Process out-grafting: An efficient "Out-of-VM" approach for fine-grained process execution monitoring

Proceedings of the ACM Conference on Computer and Communications Security

Volumn , Issue , 2011, Pages 363-374

  Srinivasan, Deepa ^a   Wang, Zhi ^a   Jiang, Xuxian ^a   Xu, Dongyan ^b  

^a NORTH CAROLINA STATE UNIVERSITY   (United States)

^b PURDUE UNIVERSITY   (United States)

Author keywords

Process monitoring; Semantic gap; Virtualization

Indexed keywords

ANTI-MALWARE; ARCHITECTURAL APPROACH; BENCHMARK PROGRAMS; EVALUATION RESULTS; EXECUTION MONITORING; MALWARES; MONITORING TOOLS; PROCESS EXECUTION; SECURITY SOFTWARE; SECURITY TOOLS; SEMANTIC GAP; SYSTEM CALLS; VIRTUAL MACHINES; VIRTUALIZATIONS; VULNERABLE SYSTEMS;

COMPUTER CRIME; COMPUTER SOFTWARE; GRAFTING (CHEMICAL); PROCESS CONTROL; PROCESS MONITORING; SEMANTICS; VIRTUAL REALITY;

SECURITY OF DATA;

EID: 80755144012     PISSN: 15437221     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1145/2046707.2046751     Document Type: Conference Paper

References (40)

