Virtuoso: Narrowing the semantic gap in virtual machine introspection

Proceedings - IEEE Symposium on Security and Privacy

Volumn , Issue , 2011, Pages 297-312

  Dolan Gavitt, Brendan ^a   Leek, Tim ^b   Zhivich, Michael ^b   Giffin, Jonathon ^a   Lee, Wenke ^a  

^a Georgia Institute of Technology   (United States)

^b MIT LINCOLN LABORATORY   (United States)

Author keywords

[No Author keywords available]

Indexed keywords

INTRUSION DETECTION; NETWORK SECURITY; SEMANTICS;

'CURRENT; DYNAMIC TRACES; GUEST OPERATING SYSTEMS; INTRUSION-DETECTION; MALWARE ANALYSIS; MEMORY ANALYSIS; SECURITY APPLICATION; SECURITY SOLUTIONS; SEMANTIC GAP; VIRTUAL MACHINE INTROSPECTION;

VIRTUAL MACHINE;

EID: 80051981742     PISSN: 10816011     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1109/SP.2011.11     Document Type: Conference Paper

References (34)

1. S. Bahram, X. Jiang, Z. Wang, M. Grace, J. Li, D. Srinivasan, J. Rhee, and D. Xu. DKSM: Subverting virtual machine introspection for fun and profit. IEEE Symposium on Reliable Distributed Systems, 2010.
2. P. Barham, B. Dragovic, K. Fraser, S. Hand, T. Harris, A. Ho, R. Neugebauer, I. Pratt, and A. Warfield. Xen and the art of virtualization. In ACM Symposium on Operating System Principles (SOSP), 2003.
3. U. Bayer, P. Milani Comparetti, C. Hlauscheck, C. Kruegel, and E. Kirda. Scalable, Behavior-Based Malware Clustering. In Network and Distributed System Security Symposium (NDSS), San Diego, CA, 2009.
4. F. Bellard. QEMU, a fast and portable dynamic translator. In USENIX Annual Technical Conference (USENIX ATC), Anaheim, CA, 2005.
5. J. Caballero, N. M. Johnson, S. McCamant, and D. Song. Binary code extraction and interface identification for security applications. In Network and Distributed Systems Security Symposium (NDSS), San Diego, CA, 2010.
6. S. Checkoway, A. J. Feldman, B. Kantor, J. A. Halderman, E. W. Felten, and H. Shacham. Can DREs provide long-lasting security? The case of return-oriented programming and the AVC Advantage. In Electronic Voting Technology / Workshop on Trustworthy Elections (EVT/WOTE), Montreal, Canada, 2009.
7. A. Dinaburg, P. Royal, M. Sharif, and W. Lee. Ether: malware analysis via hardware virtualization extensions. In ACM Computer and Communications Security, Alexandria, VA, 2008.
8. B. Dolan-Gavitt, A. Srivastava, P. Traynor, and J. Giffin. Robust signatures for kernel data structures. In ACM Computer and Communications Security (CCS), Chicago, IL, 2009.
9. F-Secure. Rootkit: W32/HacDef description. http://www.f-secure.com/v- descs/hacdef.shtml.
10. T. Garfinkel. Traps and pitfalls: Practical problems in in system call interposition based security tools. In Network and Distributed Systems Security Symposium (NDSS), San Diego, CA, 2003.
11. T. Garfinkel and M. Rosenblum. A virtual machine introspection based architecture for intrusion detection. In Network and Distributed Systems Security Symposium (NDSS), San Diego, CA, 2003.
12. Haiku OS project. http://haiku-os.org/.
13. X. Jiang, D. Xu, and X. Wang. Stealthy malware detection through VMM-based "out-of-the-box" semantic view reconstruction. In ACM Computer and Communications Security (CCS), Alexandria, VA, 2007.
14. A. Joshi, S. T. King, G. W. Dunlap, and P. M. Chen. Detecting past and present intrusions through vulnerability-specific predicates. In ACM Symposium on Operating Systems Principles (SOSP), 2005.
15. C. Kolbitsch, P. M. Comparetti, C. Kruegel, E. Kirda, X. Zhou, and X. Wang. Effective and efficient malware detection at the end host. In USENIX Security Symposium, Montreal, Canada, 2009.
16. C. Kolbitsch, T. Holz, C. Kruegel, and E. Kirda. Inspector Gadget: Automated extraction of proprietary gadgets from malware binaries. In IEEE Symposium on Security and Privacy, Oakland, CA, 2010.
17. B. Korel and J. Laski. Dynamic program slicing. Information Processing Letters, 29(3):155 - 163, 1988.
18. A. Lanzi, M. I. Sharif, and W. Lee. K-tracer: A system for extracting kernel malware behavior. In Network and Distributed Systems Security Symposium (NDSS), San Diego, CA, 2009.
19. M. Laureano, C. Maziero, and E. Jamnhour. Intrusion detection in virtual machine environments. In Euromicro Conference, 2004.
20. J. Lee, T. Avgerinos, and D. Brumley. TIE: Principled reverse engineering of types in binary programs. In Network and Distributed System Security Symposium (NDSS), San Diego, CA, 2011.
21. Z. Lin, X. Zhang, and D. Xu. Automatic reverse engineering of data structures from binary execution. In Network and Distributed System Security Symposium (NDSS), San Diego, CA, 2010.
22. C. Linn and S. Debray. Obfuscation of executable code to improve resistance to static disassembly. In ACM Computer and Communications Security (CCS), Washington, D.C., 2003.
23. Microsoft Corporation. RtlAllocateHeap on MSDN. http://msdn.microsoft. com/en-us/library/ff552108(VS.85).aspx.
24. Microsoft Corporation. Windows research kernel. http://www.microsoft.com/ resources/sharedsource/windowsacademic/researchkernelkit.mspx.
25. Mission Critical Linux. Core analysis suite (crash). http://www. missioncriticallinux.com/projects/crash/.
26. B. D. Payne, M. Carbone, and W. Lee. Secure and flexible monitoring of virtual machines. In Annual Computer Security Applications Conference (ACSAC), Miami Beach, FL, 2007.
27. B. D. Payne, M. Carbone, M. Sharif, and W. Lee. Lares: An architecture for secure active monitoring using virtualization. In IEEE Symposium on Security and Privacy, Oakland, CA, 2008.
28. N. L. Petroni, Jr., T. Fraser, J. Molina, and W. A. Arbaugh. Copilot - a coprocessor-based kernel runtime integrity monitor. In USENIX Security Symposium, San Diego, CA, 2004.
29. H. Shacham. The geometry of innocent flesh on the bone: return-into-libc without function calls (on the x86). In ACM Computer and Communications Security (CCS), Alexandria, VA, 2007.
30. A. Slowinska, T. Stancescu, and H. Bos. Towards precise data structure recognition in stripped binaries. In Network and Distributed System Security Symposium (NDSS), San Diego, CA, 2011.
31. A. Srivastava and J. Giffin. Tamper-resistant, application-aware blocking of malicious network connections. Recent Advances in Intrusion Detection, 2008.
32. A. Walters. The Volatility framework: Volatile memory artifact extraction utility framework. https://www.volatilesystems.com/default/volatility.
33. Z. Wang, X. Jiang, W. Cui, and X. Wang. Countering persistent kernel rootkits through systematic hook discovery. In Recent Advances in Intrusion Detection, Cambridge, MA, 2008.
34. C. Willems, T. Holz, and F. Freiling. Toward automated dynamic malware analysis using CWSandbox. IEEE Security & Privacy, 5(2), March 2007.