Maitland: Lighter-weight VM introspection to support cyber-security in the cloud

Proceedings - 2012 IEEE 5th International Conference on Cloud Computing, CLOUD 2012

Volumn , Issue , 2012, Pages 471-478

  Benninger, Chris ^a   Neville, Stephen W ^a   Yazir, Yaǧiz Onat ^a   Matthews, Chris ^a   Coady, Yvonne ^a  

^a UNIVERSITY OF VICTORIA   (Canada)

Author keywords

clouds; malware; VM introspection

Indexed keywords

CLOSE INTEGRATION; CYBER SECURITY; HYPERVISOR; MALICIOUS SOFTWARE; MALWARE DETECTION; MALWARES; PARAVIRTUALIZATION; PROOF OF CONCEPT; RUNTIMES; SECURITY AND PRIVACY ISSUES; VIRTUAL MACHINES; VM INTROSPECTION;

CLOUD COMPUTING; CLOUDS;

COMPUTER CRIME;

EID: 84866766411     PISSN: None     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1109/CLOUD.2012.145     Document Type: Conference Paper

References (40)

1. C. Economics, "2005 Malware Report: Executive Summary," 2006, http://www.computereconomics.com/article.cfm?id=1090.
2. Gunter and Ollmann, "The evolution of commercial malware development kits and colour-by-numbers custom malware," Computer Fraud and Security, vol. 2008, no. 9, pp. 4-7, 2008. [Online]. Available: http://www.sciencedirect. com/science/article/pii/S1361372308701350
3. J. Rutkowska and A. Tereshkin, "Bluepilling the Xen Hypervisor," Black Hat USA, 2008.
4. S. King, P. Chen, C. Verbowski, H. Wang, and J. Lorch, "SubVirt: Implementing malware with virtual machines," 2006 IEEE Symposium on Security and Privacy (S&P'06), pp. 314-327, 2006.
5. T. Ristenpart, E. Tromer, H. Shacham, and S. Savage, "Hey, you, get off of my cloud: exploring information leakage in third-party compute clouds," in Proceedings of the 16th ACM conference on Computer and communications security, ser. CCS '09. New York, NY, USA: ACM, 2009, pp. 199-212. [Online]. Available: http://doi.acm.org/10.1145/1653662.1653687
6. C. Willems, T. Holz, and F. Freiling, "Toward Automated Dynamic Malware Analysis Using CWSandbox," IEEE Security and Privacy Magazine, vol. 5, no. 2, pp. 32-39, Mar. 2007.
7. T. Garfinkel and M. Rosenblum, "A virtual machine introspection based architecture for intrusion detection," in Proc. Network and Distributed Systems Security Symposium, February 2003.
8. X. Jiang, X. Wang, and D. Xu, "Stealthy malware detection through vmm-based "out-of-the-box" semantic view reconstruction," in Proceedings of the 14th ACM conference on Computer and communications security, ser. CCS '07. New York, NY, USA: ACM, 2007, pp. 128-138. [Online]. Available: http://doi.acm.org/10.1145/1315245.1315262
9. A. Dinaburg, P. Royal, M. Sharif, and W. Lee, "Ether : Malware Analysis via Hardware Virtualization Extensions," Analysis, pp. 51-62, 2008.
10. A. Moser, C. Kruegel, and E. Kirda, "Exploring Multiple Execution Paths for Malware Analysis," 2007 IEEE Symposium on Security and Privacy SP 07, vol. 0, pp. 231-245, 2007.
11. A. Stepan, "Improving proactive detection of packed malware." Virus Bulletin, vol. 1, no. March, 2006.
12. F. Guo, P. Ferrie, and T. Chiueh, "A study of the packer problem and its solutions," in Recent Advances in Intrusion Detection. Springer, 2008, pp. 98-115.
13. P. Bustamante, "Mal(ware)formation statistics," 2007, http://research.pandasecurity.com/malwareformation-statistics.
14. M. Sharif, V. Yegneswaran, H. Saidi, P. Porras, and W. Lee, "Eureka: A framework for enabling static malware analysis," Computer Security-ESORICS 2008, pp. 481-500, 2008.
