Multi-aspect, robust, and memory exclusive guest os fingerprinting

IEEE Transactions on Cloud Computing

Volumn 2, Issue 4, 2014, Pages 380-394

  Gu, Yufei ^a   Fu, Yangchun ^a   Prakash, Aravind ^b   Lin, Zhiqiang ^a   Yin, Heng ^b  

^a The University of Texas at Dallas   (United States)

^b Syracuse University   (United States)

Author keywords

memory forensics; Operating system fingerprinting; virtual machine introspection

Indexed keywords

CODES (SYMBOLS); LINUX; NETWORK SECURITY; VIRTUAL MACHINE;

EVALUATION RESULTS; FINGERPRINTING TECHNIQUES; MEMORY FORENSICS; OPERATING SYSTEM FINGERPRINTING; PENETRATION TESTING; PHYSICAL MEMORY; PROTOTYPE SYSTEM; VIRTUAL MACHINE INTROSPECTION;

COMPUTER FORENSICS;

EID: 84922329697     PISSN: None     EISSN: 21687161     Source Type: Journal    
DOI: 10.1109/TCC.2014.2338305     Document Type: Article

References (41)

1. Crash. (2014) [Online]. Available: http://mclx.com/projects/ crash/
2. QEMU: An open source processor emulator. (2014) [Online]. Available: http://www.qemu.org/
3. Xed: X86 encoder decoder. (2014) [Online]. Available: http:// www. pintool.org/docs/24110/Xed/html/
4. O. Arkin, F. Yarochkin, and M. Kydyraliev, "The present and future of xprobe2: The next generation of active operating system fingerprinting. sys-security group," Jul. 2003.
5. A. M. Azab, P. Ning, Z. Wang, X. Jiang, X. Zhang, and N. C. Skalsky, "Hypersentry: Enabling stealthy in-context measurement of hypervisor integrity," in Proc. 17th ACM Conf. Comput. Commun. Secur., 2010, pp. 38-49.
6. E. Bhatkar, D. C. Duvarney, and R. Sekar, "Address obfuscation: an efficient approach to combat a broad range of memory error exploits," in Proc. 12th USENIX Security Symp., 2003, pp.105-120.
7. S. Bhatkar, R. Sekar, and D. C. DuVarney, "Efficient techniques for comprehensive protection from memory error exploits," in Proc. 14th Conf. USENIX Security Symp., 2005, p. 17.
8. P. M. Chen and B. D. Noble, "When virtual is better than real," in Proc. 8th Workshop Hot Topics Operating Syst., 2001, pp. 133-138.
9. X. Chen, T. Garfinkel, E. C. Lewis, P. Subrahmanyam, C. A. Waldspurger, D. Boneh, J. Dwoskin, and D. R. Ports, "Overshadow: A virtualization-based approach to retrofitting protection in commodity operating systems," in Proc. 13th Int. Conf. Archit. Support Program. Lang. Operating Syst., 2008, pp. 2-13.
10. M. Christodorescu, R. Sailer, D. L. Schales, D. Sgandurra, and D. Zamboni, "Cloud security is not (just) virtualization security: A short paper," in Proc. ACM Workshop Cloud Comput. Security, 2009, pp. 97-102.
11. D. E. Comer and J. C. Lin, "Probing tcp implementations," in Proc. USENIX Summer 1994 Tech. Conf., Boston, MA, USA, 1994, pp. 245-255.
12. G. Conti, S. Bratus, B. Sangster, R. Ragsdale, M. Supan, A. Lichtenberg, R. Perez, and A. Shubina, "Automated mapping of large binary objects using primitive fragment type classification," in Proc. DFRWS Annu. Conf., 2010, pp. 3-12.
13. Y. Fu and Z. Lin, "Space traveling across VM: Automatically bridging the semantic-gap in virtual machine introspection via online kernel data redirection," in Proc. IEEE Symp. Security Privacy, San Francisco, CA, USA, May 2012, pp. 586-600.
14. Y. Fu and Z. Lin, "Bridging the semantic gap in virtual machine introspection via online kernel data redirection," ACM Trans. Inf. Syst. Security, vol. 16, no. 2, pp. 7:1-7:29, 2013.
15. Y. Fu and Z. Lin, "Exterior: Using a dual-vm based external shell for guest-os introspection, configuration, and recovery," in Proc. 9th Annu. Int. Conf. Virtual Execution Environ., Houston, TX, USA, Mar. 2013, pp. 97-110.
16. Fyodor. (2007, Jan.). Remote os detection via TCP/IP fingerprinting (2nd generation). insecure.org [online]. Available: http://insecure.org/nmap/osdetect/
17. T. Garfinkel and M. Rosenblum, "A virtual machine introspection based architecture for intrusion detection," in Proc. Netw. Distrib. Syst. Secur. Symp., Feb. 2003.
18. L. G. Greenwald and T. J. Thomas, "Toward undetected operating system fingerprinting," in Proc. 1st USENIX Workshop Offensive Technol., 2007, pp. 1-10.
