SoK: Introspections on trust and the semantic gap

Proceedings - IEEE Symposium on Security and Privacy

Volumn , Issue , 2014, Pages 605-620

  Jain, Bhushan ^a   Baig, Mirza Basim ^a   Zhang, Dongli ^a   Porter, Donald E ^a   Sion, Radu ^a  

^a STONY BROOK UNIVERSITY   (United States)

Author keywords

semantic gap; trust; VM Introspection

Indexed keywords

BRIDGES; VIRTUAL MACHINE;

DESIGN CONSIDERATIONS; SECURITY POLICY ENFORCEMENT; SEMANTIC GAP; TRUST; TRUSTED COMPUTING BASE; VIRTUAL MACHINE INTROSPECTION; VIRTUALIZED ENVIRONMENT; VM INTROSPECTION;

SEMANTICS;

EID: 84914124212     PISSN: 10816011     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1109/SP.2014.45     Document Type: Conference Paper

References (94)

1. Draugr. Online at https://code.google.com/p/draugr/.
2. FatKit. Online at http://4tphi.net/fatkit/.
3. Foriana. Online at http://hysteria.sk/-niekt0/foriana/.
4. GREPEXEC: Grepping Executive Objects from Pool Memory). Online at http://uninformed.org/?v=4&a= 2&t=pdf.
5. idetect. Online at http://forensic.seccure.net/.
6. Intel 64 and IA-32 Architectures Developer's Manual: Vol. 3B.
7. Intel Software Guard Extensions (Intel SGX) Programming Reference.
8. Kernel object hooking rootkits (koh rootkits). http://my.opera.com/330205811004483jash520/blog/show.dml/314125.
9. Kntlist. Online at http://www.dfrws.org/2005/challenge/kntlist.shtml.
10. lsproc. Online at http://windowsir.blogspot.com/2006/04/lsproc-released.html.
11. Memparser. Online at http://www.dfrws.org/2005/challenge/memparser.shtml.
12. PROCENUM. Online at http://forensic.seccure.net/.
13. Red Hat Crash Utility. Online at http://people.redhat.com/anderson/.
14. The Linux Cross Reference. Online at http://lxr.linux. no/.
15. The Volatility framework. Online at https://code. google.com/p/volatility/.
16. Volatilitux. Online at https://code.google.com/p/volatilitux/.
17. Windows Memory Forensic Toolkit. Online at http://forensic.seccure.net/.
18. M. Abadi, M. Budiu, U. Erlingsson, and J. Ligatti. Control-flow integrity. In CCS, pages 340-353, 2005.
19. A. S. Aiyer, L. Alvisi, A. Clement, M. Dahlin, J.- P. Martin, and C. Porth. BAR Fault Tolerance for Cooperative Services. In SOSP, pages 45-58, 2005.
20. AMD. AMD I/O Virtualization Technology (IOMMU) Specification Revision 1.26. White Paper, AMD: http://support.amd.com/us/Processor TechDocs/34434-IOMMU-Rev 1.26 2-11-09.pdf, Nov 2009.
21. I. Anati, S. Gueron, S. Johnson, and V. Scarlata. Innovative technology for cpu based attestation and sealing. HASP '13, 2013.
22. A. M. Azab, P. Ning, Z. Wang, X. Jiang, X. Zhang, and N. C. Skalsky. Hypersentry: enabling stealthy incontext measurement of hypervisor integrity. In CCS, pages 38-49, 2010.
23. S. Bahram, X. Jiang, Z. Wang, M. Grace, J. Li, D. Srinivasan, J. Rhee, and D. Xu. Dksm: Subverting virtual machine introspection for fun and profit. In SRDS, pages 82-91, 2010.
24. A. Baliga, V. Ganapathy, and L. Iftode. Automatic inference and enforcement of kernel data structure invariants. In ACSAC, pages 77-86, 2008.
25. P. Barham, B. Dragovic, K. Fraser, S. Hand, T. Harris, A. Ho, R. Neugebauer, I. Pratt, and A. Warfield. Xen and the art of virtualization. In SOSP, pages 164-177, 2003.
26. E. Bugnion, S. Devine, M. Rosenblum, J. Sugerman, and E. Y. Wang. Bringing virtualization to the x86 architecture with the original vmware workstation. ACM TOCS, 30(4):12:1-12:51, Nov. 2012.
