-Performance Memory Snapshotting for Real-Time, Consistent, Hypervisor-Based Monitors. IEEE Transactions on Dependable and Secure Computing. doi:10.1109/TDSC.2018.2805904. Online: 2019
    • (2019) Host Hypervisor Trace Mining for Virtual Machine Workload Characterization. 2019 IEEE International Conference on Cloud Engineering (IC2E), 102-112. doi:10.1109/IC2E.2019.00024. Online: Jun 2019
    • (2019) Nighthawk: Transparent System Introspection from Ring -3. Computer Security – ESORICS 2019, 217-238. doi:10.1007/978-3-030-29962-0_11. Online: 15 Sep 2019
