Bridging the semantic gap in virtual machine introspection via online kernel data redirection

ACM Transactions on Information and System Security

Volumn 16, Issue 2, 2013, Pages

  Fu, Yangchun ^a   Lin, Zhiqiang ^a  

^a UNIVERSITY OF TEXAS AT DALLAS   (United States)

Author keywords

[No Author keywords available]

Indexed keywords

CODE COVERAGE; ERROR-PRONE PROCESS; INSPECTION PROGRAMS; KERNEL MEMORY; MICROSOFT WINDOWS; SEMANTIC GAP; TRAINING PROCESS; VIRTUAL MACHINE INTROSPECTION;

COMPUTER OPERATING SYSTEMS; COMPUTER SIMULATION; TOOLS;

SEMANTICS;

EID: 84884996603     PISSN: 10949224     EISSN: 15577406     Source Type: Journal    
DOI: 10.1145/2505124     Document Type: Article

References (54)

1. Bach, M. J. 1986. The Design of the UNIX Operating System. Prentice Hall.
2. Bahram, S., Jiang, X., Wang, Z., Grace, M., Li, J., Srinivasan, D., Rhee, J., and Xu, D. 2010. DKSM: Subverting virtualmachine introspection for fun and profit. In Proceedings of the 29th IEEE Symposium on Reliable Distributed Systems.
3. Baiardi, F. and Sgandurra, D. 2007. Building trustworthy intrusion detection through vm introspection. In Proceedings of the 3rd International Symposium on Information Assurance and Security. IEEE Computer Society. 209-214.
4. Bovet, D. and Cesati, M. 2005. Understanding the Linux Kernel. Oreilly & Associates Inc.
5. Caballero, J. and Song, D. 2007. Polyglot: Automatic extraction of protocol format using dynamic binary analysis. In Proceedings of the 14th ACM Conference on Computer and and Communications Security (CCS'07). 317-329.
6. Caballero, J., Johnson, N. M., McCamant, S., and Song, D. 2010. Binary code extraction and interface identification for security applications. In Proceedings of the 17th Annual Network and Distributed System Security Symposium (NDSS'10).
7. Cadar, C., Ganesh, V., Pawlowski, P. M., Dill, D. L., and Engler, D. R. 2006. Exe: Automatically generating inputs of death. In Proceedings of the 13th ACM Conference on Computer and Communications Security (CCS'06). ACM, 322-335. (Pubitemid 47131380)
8. Carbone, M., Cui, W., Lu, L., Lee, W., Peinado, M., and Jiang, X. 2009. Mapping kernel objects to enable systematic integrity checking. In Proceedings of the 16th ACM Conference on Computer and Communications Security (CCS'09). ACM, 555-565.
9. Chen, P. M. and Noble, B. D. 2001. When virtual is better than real. In Proceedings of the 8th Workshop on Hot Topics in Operating Systems.
10. Chow, J., Pfaff, B., Christopher, K., and Rosenblum, M. 2004. Understanding data lifetime via whole-system simulation. In Proceedings of the 13th USENIX Security Symposium.
11. Cui, W., Peinado, M., Chen, K., Wang, H. J., and Irun-Briz, L. 2008. Tupni: Automatic reverse engineering of input formats. In Proceedings of the 15th ACM Conference on Computer and Communications Security (CCS'08). ACM, 391-402.
12. Dinaburg, A., Royal, P., Sharif, M., and Lee, W. 2008. Ether: Malware analysis via hardware virtualization extensions. In Proceedings of the 15th ACM Conference on Computer and Communications Security (CCS'08). ACM, 51-62.
13. Dolan-Gavitt, B., Srivastava, A., Traynor, P., and Giffin, J. 2009. Robust signatures for kernel data structures. In Proceedings of the 16th ACM Conference on Computer and Communications Security (CCS'09). ACM, 566-577.
14. Dolan-Gavitt, B., Leek, T., Zhivich, M., Giffin, J., and Lee, W. 2011a. Virtuoso: Narrowing the semantic gap in virtual machine introspection. In Proceedings of IEEE Symposium on Security and Privacy. 297-312.
15. Dolan-Gavitt, B., Payne, B., and Lee, W. 2011b. Leveraging forensic tools for virtual machine introspection. Tech. rep. GT-CS-11-05.
16. Egele, M., Kruegel, C., Kirda, E., Yin, H., and Song, D. 2007. Dynamic spyware analysis. In Proceedings of the USENIX Annual Technical Conference (Usenix'07).
