DOI: 10.1145/3274694.3274698

Hiding in the Shadows: Empowering ARM for Stealthy Virtual Machine Introspection

Published: 03 December 2018

Abstract

ARM has become the leading processor architecture for mobile and IoT devices, and it has recently started to claim a bigger slice of the server market as well. It will therefore not be long before malware targets the ARM architecture more regularly. Stealthy operation of Virtual Machine Introspection (VMI) is thus a prerequisite for successfully analyzing and proactively mitigating this growing threat. Stealthy VMI has proven well suited to malware analysis on Intel's architecture, yet it often lacks the foundation required to be equally effective on ARM.

References

[1]
ARM. 2017. ARM Architecture Reference Manual, ARMv8 for ARMv8-A Architecture Profile (DDI 0487C.a).
[2]
Davide Balzarotti, Marco Cova, Christoph Karlberger, Engin Kirda, Christopher Kruegel, and Giovanni Vigna. 2010. Efficient Detection of Split Personalities in Malware. In ISOC Network and Distributed System Security Symposium (NDSS).
[3]
Bitdefender. 2018. Bitdefender. http://www.bitdefender.com/.
[4]
Robert Buhren, Julian Vetter, and Jan Nordholz. 2016. The Threat of Virtualization: Hypervisor-Based Rootkits on the ARM Architecture.
[5]
Peter M. Chen and Brian D. Noble. 2001. When Virtual Is Better Than Real. In USENIX Workshop on Hot Topics in Operating Systems (HotOS).
[6]
Xu Chen, Jon Andersen, Z Morley Mao, Michael Bailey, and Jose Nazario. 2008. Towards an Understanding of Anti-Virtualization and Anti-Debugging Behavior in Modern Malware. In Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN).
[7]
Zhui Deng, Xiangyu Zhang, and Dongyan Xu. 2013. SPIDER: Stealthy Binary Program Instrumentation and Debugging via Hardware Virtualization. In Annual Computer Security Applications Conference (ACSAC).
[8]
Artem Dinaburg, Paul Royal, Monirul Sharif, and Wenke Lee. 2008. Ether: Malware Analysis via Hardware Virtualization Extensions. In ACM Conference on Computer and Communications Security (CCS).
[9]
Ferrie, Peter. 2007. Attacks on More Virtual Machine Emulators. Symantec Technology Exchange (2007).
[10]
FireEye. 2018. FireEye. https://www.fireeye.com/.
[11]
Tal Garfinkel, Keith Adams, Andrew Warfield, and Jason Franklin. 2007. Compatibility Is Not Transparency: VMM Detection Myths and Realities. In USENIX Workshop on Hot Topics in Operating Systems (HotOS).
[12]
Tal Garfinkel and Mendel Rosenblum. 2003. A Virtual Machine Introspection Based Architecture for Intrusion Detection. In ISOC Network and Distributed System Security Symposium (NDSS).
[13]
Xinyang Ge, Hayawardh Vijayakumar, and Trent Jaeger. 2014. SPROBES: Enforcing Kernel Code Integrity on the TrustZone Architecture. In IEEE Mobile Security Technologies Workshop (MoST).
[14]
Tamas K Lengyel. 2016. Stealthy Monitoring With Xen Altp2m. https://blog.xenproject.org/2016/04/13/stealthy-monitoring-with-xen-altp2m.
[15]
Tamas K. Lengyel, Thomas Kittel, and Claudia Eckert. 2015. Virtual Machine Introspection With Xen on ARM. In Workshop on Security in highly connected IT systems (SHCIS).
[16]
Tamas K Lengyel, Thomas Kittel, Jonas Pfoh, and Claudia Eckert. 2014. Multi-Tiered Security Architecture for ARM via the Virtualization and Security Extensions. In International Workshop on Database and Expert Systems Applications (DEXA).
[17]
Tamas K Lengyel, Steve Maresca, Bryan D. Payne, George D. Webster, Sebastian Vogl, and Aggelos Kiayias. 2014. Scalability, Fidelity and Stealth in the DRAKVUF Dynamic Malware Analysis System. In Annual Computer Security Applications Conference (ACSAC).
[18]
LibVMI. 2018. LibVMI Virtual Machine Introspection. http://libvmi.com.
[19]
Linux Foundation. 2018. Xen Project. https://www.xenproject.org/.
[20]
Litty, Lionel and Lagar-Cavilla, H. Andrés and Lie, David. 2008. Hypervisor Support for Identifying Covertly Executing Binaries. In USENIX Security Symposium.
[21]
Zhenyu Ning and Fengwei Zhang. 2017. Ninja: Towards transparent tracing and debugging on arm. In USENIX Security Symposium.
[22]
PaX Project. 2018. Pageexec. http://pax.grsecurity.net/docs/pageexec.txt.
[23]
Bryan D Payne, Martim Carbone, Monirul Sharif, and Wenke Lee. 2008. Lares: An Architecture for Secure Active Monitoring Using Virtualization. In IEEE Symposium on Security and Privacy (S&P).
[24]
Jonas Pfoh, Christian Schneider, and Claudia Eckert. 2011. Nitro: Hardware-Based System Call Tracing for Virtual Machines. In International Workshop on Advances in Information and Computer Security (IWSEC).
[25]
Sergej Proskurin, Julian Kirsch, and Apostolis Zarras. 2018. Follow the WhiteRabbit: Towards Consolidation of On-the-Fly Virtualization and Virtual Machine Introspection. In IFIP International Conference on ICT Systems Security and Privacy Protection (IFIP SEC).
[26]
Rekall Forensics. 2018. Advanced Forensic and Incident Response Framework. http://www.rekall-forensic.com/.
[27]
Hao Shi, Abdulla Alwabel, and Jelena Mirkovic. 2014. Cardinal Pill Testing of System Virtual Machines. In USENIX Security Symposium.
[28]
Sherri Sparks and Jamie Butler. 2005. Shadow Walker: Raising the Bar for Rootkit Detection. Black Hat, Japan (2005).
[29]
Kimberly Tam, Salahuddin J Khan, Aristide Fattori, and Lorenzo Cavallaro. 2015. CopperDroid: Automatic Reconstruction of Android Malware Behaviors. In ISOC Network and Distributed System Security Symposium (NDSS).
[30]
The Linux Kernel. 2018. Ftrace -- Function Tracer. https://www.kernel.org/doc/Documentation/trace/ftrace.txt.
[31]
Jacob Torrey. 2014. MoRE Shadow Walker: TLB-splitting on Modern X86. Black Hat, USA (2014).
[32]
VMRay. 2018. VMRay GmbH. https://www.vmray.com.
[33]
Sebastian Vogl, Fatih Kilic, Christian Schneider, and Claudia Eckert. 2013. X-Tier: Kernel Module Injection. In International Conference on Network and System Security (NSS).
[34]
Glenn Wurster, Paul C van Oorschot, and Anil Somayaji. 2005. A Generic Attack on Checksumming-Based Software Tamper Resistance. In IEEE Symposium on Security and Privacy (S&P).
[35]
Xen Project. 2018. Xen Security Advisory 203. https://xenbits.xen.org/xsa/advisory-203.html.
[36]
Xen Project. 2018. Xen Security Advisory 204. https://xenbits.xen.org/xsa/advisory-204.html.
[37]
Lok Kwong Yan and Heng Yin. 2012. DroidScope: Seamlessly Reconstructing the OS and Dalvik Semantic Views for Dynamic Android Malware Analysis. In USENIX Security Symposium.
[38]
Fengwei Zhang, Kevin Leach, Angelos Stavrou, Haining Wang, and Kun Sun. 2015. Using Hardware Features for Increased Debugging Transparency. In IEEE Symposium on Security and Privacy (S&P).
[39]
Fengwei Zhang, Kevin Leach, Kun Sun, and Angelos Stavrou. 2013. SPECTRE: A Dependable Introspection Framework via System Management Mode. In Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN).