1. Kaiten. http://packetstormsecurity.org/irc/kaiten.c. [last accessed: May 2011].
2. Kernel Virtual Machine. http://www.linux-kvm.org. [last accessed: May 2011].
3. McAfee Threats Report: Fourth Quarter 2010. http://www.mcafee.com/us/ resources/reports/rp-quarterly-threat-q4-2010.pdf. [last accessed: May 2011].
4. QEMU. http://www.qemu.org. [last accessed: May 2011].
5. UPX: The Ultimate Packer for eXecutables. http://upx.sourceforge.net. [last accessed: May 2011].
6. ADAMS, K., AND AGESEN, O. A Comparison of Software and Hardware Techniques for x86 Virtualization. In Proceedings of the 12th International Conference on Architectural Support for Programming Languages and Operating Systems (2006).
7. AMD. AMD-V Nested Paging. AMD White Paper (2008).
8. AZAB, A. M., NING, P., SEZER, E. C., AND ZHANG, X. HIMA: A Hypervisor-Based Integrity Measurement Agent. In Proceedings of the 25th Annual Computer Security Applications Conference (2009).
9. BAYER, U., KRUEGEL, C, AND KIRDA, E. TTAnalyze: A Tool for Analyzing Malware. In Proceedings of the 15th Annual Conference of the European Institute for Computer Antivirus Research (2006).
10. CKER CHIUEH, T., CONOVER, M., LU, M., AND MONTAGUE, B. Stealthy Deployment and Execution of In-Guest Kernel Agents. In BlackHat 2009.
11. DINABURG, A., ROYAL, P., SHARIF, M., AND LEE, W. Ether: Malware Analysis via Hardware Virtualization Extensions. In Proceedings of the 15th ACM Conference on Computer and Communications Security (2008).
12. DOLAN-GAVITT, B., LEEK, T., ZHIVICH, M., GIFFIN, J., AND LEE, W. Virtuoso: Narrowing the Semantic Gap in Virtual Machine Introspection. In Proceedings of the 32nd IEEE Symposium on Security and Privacy (2011).
13. FORREST, S., HOFMEYR, S., AND SOMAYAJI, A. The Evolution of System-Call Monitoring. In Proceedings of the 24th Annual Computer Security Applications Conference (2008).
14. GARFINKEL, T., PFAFF, B., AND ROSENBLUM, M. Ostia: A Delegating Architecture for Secure System Call Interposition. In Proceedings of the 11th Annual Network and Distributed System Security Symposium (2004).
15. GARFINKEL, T., AND ROSENBLUM, M. A Virtual Machine Introspection Based Architecture for Intrusion Detection. In Proceedings of the 10th Annual Network and Distributed Systems Security Symposium (2003).
16. GOLDBERG, I., WAGNER, D., THOMAS, R., AND BREWER, E. A. A Secure Environment for Untrusted Helper Applications: Confining the Wily Hacker. In Proceedings of the 6th USENIX Security Symposium (1996).
17. Guo, F., FERRIE, P., AND CHIUEH, T.-c. A Study of the Packer Problem and Its Solutions. In Proceedings of the 11th International Symposium on Recent Advances in Intrusion Detection. (2008).
18. INTEL. Intel Virtualization Technology: Hardware Support for Efficient Processor Virtualization. Intel(R) Technology Journal 10, 3 (2006).
19. INTEL. Intel 64 and IA-32 Architectures Software Developers Manual Volume 3: System Programming Guide, Part 1 and Part 2, (2010).
20. JIANG, X., AND WANG, X. "Out-of-the-Box" Monitoring of VM-Based High-Interaction Honeypots. In Proceedings of the 10th International Symposium on Recent Advances in Intrusion Detection (2007).
21. JIANG, X., WANG, X., AND XU, D. Stealthy Malware Detection through VMM-based "Out-of-the-Box" Semantic View Reconstruction. In Proceedings of the 14th ACM Conference on Computer and Communications Security (2007).
22. Gu, Z., DENG, Z., XU, D., AND JIANG, X. Process Implanting: A New Active Introspection Framework for Virtualization. In Proceedings of the 30th IEEE Symposium on Reliable Distributed Systems (2011).
23. JOSHI, A., KING, S. T., DUNLAP, G. W., AND CHEN, P. M. Detecting Past and Present Intrusions through Vulnerability-specific Predicates. In Proceedings of the 20th ACM Symposium on Operating Systems Principles (2005).
24. KING, S. T., AND CHEN, P. M. Backtracking Intrusions. In Proceedings of the 19th ACM Symposium on Operating Systems Principles (2003).
25. KLEIN, G., ELPHINSTONE, K., HEISER, G., ANDRONICK, J., COCK, D., DERRIN, P., ELKADUWE, D., ENGELHARDT, K., KOLANSKI, R., NORRISH, M., SEWELL, T., TUCH, H., AND WINWOOD, S. seL4: Formal Verification of an OS Kernel. In Proceedings of the 22nd Symposium on Operating Systems Principles (2009).
26. MARTIGNONI, L., CHRISTODORESCU, M., AND JHA, S. OmniUnpack: Fast, Generic, and Safe Unpacking of Malware. In Proceedings of the 23rd Annual Computer Security Applications Conference (2007).
27. MARTIGNONI, L., PALEARI, R., AND BRUSCHI, D. A Framework for Behavior-Based Malware Analysis in the Cloud. In Proceedings of the 5th International Conference on Information Systems Security (2009).
28. NUTTALL, M. A Brief Survey of Systems Providing Process or Object Migration Facilities. ACM SIGOPS Operating Systems Review 28 (1994).
29. OSMAN, S., SUBHRAVETI, D., SU, G., AND NIEH, J. The Design and Implementation of Zap: a System for Migrating Computing Environments. ACM SIGOPS Operating Systems Review 36 (2002).
30. PAYNE, B., DE CARBONE, M., AND LEE, W. Secure and Flexible Monitoring of Virtual Machines. In Proceedings of the 23rd Annual Computer Security Applications Conference (2007).
31. PAYNE, B. D., CARBONE, M., SHARIF, M., AND LEE, W. Lares: An Architecture for Secure Active Monitoring Using Virtualization. In Proceedings of the 29th IEEE Symposium on Security and Privacy (2008).
32. PROVOS, N. Improving Host Security with System Call Policies. In Proceedings of the 12th USENIX Security Symposium (2003).
33. ROYAL, P., HALPIN, M., DAGON, D., EDMONDS, R., AND LEE, W. PolyUnpack: Automating the Hidden-Code Extraction of Unpack-Executing Malware. In Proceedings of the 22nd Annual Computer Security Applications Conference (2006).
34. SHARIF, M. I., LEE, W., CUI, W., AND LANZI, A. Secure In-VM Monitoring Using Hardware Virtualization. In Proceedings of the 16th ACM Conference on Computer and Communications Security (2009).
35. SMITH, J. M. A survey of process migration mechanisms. ACM SIGOPS Operating Systems Review 22 (1988).
36. SMITH, J. M. The Design and Implementation of Berkeley Lab's Linux Checkpoint/Restart. Berkeley Lab Technical Report (2002).
37. SRIVASTAVA, A., AND GIFFIN, J. Tamper-Resistant, Application-Aware Blocking of Malicious Network Connections. In Proceedings of the 11th International Symposium on Recent Advances in Intrusion Detection (2008).
38. SRIVASTAVA, A., AND GlFFIN, J. Efficient Monitoring of Untrusted Kernel-mode Execution. In Proceedings of the 18th Annual Network and Distributed Systems Security Symposium (2011).
39. TA-MIN, R., LITTY, L., AND LIE, D. Splitting Interfaces: Making Trust between Applications and Operating Systems Configurable. In Proceedings of the 7th Symposium on Operating Systems Design and Implementation (2006).
40. WANG, Z., AND JIANG, X. HyperSafe: A Lightweight Approach to Provide Lifetime Hypervisor Control-Flow Integrity. Proceedings of the 31st IEEE Symposium on Security and Privacy (2010).