17. Forrest, S., Hofmeyr, S. A., Somayaji, A., and Longstaff, T. A. 1996. A sense of self for unix processes. In Proceedings of the IEEE Symposium on Security and Privacy.
18. Fu, Y. and Lin, Z. 2012. Space traveling across vm: Automatically bridging the semantic-gap in virtual machine introspection via online kernel data redirection. In Proceedings of the IEEE Symposium on Security and Privacy.
19. Garfinkel, T. 2003. Traps and pitfalls: Practical problems in system call interposition based security tools. In In Proceedings of Network and Distributed Systems Security Symposium (NDSS'03). 163-176.
20. Garfinkel, T. and Rosenblum, M. 2003. A virtual machine introspection based architecture for intrusion detection. In Proceedings of the Network and Distributed Systems Security Symposium (NDSS'03).
21. Godefroid, P., Levin, M., and Molnar, D. 2008. Automated whitebox fuzz testing. In Proceedings of the 15th Annual Network and Distributed System Security Symposium (NDSS'08).
22. Gu, Y., Fu, Y., Prakash, A., Lin, Z., and Yin, H. 2012. Os-sommelier: Memory-only operating system fingerprinting in the cloud. In Proceedings of the 3rd ACM Symposium on Cloud Computing (SOCC'12).
23. Hay, B. and Nance, K. 2008. Forensics examination of volatile system data using virtual introspection. SIGOPS Operat. Syst. Rev. 42, 74-82.
24. Hofmann, O. S., Dunn, A. M., Kim, S., Roy, I., and Witchel, E. 2011. Ensuring operating system kernel integrity with oSck. In Proceedings of the International Conference on Architectural Support for Programming Languages and Operating Systems (ASPLOS'11).
25. Inoue, H., Adelstein, F., Donovan, M., and Brueckner, S. 2011. Automatically bridging the semantic gap using ac interpreter. In Proceedings of the Annual Symposium on Information Assurance.
26. Jiang, X., Wang, X., and Xu, D. 2007. Stealthy malware detection through vmm-based out-of-the-box semantic view reconstruction. In Proceedings of the 14th ACM Conference on Computer and Communications Security (CCS'07). ACM, 128-138.
27. Jones, S. T., Arpaci-Dusseau, A. C., and Arpaci-Dusseau, R. H. 2006. Antfarm: tracking processes in a virtual machine environment. In Proceedings of the USENIX Annual Technical Conference (Usenix'06).
28. Jones, S. T., Arpaci-Dusseau, A. C., and Arpaci-Dusseau, R. H. 2008. Vmm-based hidden process detection and identification using lycosid. In Proceedings of the 4th ACM SIGPLAN/SIGOPS International Conference on Virtual Execution Environments.
29. Kolbitsch, C., Holz, T., Kruegel, C., and Kirda, E. 2010. Inspector gadget: Automated extraction of proprietary gadgets from malware binaries. In Proceedings of the IEEE Security and Privacy.
30. Lin, Z., Jiang, X., Xu, D., and Zhang, X. 2008. Automatic protocol format reverse engineering through contextaware monitored execution. In Proceedings of the 15th Annual Network and Distributed System Security Symposium (NDSS'08).
31. Lin, Z., Zhang, X., and Xu, D. 2010a. Automatic reverse engineering of data structures from binary execution. In Proceedings of the 17th Annual Network and Distributed System Security Symposium (NDSS'10).
32. Lin, Z., Zhang, X., and Xu, D. 2010b. Reuse-oriented camouflaging trojan: Vulnerability detection and attack construction. In Proceedings of the 40th Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN-DCCS 2010).
33. Lin, Z., Rhee, J., Zhang, X., Xu, D., and Jiang, X. 2011. SIGGRAPH: Brute force scanning of kernel data structure instances using graph-based signatures. In Proceedings of the 18th Annual Network and Distributed System Security Symposium (NDSS'11).
34. Luk, C.-K., Cohn, R., Muth, R., Patil, H., Klauser, A., Lowney, G., Wallace, S., Reddi, V. J., and Hazelwood, K. 2005. Pin: Building customized program analysis tools with dynamic instrumentation. In Proceedings of the ACM SIGPLAN Conference on Programming Language Design and Implementation (PLDI'05). ACM, 190-200.