    Published In

ACSAC '18: Proceedings of the 34th Annual Computer Security Applications Conference, December 2018, 766 pages. ISBN: 9781450365697. DOI: 10.1145/3274694.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].

In-Cooperation: ACSA (Applied Computing Security Assoc)

Publisher: Association for Computing Machinery, New York, NY, United States

Qualifiers

• Research-article
• Research
• Refereed limited

Conference

ACSAC '18. Overall acceptance rate: 104 of 497 submissions (21%).

Article Metrics

• Downloads (last 12 months): 18
• Downloads (last 6 weeks): 2
Reflects downloads up to 04 Jan 2025.

Cited By

• (2024) Active and passive virtual machine introspection on AMD and ARM processors. Journal of Systems Architecture: the EUROMICRO Journal 149:C. DOI: 10.1016/j.sysarc.2024.103101. Online publication date: 1 Apr 2024.
• (2023) Designing Robust API Monitoring Solutions. IEEE Transactions on Dependable and Secure Computing 20(1):392-406. DOI: 10.1109/TDSC.2021.3133729. Online publication date: 1 Jan 2023.
• (2023) Retrofitting AMD x86 Processors with Active Virtual Machine Introspection Capabilities. Architecture of Computing Systems, pp. 168-182. DOI: 10.1007/978-3-031-42785-5_12. Online publication date: 26 Aug 2023.
• (2022) You shall not (by)pass! Proceedings of the Seventeenth European Conference on Computer Systems, pp. 266-282. DOI: 10.1145/3492321.3519560. Online publication date: 28 Mar 2022.
• (2022) Retrofitting LBR Profiling to Enhance Virtual Machine Introspection. IEEE Transactions on Information Forensics and Security 17:2311-2323. DOI: 10.1109/TIFS.2022.3183409. Online publication date: 2022.
• (2022) Improving Transparency of Hardware Breakpoints with Virtual Machine Introspection. 2022 12th International Congress on Advanced Applied Informatics (IIAI-AAI), pp. 113-117. DOI: 10.1109/IIAIAAI55812.2022.00031. Online publication date: Jul 2022.
• (2021) SEVerity: Code Injection Attacks against Encrypted Virtual Machines. 2021 IEEE Security and Privacy Workshops (SPW), pp. 444-455. DOI: 10.1109/SPW53761.2021.00063. Online publication date: May 2021.
• (2021) CloudSkulk: A Nested Virtual Machine Based Rootkit and Its Detection. 2021 51st Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN), pp. 350-362. DOI: 10.1109/DSN48987.2021.00047. Online publication date: Jun 2021.
• (2021) Efficient DLP-visor: An efficient hypervisor-based DLP. 2021 IEEE/ACM 21st International Symposium on Cluster, Cloud and Internet Computing (CCGrid), pp. 344-355. DOI: 10.1109/CCGrid51090.2021.00044. Online publication date: May 2021.
• (2020) Towards a Resilient Server with an external VMI in the Virtualization Environment. EMITTER International Journal of Engineering Technology 8(1):49-66. DOI: 10.24003/emitter.v8i1.468. Online publication date: 2 Jun 2020.