27. T. W. Burger. Intel Virtualization Technology for Directed I/O (VT-d): Enhancing Intel platforms for efficient virtualization of I/O devices. http://software.intel.com/en-us/articles/intel-virtualizationtechnology-for-directed-io-vt-d-enhancing-intelplatforms-for-efficient-virtualization-of-io-devices/, February 2009.
28. J. Butler and G. Hoglund. Vice - catch the hookers! In Black Hat USA 2004, Las Vegas, USA, 2004.
29. X. Cai, Y. Gui, and R. Johnson. Exploiting unix filesystem races via algorithmic complexity attacks. In Oakland, pages 27-41, 2009.
30. M. Carbone, M. Conover, B. Montague, and W. Lee. Secure and robust monitoring of virtual machines through guest-assisted introspection. In RAID, pages 22-41, 2012.
31. M. Carbone, W. Cui, L. Lu, W. Lee, M. Peinado, and X. Jiang. Mapping kernel objects to enable systematic integrity checking. In CCS, pages 555-565, 2009.
32. R. Chandra, T. Kim, M. Shah, N. Narula, and N. Zeldovich. Intrusion recovery for database-backed web applications. In SOSP, pages 101-114, 2011.
33. S. Checkoway and H. Shacham. Iago attacks: Why the system call api is a bad untrusted rpc interface. In ASPLOS, 2013.
34. P. M. Chen and B. D. Noble. When virtual is better than real. In HotOS, pages 133-, 2001.
35. X. Chen, T. Garfinkel, E. C. Lewis, P. Subrahmanyam, C. A. Waldspurger, D. Boneh, J. Dwoskin, and D. R. Ports. Overshadow: A virtualization-based approach to retrofitting protection in commodity operating systems. In ASPLOS, pages 2-13, 2008.
36. J. Corbet. A new adore root kit. LWN, March 2004. http://lwn.net/Articles/75990/.
37. A. Cristina, L. Marziale, G. G. Ru Iii, and V. Roussev. Face: Automated digital evidence discovery and correlation. In Digital Forensics, 2005.
38. W. Cui, M. Peinado, Z. Xu, and E. Chan. Tracking rootkit footprints with a practical memory analysis system. In USENIX Security, pages 42-42, 2012.
39. A. Dinaburg, P. Royal, M. Sharif, and W. Lee. Ether: malware analysis via hardware virtualization extensions. In CCS, pages 51-62, 2008.
40. B. Dolan-Gavitt, T. Leek, M. Zhivich, J. Giffin, and W. Lee. Virtuoso: Narrowing the semantic gap in virtual machine introspection. In Oakland, pages 297-312, 2011.
41. B. Dolan-Gavitt, A. Srivastava, P. Traynor, and J. Giffin. Robust signatures for kernel data structures. In CCS, pages 566-577, 2009.
42. G. W. Dunlap, S. T. King, S. Cinar, M. A. Basrai, and P. M. Chen. Revirt: enabling intrusion analysis through virtual-machine logging and replay. In OSDI, 2002.
43. M. D. Ernst, J. H. Perkins, P. J. Guo, S. McCamant, C. Pacheco, M. S. Tschantz, and C. Xiao. The daikon system for dynamic detection of likely invariants. Sci. Comput. Program., 69(1-3):35-45, Dec. 2007.
44. Y. Fu and Z. Lin. Space traveling across vm: Automatically bridging the semantic gap in virtual machine introspection via online kernel data redirection. In Oakland, pages 586-600, 2012.
45. Y. Fu and Z. Lin. Exterior: using a dual-vm based external shell for guest-os introspection, configuration, and recovery. In VEE, pages 97-110, 2013.
46. T. Garfinkel and M. Rosenblum. A virtual machine introspection based architecture for intrusion detection. In NDSS, pages 191-206, 2003.
47. Z. Gu, Z. Deng, D. Xu, and X. Jiang. Process implanting: A new active introspection framework for virtualization. In SRDS, pages 147-156, 2011.
48. R. T. Hall and J. Taylor. A framework for networkwide semantic event correlation, 2013.
49. N. Heintze and O. Tardieu. Ultra-fast aliasing analysis using cla: a million lines of c code in a second. In PLDI, pages 254-263, 2001.