35. Newsome, J. and Song, D. 2005. Dynamic taint analysis for automatic detection, analysis, and signature generation of exploits on commodity software. In Proceedings of the 14th Annual Network and Distributed System Security Symposium (NDSS'05).
36. Payne, B. D., Carbone, M., and Lee, W. 2007. Secure and flexible monitoring of virtual machines. In Proceedings of the 23rd Annual Computer Security Applications Conference (ACSAC 2007).
37. Payne, B. D., Carbone, M., Sharif, M. I., and Lee, W. 2008. Lares: An architecture for secure active monitoring using virtualization. In Proceedings of the IEEE Symposium on Security and Privacy. IEEE, 233-247.
38. Petroni, N. L. Jr. and Hicks, M. 2007. Automated detection of persistent kernel control-flow attacks. In Proceedings of the 14th ACM Conference on Computer and Communications Security (CCS'07). ACM, 103-115.
39. Petroni, N. L. Jr., Fraser, T., Molina, J., and Arbaugh, W. A. 2004. Copilot - A coprocessor-based kernel runtime integrity monitor. In Proceedings of the 13th USENIX Security Symposium. USENIX, 179-194.
40. Portokalidis, G., Slowinska, A., and Bos, H. 2006. Argos: An emulator for fingerprinting zero-day attacks. In Proceedings of the 1st ACM SIGOPS/EuroSys European Conference on Computer Systems.
41. Provos, N. 2003. Improving host security with system call policies. In Proceedings of the 12th USENIX Security Symposium. USENIX, 257-272.
42. QEMU: An open source processor emulator. http://www.qemu.org/.
43. Riley, R., Jiang, X., and Xu, D. 2008. Guest-transparent prevention of kernel rootkits with VMM-based memory shadowing. In Proceedings of Recent Advances in Intrusion Detection (RAID'08). 1-20.
44. Sekar, R. Classification and grouping of linux system calls. http://seclab.cs.sunysb.edu/sekar/papers/syscallclassif.htm.
45. Srinivasan, D., Wang, Z., Jiang, X., and Xu, D. 2011. Process out-grafting: an efficient "out-of-vm" approach for fine-grained process execution monitoring. In Proceedings of the 18th ACM conference on Computer and communications security (CCS'11). ACM, 363-374.
46. Srivastava, A. and Giffin, J. 2008. Tamper-resistant, application-aware blocking of malicious network connections. In Proceedings of the 11th international symposium on Recent Advances in Intrusion Detection (RAID'08). 39-58.
47. VProbe:a VMI framework. http://communities.vmware.com/community/vmtn/ developer/forums/vprobes.
48. Walters, A. The volatility framework: Volatile memory artifact extraction utility framework. https://www.volatilesystems.com/default/volatility.
49. Wang, Y.-M., Beck, D., Vo, B., Roussev, R., and Verbowski, C. 2005. Detecting stealth software with strider ghostbuster. In Proceedings of the International Conference on Dependable Systems and Networks.
50. Wondracek, G., Milani, P., Kruegel, C., and Kirda, E. 2008. Automatic network protocol analysis. In Proceedings of the 15th Annual Network and Distributed System Security Symposium (NDSS'08).
51. Xed: X86 encoder decoder. http://www.pintool.org/docs/24110/Xed/html/.
52. Xiong, X., Tian, D., and Liu, P. 2011. Practical protection of kernel integrity for commodity OS from untrusted extensions. In Proceedings of the 18th Annual Network and Distributed System Security Symposium (NDSS'11).
53. Yin, H. and Song, D. 2010. Temu: Binary code analysis via whole-system layered annotative execution. Tech. rep. UCB/EECS-2010-3, EECS Department, University of California, Berkeley.
54. Yin, H., Song, D., Manuel, E., Kruegel, C., and Kirda, E. 2007. Panorama: Capturing system-wide information flow for malware detection and analysis. In Proceedings of the 14th ACM Conferences on Computer and Communication Security (CCS'07).