19. Y. Gu, Y. Fu, A. Prakash, Z. Lin, and H. Yin, "Os-sommelier: Memory-only operating system fingerprinting in the cloud," in Proc. 3rd ACM Symp. Cloud Comput., San Jose, CA, USA, Oct. 2012, pp. 5:1-5:13.
20. S. Hand, Z. Lin, G. Gu, and B. Thuraisingham, "Bin-carver: Automatic recovery of binary executable files," in Proc. 12th Annu. Digit. Forensics Res. Conf., Washington, DC, USA, Aug. 2012, pp. 108-117.
21. Intel-64 and IA-32 architectures software developer's manual combined volumes 3A, 3B, and 3C: System programming guide, parts 1 and 2: 11-28, 2012.
22. X. Jiang, X. Wang, and D. Xu, "Stealthy malware detection through vmm-based out-of-the-box semantic view reconstruction," in Proc. 14th ACM Conf. Comput. Commun. Security, Alexandria, VA, USA, Nov. 2007, pp. 128-138.
23. R. W. Jones and M. Booth, Virt-inspector-Display operating system version and other information about a virtual machine. (2012) [Online]. Available: http://libguestfs.org/virt-inspector.1.html
24. D. E. Knuth, J. H. Morris Jr, and V. R. Pratt, "Fast pattern matching in strings," SIAM J. Comput., vol. 6, no. 2, pp. 323-350, 1977.
25. C. Kruegel, W. Robertson, F. Valeur, and G. Vigna, "Static disassembly of obfuscated binaries," in Proc. 13th Conf. USENIX Security Symp., San Diego, CA, USA, 2004, pp. 255-270.
26. Z. Lin, J. Rhee, X. Zhang, D. Xu, and X. Jiang, "Siggraph: Brute force scanning of kernel data structure instances using graph-based signatures," presented at the Proc. 18th Annual Network and Distributed System Security Symp., San Diego, CA, USA, Feb. 2011.
27. J. M. McCune, Y. Li, N. Qu, Z. Zhou, A. Datta, V. Gligor, and A. Perrig, "Trustvisor: Efficient tcb reduction and attestation," in Proc. IEEE Symp. Security Privacy, 2010, pp. 143-158.
28. V. Paxson, "Automated packet trace analysis of TCP implementations," in Proc. ACM SIGCOMM, 1997, pp. 167-179.
29. B. D. Payne, M. Carbone, and W. Lee, "Secure and flexible monitoring of virtual machines," in Proc. 23rd Annu. Comput. Security Appl. Conf., Dec. 2007, pp. 385-397.
30. N. A. Quynh, "Operating system fingerprinting for virtual machines," in Proc. DEFCON 18, 2010.
31. A. Saberi, Y. Fu, and Z. Lin, "Hybrid-bridge: Efficiently bridging the semantic-gap in virtual machine introspection via decoupled execution and training memoization," presented at the 21st Annu. Network and distributed system security symposium, San Diego, CA, USA, Feb. 2014.
32. B. Schwarz, S. Debray, and G. Andrews, "Disassembly of executable code revisited," in Proc. 9th Working Conf. Reverse Eng., 2002, pp. 45-54.
33. A. Seshadri, M. Luk, N. Qu, and A. Perrig, "Secvisor: A tiny hypervisor to provide lifetime kernel code integrity for commodity oses," in Proc. 21st ACM SIGOPS Symp. Oper. Syst. Principles, 2007, pp. 335-350.
34. C. Smith and P. Grundl, "Know your enemy: Passive fingerprinting. Identifying remote hosts without them knowing," Tech. Rep., Honeynet Project, Ann Arbor, MI, USA, 2002.
35. A. Sotirov, "Hotpatching and the rise of third-party patches," in Proc. Black Hat Tech. Security Conf., Las Vegas, NV, USA, Aug. 2006.
36. G. Taleck, "Synscan: Towards complete tcp/ip fingerprinting," presented at the Canada Security West Conf., Vancouver, BC, Canada, 2004.
37. P. Team, Pax address space layout randomization (ASLR). (2003) [Online]. Available: http://pax.grsecurity.net/docs/aslr.txt
38. A. Walters, The volatility framework: Volatile memory artifact extraction utility framework. (2014) [Online]. Available: https:// www.volatilesystems.com/default/volatility
39. J. Xu, Z. Kalbarczyk, and R. K. Iyer, "Transparent runtime randomization for security," in Proc. 22nd Int. Symp. Reliable Distrib. Syst., 2003, pp. 260-269.
40. F. Yarochkin, O. Arkin, M. Kydyraliev, S.-Y. Dai, Y. Huang, and S.-Y. Kuo, "Xprobe2++: Low volume remote network information gathering tool," in Proc. IEEE/IFIP Int. Conf. Dependable Syst. Netw., 2009, pp. 205-210.
41. F. Zhang, J. Chen, H. Chen, and B. Zang, "Cloudvisor: Retrofitting protection of virtual machines in multi-tenant cloud with nested virtualization," in Proc. 23rd ACM Symp. Operating Syst. Principles, 2011, pp. 203-216.