DKSM: Subverting virtual machine introspection for fun and profit

Proceedings of the IEEE Symposium on Reliable Distributed Systems

Volumn , Issue , 2010, Pages 82-91

  Bahram, Sina ^a   Jiang, Xuxian ^a   Wang, Zhi ^a   Grace, Mike ^a   Li, Jinku ^a   Srinivasan, Deepa ^a   Rhee, Junghwan ^b   Xu, Dongyan ^b  

^a NORTH CAROLINA STATE UNIVERSITY   (United States)

^b PURDUE UNIVERSITY   (United States)

Author keywords

Direct kernel structure manipulation; Introspection; Virtualization

Indexed keywords

INTROSPECTION; KERNEL STRUCTURE; SEMANTIC GAP; VIRTUAL MACHINE INTROSPECTION; VIRTUAL MACHINES; VIRTUALIZATIONS;

DATA STRUCTURES; PROFITABILITY; SEMANTICS;

COMPUTER SIMULATION;

EID: 78650574143     PISSN: 10609857     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1109/SRDS.2010.39     Document Type: Conference Paper

References (25)

1. Volatile systems. https://www.volatilesystems.com.
2. Xenaccess library. http://code.google.com/p/xenaccess/.
3. M. Abadi, M. Budiu, U. Erlingsson, and J. Ligatti. Control-flow integrity principles, implementations, and applications. ACM Trans. Inf. Syst. Secur., 13(1):1-40, 2009.
4. Advanced Micro Devices. AMD64 Architecture Programmer's Manual Volume 3: General-Purpose and System Instructions, 3.14 edition, September 2007.
5. F. Baiardi, D. Cilea, D. Sgandurra, and F. Ceccarelli. Measuring semantic integrity for remote attestation. In Proc. of the 2nd Conference on Trusted Computing, 2009.
6. A. Baliga, V. Ganapathy, and L. Iftode. Automatic inference and enforcement of kernel data structure invariants. In Proc. of the 2008 ACSAC, pages 77-86, Washington, DC, 2008.
7. E. Buchanan, R. Roemer, H. Shacham, and S. Savage. When Good Instructions Go Bad: Generalizing Return-Oriented Programming to RISC. In Proc. of the 15th ACM CCS, 2008.
8. M. Carbone, W. Cui, L. Lu, W. Lee, M. Peinado, and X. Jiang. Mapping Kernel Objects to Enable Systematic Integrity Checking. In Proc. of the 16th ACM CCS, 2009.
9. P. M. Chen and B. D. Noble. When virtual is better than real. In Proc. of the 8th HotOS Workshop, 2001.
10. B. Dolan-Gavitt, A. Srivastava, P. Traynor, and J. Giffin. Robust Signatures for Kernel Data Structures. In Proc. of the 16th ACM CCS, pages 566-577, 2009.
11. T. Garfinkel and M. Rosenblum. A Virtual Machine Introspection Based Architecture for Intrusion Detection. In Proc. of the 2003 NDSS, February 2003.
12. R. Hund, T. Holz, and F. Freiling. Return-Oriented Rootkits: Bypasssing Kernel Code Integrity Protection Mechanisms. In Proc. of the 18th USENIX Security Symposium, 2009.
13. X. Jiang, X. Wang, and D. Xu. Stealthy Malware Detection through VMM-based "Out-of-the-Box" Semantic View Reconstruction. In Proc. of the 14th ACM CCS, 2007.
14. S. T. Jones, A. C. Arpaci-Dusseau, and R. H. Arpaci-Dusseau. Antfarm: Tracking Processes in a Virtual Machine Environment. In Proc. of the 2006 USENIX Annual Technical Conference, Berkeley, CA, 2006.
15. L. Litty, H. A. Lagar-Cavilla, and D. Lie. Hypervisor Support for Identifying Covertly Executing Binaries. In Proc. of the 17th conference on Security symposium, 2008.
16. K. Nance, M. Bishop, and B. Hay. Virtual Machine Introspection: Observation or Interference? IEEE Security and Privacy, 6(5):32-37, 2008.
17. N. L. Petroni, Jr. and M. Hicks. Automated Detection of Persistent Kernel Control-Flow Attacks. In Proc. of the 14th ACM CCS, 2007.
18. R. Riley, X. Jiang, and D. Xu. An Architectural Approach to Preventing Code Injection Attacks. In Proc. of the 37th DSN, pages 30-40, 2007.
19. R. Riley, X. Jiang, and D. Xu. Guest-Transparent Prevention of Kernel Rootkits with VMM-Based Memory Shadowing. In Proc. of the 11th RAID, 2008.
20. H. Shacham. The Geometry of Innocent Flesh on the Bone: Return-into-libc without Function Calls (on the x86). In Proc. of the 14th ACM CCS. ACM, 2007.
21. M. I. Sharif, W. Lee, W. Cui, and A. Lanzi. Secure in-VM Monitoring using Hardware Virtualization. In Proc. of the 16th ACM CCS, 2009.
22. S. Sparks and J. Butler. Shadow Walker: Raising the Bar For Windows Rootkit Detection. Phrack, 11(63), 2005.
23. A. Srivastava and J. Giffin. Tamper-Resistant, Application-Aware Blocking of Malicious Network Connections. In Proc. of the 11th RAID, Berlin, Heidelberg, 2008.
24. P. C. van Oorschot, A. Somayaji, and G.Wurster. Hardware-Assisted Circumvention of Self-Hashing Software Tamper Resistance. IEEE Trans. Dependable Secur. Comput., 2(2):82-92, 2005. (Pubitemid 41259858)
25. VMware. VMware VMsafe Security Technology. http://www.vmware.com/ technical-resources/security/vmsafe.html.