Space traveling across VM: Automatically bridging the semantic gap in virtual machine introspection via online kernel data redirection

Proceedings - IEEE Symposium on Security and Privacy

Volumn , Issue , 2012, Pages 586-600

  Fu, Yangchun ^a   Lin, Zhiqiang ^a  

^a The University of Texas at Dallas   (United States)

Author keywords

[No Author keywords available]

Indexed keywords

COMPUTER OPERATING SYSTEMS; NETWORK SECURITY; VIRTUAL MACHINE;

AM GENERALS; DATA ACCESS; ERROR-PRONE PROCESS; INSPECTION PROGRAMS; KERNEL MEMORY; LINUX KERNEL; SEMANTIC GAP; TOOL GENERATION; VIRTUAL MACHINE INTROSPECTION;

SEMANTICS;

EID: 84876945112     PISSN: 10816011     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1109/SP.2012.40     Document Type: Conference Paper

References (43)

1. T. Garfinkel and M. Rosenblum, "A virtual machine introspection based architecture for intrusion detection," in Proc. Network and Distributed Systems Security Symposium (NDSS'03), February 2003.
2. M. Rosenblum and T. Garfinkel, "Virtual machine monitors: Current technology and future trends," IEEE Computer, May 2005.
3. B. D. Payne, M. Carbone, and W. Lee, "Secure and flexible monitoring of virtual machines," in Proc. of the 23rd Annual Computer Security Applications Conference (ACSAC 2007), December 2007.
4. B. D. Payne, M. Carbone, M. I. Sharif, and W. Lee, "Lares: An architecture for secure active monitoring using virtualization," in Proc. of 2008 IEEE Symposium on Security and Privacy, May 2008.
5. X. Jiang, X. Wang, and D. Xu, "Stealthy malware detection through vmm-based out-of-the-box semantic view reconstruction," in Proc. of the 14th ACM Conference on Computer and Communications Security (CCS'07), October 2007.
6. A. Dinaburg, P. Royal, M. Sharif, and W. Lee, "Ether: malware analysis via hardware virtualization extensions," in Proc. of the 15th ACM conference on Computer and communications security (CCS'08), October 2008.
7. D. Srinivasan, Z. Wang, X. Jiang, and D. Xu, "Process out-grafting: an efficient "out-of-vm" approach for fine-grained process execution monitoring," in Proc. of the 18th ACM conference on Computer and communications security (CCS'11), October 2011.
8. B. Hay and K. Nance, "Forensics examination of volatile system data using virtual introspection," SIGOPS Operating System Review, vol. 42, pp. 74-82, April 2008.
9. P. M. Chen and B. D. Noble, "When virtual is better than real," in Proc. of the 8th Workshop on HotOS, 2001.
10. N. L. Petroni, Jr., T. Fraser, J. Molina, and W. A. Arbaugh, "Copilot - A coprocessor-based kernel runtime integrity monitor," in Proc. of the 13th USENIX Security Symposium, August 2004.
11. F. Baiardi and D. Sgandurra, "Building trustworthy intrusion detection through vm introspection," in Proc. of the Third International Symposium on Information Assurance and Security. 2007.
12. T. Garfinkel, "Traps and pitfalls: Practical problems in system call interposition based security tools," in Proc. of Network and Distributed Systems Security Symposium (NDSS'03), February 2003.
13. B. Dolan-Gavitt, T. Leek, M. Zhivich, J. Giffin, and W. Lee, "Virtuoso: Narrowing the semantic gap in virtual machine introspection," in Proc. of 2011 IEEE Symposium on Security and Privacy, May 2011.
14. J. Caballero, N. M. Johnson, S. McCamant, and D. Song, "Binary code extraction and interface identification for security applications," in Proc. of the 17th Annual Network and Distributed System Security Symposium (NDSS'10), February 2010.
15. C. Kolbitsch, T. Holz, C. Kruegel, and E. Kirda, "Inspector gadget: Automated extraction of proprietary gadgets from malware binaries," in Proc. of 2010 IEEE Security and Privacy, May 2010.
16. D. Bovet and M. Cesati, Understanding The Linux Kernel. Oreilly & Associates Inc, 2005.
17. M. J. Bach, The Design of the UNIX Operating System. Prentice Hall, 1986.
18. J. Chow, B. Pfaff, K. Christopher, and M. Rosenblum, "Understanding data lifetime via whole-system simulation," in Proc. of the 13th USENIX Security Symposium, 2004.
19. J. Newsome and D. Song, "Dynamic taint analysis for automatic detection, analysis, and signature generation of exploits on commodity software," in Proc. of the 14th Annual Network and Distributed System Security Symposium (NDSS'05), February 2005.
20. M. Egele, C. Kruegel, E. Kirda, H. Yin, and D. Song, "Dynamic spyware analysis," in Proc. of the 2007 USENIX Annual Technical Conference (Usenix'07), June 2007.