50. M. Hoekstra, R. Lal, P. Pappachan, V. Phegade, and J. Del Cuvillo. Using innovative instructions to create trustworthy software solutions. In HASP, 2013.
51. O. S. Hofmann, A. M. Dunn, S. Kim, I. Roy, and E. Witchel. Ensuring operating system kernel integrity with OSck. In ASPLOS, pages 279-290, 2011.
52. O. S. Hofmann, S. Kim, A. M. Dunn, M. Z. Lee, and E. Witchel. Inktag: secure applications on an untrusted operating system. In ASPLOS, pages 265-278, 2013.
53. X. Jiang, X. Wang, and D. Xu. Stealthy malware detection through vmm-based "out-of-the-box" semantic view reconstruction. In CCS, pages 128-138, 2007.
54. S. T. Jones, A. C. Arpaci-Dusseau, and R. H. Arpaci-Dusseau. Geiger: Monitoring the buffer cache in a virtual machine environment. In ASPLOS, ASPLOS XII, pages 14-24, 2006.
55. S. T. Jones, A. C. Arpaci-Dusseau, and R. H. Arpaci-Dusseau. VMM-based Hidden Process Detection and Identification Using Lycosid. In VEE, pages 91-100, 2008.
56. D. Kienzle, N. Evans, and M. Elder. NICE: Network Introspection by Collaborating Endpoints. In Communications and Network Security, pages 411-412, 2013.
57. T. Kim, R. Chandra, and N. Zeldovich. Recovering from intrusions in distributed systems with DARE. In APSYS, pages 10:1-10:7, 2012.
58. T. Kim, X. Wang, N. Zeldovich, and M. F. Kaashoek. Intrusion recovery using selective re-execution. In OSDI, pages 1-9, 2010.
59. V. Kiriansky, D. Bruening, and S. P. Amarasinghe. Secure execution via program shepherding. In USENIX Security, pages 191-206, 2002.
60. H. Lee, H. Moon, D. Jang, K. Kim, J. Lee, Y. Paek, and B. B. Kang. Ki-mon: a hardware-assisted eventtriggered monitoring platform for mutable kernel object. In USENIX Security, pages 511-526, 2013.
61. J. Li, M. Krohn, D. Mazières, and D. Shasha. Secure untrusted data repository (SUNDR). In OSDI, pages 9-9, 2004.
62. J. Li, Z. Wang, X. Jiang, M. Grace, and S. Bahram. Defeating return-oriented rootkits with "return-less" kernels. In EuroSys, pages 195-208, 2010.
63. D. Lie, C. A. Thekkath, and M. Horowitz. Implementing an untrusted operating system on trusted hardware. In SOSP, pages 178-192, 2003.
64. Z. Lin, J. Rhee, X. Zhang, D. Xu, and X. Jiang. Siggraph: Brute force scanning of kernel data structure instances using graph-based signatures. In NDSS, 2011.
65. L. Litty, H. A. Lagar-Cavilla, and D. Lie. Hypervisor support for identifying covertly executing binaries. In SS, pages 243-258, 2008.
66. L. Liu, J. Han, D. Gao, J. Jing, and D. Zha. Launching return-oriented programming attacks against randomized relocatable executables. In TRUSTCOM, pages 37-44, 2011.
67. Z. Liu, J. Lee, J. Zeng, Y. Wen, Z. Lin, and W. Shi. Cpu transparent protection of os kernel and hypervisor integrity with programmable dram. In ISCA, pages 392-403, 2013.
68. J. M. McCune, Y. Li, N. Qu, Z. Zhou, A. Datta, V. Gligor, and A. Perrig. Trustvisor: Efficient tcb reduction and attestation. In Oakland, pages 143-158, 2010.
69. J. M. McCune, B. J. Parno, A. Perrig, M. K. Reiter, and H. Isozaki. Flicker: An execution infrastructure for tcb minimization. In EuroSys, pages 315-328, 2008.
70. F. McKeen, I. Alexandrovich, A. Berenzon, C. V. Rozas, H. Shafi, V. Shanbhogue, and U. R. Savagaonkar. Innovative instructions and software model for isolated execution. In HASP, 2013.
71. H. Moon, H. Lee, J. Lee, K. Kim, Y. Paek, and B. B. Kang. Vigilare: toward snoop-based kernel integrity monitor. In CCS, pages 28-37, 2012.