15. K. Timm, "Malware Validation Techniques," 2010, http://blogs.cisco.com/security/malware validation techniques/.
16. G. Taha, "Counterattacking the packers," McAfee Avert Labs, Aylesbury, UK, 2007.
17. Kaspersky, "Virus.Win32.Sality.bh," 2011, http://www. securelist.com/en/descriptions/15312802/Virus.Win32.Sality.bh\#doc1.
18. J. Larimer, S. Researcher, and I. B. M. X-force, "An inside look at Stuxnet," Agenda, 2009.
19. M. Fossi, G. Egan, K. Haley, E. Johnson, T. Mack, T. Adams, J. Blackbird, L. Mo King, D. Mazurek, D. McKinney, and P. Wood, "Symantec Internet Security Threat Report: Trend for 2010," internet security threat, vol. 16, no. April, 2011.
20. M. Oberhumer, M.F. and J. ar, L., Reiser, "UPX: the Ultimate Packer for eXecutables (2007)," 2007, http://upx.sourceforge.net/.
21. Oreans Technologies, "Themida," http://www.oreans.com/.
22. ASPack Software, "ASPack," http://www.aspack.com/.
23. D. M. Chess and S. R. White, "An Undetectable Computer Virus," in Virus Bulletin Conference. Citeseer, 2000.
24. M. R. Chouchane and A. Lakhotia, "Using engine signature to detect metamorphic malware," Proceedings of the 4th ACM workshop on Recurring malcode - WORM '06, p. 73, 2006.
25. D. Bruschi, L. Martignoni, and M. Monga, "Code Normalization for Self-Mutating Malware," Ieee Security And Privacy, vol. 5, no. 2, pp. 46-54, 2007.
26. Fred and Cohen, "Computer viruses: Theory and experiments," Computers and Security, vol. 6, no. 1, pp. 22-35, 1987. [Online]. Available: http://www.sciencedirect.com/science/article/pii/0167404887901222
27. L. Litty, H. A. Lagar-Cavilla, and D. Lie, "Hypervisor support for identifying covertly executing binaries," in Proceedings of the 17th conference on Security symposium. Berkeley, CA, USA: USENIX Association, 2008, pp. 243-258.
28. Amazon, "Amazon EC2 FAQs," 2011, http://aws.amazon.com/ec2/ faqs/.
29. StratusLab, "EC2, Xen and Paravirtualization," http://stratuslab.eu/doku.php/ec2 xen and paravirtualization.
30. P. J. Salzman, M. Burian, and O. Pomerantz, "Talking to Device Files (writes and IOCTLs)," http://linux.die.net/lkmpg/x892.html.
31. D. Chisnall, "The definitive guide to the xen hypervisor," Journal of the Electrochemical Society, vol. 129, p. 2865, 2007.
32. J. Pfoh, C. Schneider, and C. Eckert, "A formal model for virtual machine introspection," Conference on Computer and Communications Security, pp. 1-10, 2009.
33. L. Martignoni, M. Christodorescu, and S. Jha, "OmniUnpack: Fast, Generic, and Safe Unpacking of Malware," Twenty-Third Annual Computer Security Applications Conference (ACSAC 2007), pp. 431-441, Dec. 2007.
34. M. G. Kang, P. Poosankam, and H. Yin, "Renovo : A Hidden Code Extractor for Packed Executables," October, pp. 46-53, 2007.
35. I. Corporation, "Intel 64 and IA-32 Architectures Software Developer s Manual Combined Volumes :," Architecture, no. October, 2011.
36. D. Quist, V. Smith, and O. Computing, "Detecting the Presence of Virtual Machines Using the Local Data Table," Offensive Computing-packetstormsecurity.org, 2006.
37. J. Rutkowska, "Redpill," 2004, http://www.invisiblethings.org/ papers/redpill.html.
38. T. Ooura, "Ooura's Mathematical Software Packages," 2006, http://www.kurims.kyoto-u.ac.jp/~ooura/.
39. J.-l. Gailly and M. Adler, "The gzip home page," http://www.gzip.org/.
40. B. Fitzgibbons, "The Linux slab allocator," 2000.