21. H. Yin, D. Song, E. Manuel, C. Kruegel, and E. Kirda, "Panorama: Capturing system-wide information flow for malware detection and analysis," in Proc. of the 14th ACM Conferences on Computer and Communication Security (CCS'07), October 2007.
22. S. Forrest, S. A. Hofmeyr, A. Somayaji, and T. A. Longstaff, "A sense of self for unix processes," in Proc. of the 1996 IEEE Symposium on Security and Privacy, May 1996.
23. N. Provos, "Improving host security with system call policies," in Proc. of the 12th USENIX Security Symposium, August 2003.
24. R. Sekar, "Classification and grouping of linux system calls," http://seclab.cs.sunysb.edu/sekar/papers/syscallclassif.htm.
25. "QEMU: an open source processor emulator," http://www.qemu.org/ .
26. H. Yin and D. Song, "Temu: Binary code analysis via whole-system layered annotative execution," EECS Department, University of California, Berkeley, Tech. Rep. UCB/EECS-2010-3, January 2010.
27. "Xed: X86 encoder decoder," http://www.pintool.org/docs/24110/ Xed/html/.
28. C.-K. Luk, R. Cohn, R. Muth, H. Patil, A. Klauser, G. Lowney, S. Wallace, V. J. Reddi, and K. Hazelwood, "Pin: Building customized program analysis tools with dynamic instrumentation," in Proc. of ACM SIGPLAN PLDI 2005.
29. Z. Lin, X. Zhang, and D. Xu, "Automatic reverse engineering of data structures from binary execution," in Proc. of the 17th Annual Network and Distributed System Security Symposium (NDSS'10), February 2010.
30. B. Dolan-Gavitt, A. Srivastava, P. Traynor, and J. Giffin, "Robust signatures for kernel data structures," in Proc. of the 16th ACM Conference on Computer and Communications Security (CCS'09). October 2009.
31. Z. Lin, J. Rhee, X. Zhang, D. Xu, and X. Jiang, "Siggraph: Brute force scanning of kernel data structure instances using graph-based signatures," in Proc. of the 18th Annual Network and Distributed System Security Symposium (NDSS'11), February 2011.
32. A. Walters, "The Volatility framework: Volatile memory artifact extraction utility framework," https://www.volatilesystems.com/default/ volatility
33. S. Bahram, X. Jiang, Z. Wang, M. Grace, J. Li, D. Srinivasan, J. Rhee, and D. Xu, "Dksm: Subverting virtual machine introspection for fun and profit," in Proc. of the 29th IEEE Symposium on Reliable Distributed Systems, 2010.
34. Z. Lin, X. Zhang, and D. Xu, "Reuse-oriented camouflaging trojan: Vulnerability detection and attack construction," in Proc. of the 40th Annual IEEE/IFIP International Conference on Dependable Systems and Networks, June 2010.
35. H. Inoue, F. Adelstein, M. Donovan, and S. Brueckner, "Automatically bridging the semantic gap using a c interpreter," in Proc. of the 2011 Annual Symposium on Information Assurance, June 2011.
36. C. Cadar, V. Ganesh, P. M. Pawlowski, D. L. Dill, and D. R. Engler, "Exe: Automatically generating inputs of death," in Proc. of the 13th ACM Conference on Computer and Communications Security (CCS'06). October 2006.
37. P. Godefroid, M. Levin, and D. Molnar, "Automated whitebox fuzz testing," in Proc. of the 15th Annual Network and Distributed System Security Symposium (NDSS'08), February 2008.
38. J. Caballero, H. Yin, Z. Liang, and D. Song, "Polyglot: Automatic extraction of protocol format using dynamic binary analysis," in Proc. of the 14th ACM Conference on Computer and and Communications Security (CCS'07), October 2007.
39. W. Cui, M. Peinado, K. Chen, H. J. Wang, and L. Irun-Briz, "Tupni: Automatic reverse engineering of input formats," in Proc. of the 15th ACM Conference on Computer and Communications Security (CCS'08), October 2008.
40. Z. Lin, X. Jiang, D. Xu, and X. Zhang, "Automatic protocol format reverse engineering through context-aware monitored execution," in Proc. of the 15th Annual Network and Distributed System Security Symposium (NDSS'08), February 2008.
41. G. Wondracek, P. Milani, C. Kruegel, and E. Kirda, "Automatic Network Protocol Analysis," in Proc. of the 15th Annual Network and Distributed System Security Symposium (NDSS'08), February 2008.
42. B. Dolan-Gavitt, B. Payne, and W. Lee, "Leveraging forensic tools for virtual machine introspection," Technical Report; GT-CS-11-05, 2011.
43. M. Carbone, W. Cui, L. Lu, W. Lee, M. Peinado, and X. Jiang, "Mapping kernel objects to enable systematic integrity checking," in Proc. of the 16th ACM Conference on Computer and Communications Security (CCS'09), October 2009.