72. K. Onarlioglu, L. Bilge, A. Lanzi, D. Balzarotti, and E. Kirda. G-free: defeating return-oriented programming through gadget-less binaries. In ACSAC, pages 49-58, 2010.
73. B. D. Payne, M. Carbone, M. Sharif, and W. Lee. Lares: An architecture for secure active monitoring using virtualization. In Oakland, pages 233-247, 2008.
74. N. L. Petroni, Jr., T. Fraser, J. Molina, and W. A. Arbaugh. Copilot - a coprocessor-based kernel runtime integrity monitor. In USENIX Security, pages 13-13, 2004.
75. N. L. Petroni, Jr. and M. Hicks. Automated detection of persistent kernel control-flow attacks. In CCS, pages 103-115, 2007.
76. G. J. Popek and R. P. Goldberg. Formal requirements for virtualizable third generation architectures. CACM, 17(7):412-421, July 1974.
77. J. Rhee, R. Riley, D. Xu, and X. Jiang. Kernel malware analysis with un-tampered and temporal views of dynamic kernel memory. In RAID, pages 178-197, 2010.
78. W. Richter, G. Ammons, J. Harkes, A. Goode, N. Bila, E. De Lara, V. Bala, and M. Satyanarayanan. Privacysensitive VM Retrospection. In HotCloud, pages 10-10, 2011.
79. R. Riley, X. Jiang, and D. Xu. Guest-transparent prevention of kernel rootkits with VMM-based memory shadowing. In RAID, pages 1-20, 2008.
80. A. Saberi, Y. Fu, and Z. Lin. HYBRID-BRIDGE: Efficiently Bridging the Semantic Gap in Virtual Machine Introspection via Decoupled Execution and Training Memoization. In NDSS, 2014.
81. A. Schuster. Pool allocations as an information source in Windows memory forensics. In IMF, pages 104-115, 2006.
82. A. Schuster. The impact of Microsoft Windows pool allocation strategies on memory forensics. Digital Investigation, 5:S58-S64, 2008.
83. A. Seshadri, M. Luk, N. Qu, and A. Perrig. Secvisor: A tiny hypervisor to provide lifetime kernel code integrity for commodity OSes. In SOSP, pages 335-350, 2007.
84. M. I. Sharif, W. Lee, W. Cui, and A. Lanzi. Secure in-VM monitoring using hardware virtualization. In CCS, pages 477-487, 2009.
85. Y. Shin and L. Williams. An Empirical Model to Predict Security Vulnerabilities Using Code Complexity Metrics. In ESEM, pages 315-317, 2008.
86. D. Srinivasan, Z. Wang, X. Jiang, and D. Xu. Process out-grafting: An efficient "out-of-VM" approach for fine-grained process execution monitoring. In CCS, pages 363-374, 2011.
87. V. Tarasov, D. Jain, D. Hildebrand, R. Tewari, G. Kuenning, and E. Zadok. Improving I/O performance using virtual disk introspection. In HotStorage, pages 11-11, 2013.
88. J. Wang, A. Stavrou, and A. Ghosh. Hypercheck: A hardware-assisted integrity monitor. In RAID, pages 158-177, 2010.
89. Z. Wang, X. Jiang, W. Cui, and P. Ning. Countering kernel rootkits with lightweight hook protection. In CCS, pages 545-554, 2009.
90. R. Wartell, V. Mohan, K. W. Hamlen, and Z. Lin. Binary stirring: Self-randomizing instruction addresses of legacy x86 binary code. In CCS, pages 157-168, 2012.
91. C. Wright, C. Cowan, S. Smalley, J. Morris, and G. K. Hartman. Linux security modules: General security support for the Linux kernel. In USENIX Security Symposium, 2002.
92. J. Yang, A. Cui, S. Stolfo, and S. Sethumadhavan. Concurrency attacks. In HotPar, pages 15-15, 2012.
93. Y. Zhang, Y. Gu, H. Wang, and D. Wang. Virtualmachine-based intrusion detection on file-aware block level storage. In SBAC-PAD, pages 185-192, 2006.
94. Y. Zhang, A. Juels, M. K. Reiter, and T. Ristenpart. Cross-VM side channels and their use to extract private keys. In CCS, pages 305-316, 2012.