HYBRID-BRIDGE: Efficiently Bridging the Semantic Gap in Virtual Machine Introspection via Decoupled Execution and Training Memoization

21st Annual Network and Distributed System Security Symposium, NDSS 2014

Volumn , Issue , 2014, Pages

  Saberi, Alireza ^a   Fu, Yangchun ^a   Lin, Zhiqiang ^a  

^a UNIVERSITY OF TEXAS AT DALLAS   (United States)

Author keywords

[No Author keywords available]

Indexed keywords

BENCHMARKING; BINARY CODES; NETWORK SECURITY; SEMANTICS; VIRTUAL MACHINE; VIRTUAL REALITY;

CLOUD PROVIDERS; MACHINE STATE; MEMOIZATION; OFF-LINE TRAINING; PERFORMANCE; REAL TIME MONITORING; REUSE; SEMANTIC GAP; VIRTUAL MACHINE INTROSPECTION; VIRTUALIZATIONS;

VIRTUALIZATION;

EID: 85080477586     PISSN: None     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.14722/ndss/2014.23226     Document Type: Conference Paper

References (56)

1. Dynamorio dynamic instrumentation tool platform. http://dynamorio.org.
2. Intel 64 and ia-32 architectures software developer’s manual volume 3b: System programming guide. http://www.intel.com/Assets/PDF/manual/253669.pdf.
3. QEMU: an open source processor emulator. http://www.qemu.org/.
4. Vprobe toolkit. https://github.com/vmware/vprobe-toolkit.
5. F. Baiardi and D. Sgandurra. Building trustworthy intrusion detection through vm introspection. In Proceedings of the 3rd International Symposium on Information Assurance and Security (IAS’07), pages 209–214, 2007.
6. D. Bovet and M. Cesati. Understanding The Linux Kernel. Oreilly & Associates Inc, 2005.
7. B. Buck and J. K. Hollingsworth. An api for runtime code patching. International Journal of High Performance Computing Applications, 14(4):317–329, 2000.
8. J. Caballero, N. M. Johnson, S. McCamant, and D. Song. Binary code extraction and interface identification for security applications. In Proceedings of the 17th Annual Network and Distributed System Security Symposium (NDSS’10), San Diego, CA, February 2010.
9. M. Carbone, W. Cui, L. Lu, W. Lee, M. Peinado, and X. Jiang. Mapping kernel objects to enable systematic integrity checking. In The 16th ACM Conference on Computer and Communications Security (CCS’09), pages 555–565, Chicago, IL. October 2009.
10. P. M. Chen and B. D. Noble. When virtual is better than real. In Proceedings of the Eighth Workshop on Hot Topics in Operating Systems (HOTOS’01), pages 133–138, Elmau/Oberbayern, Germany. 2001.
11. H. Cui, J. Wu, C.-C. Tsai, and J. Yang. Stable deterministic multithreading through schedule memoization. In Proceedings of the Ninth Symposium on Operating Systems Design and Implementation (OSDI’10). October 2010.
12. W. Cui, M. Peinado, Z. Xu, and E. Chan. Tracking rootkit footprints with a practical memory analysis system. In Proceedings of USENIX Security Symposium. August, 2012.
13. A. Dinaburg, P. Royal, M. Sharif, and W. Lee. Ether: malware analysis via hardware virtualization extensions. In Proceedings of the 15th ACM conference on Computer and communications security (CCS’08), pages 51–62, Alexandria, Virginia. October 2008.
14. B. Dolan-Gavitt. Virtuoso: Whole-system binary code extraction for introspection. https://code.google.com/p/virtuoso/.
15. B. Dolan-Gavitt, T. Leek, M. Zhivich, J. Giffin, and W. Lee. Virtuoso: Narrowing the semantic gap in virtual machine introspection. In Proceedings of the 32nd IEEE Symposium on Security and Privacy (SP’11), pages 297–312, Oakland, CA. May 2011.
16. B. Dolan-Gavitt, B. Payne, and W. Lee. Leveraging forensic tools for virtual machine introspection. Technical Report; GT-CS-11-05, 2011.
17. J. Edge. Randomizing the kernel, 2013. http://lwn.net/Articles/546686/.
18. B. Fabrice. Qemu, a fast and portable dynamic translator. In Proceedings of the 2005 USENIX Annual Technical Conference (ATC’05), Anaheim, CA. June 2005.
19. Y. Fu and Z. Lin. Space traveling across vm: Automatically bridging the semantic gap in virtual machine introspection via online kernel data redirection. In Proceedings of the 2012 IEEE Symposium on Security and Privacy (SP’12), pages 586–600, San Fransisco, CA. May 2012.
20. Y. Fu and Z. Lin. Bridging the semantic gap in virtual machine introspection via online kernel data redirection. ACM Trans. Inf. Syst. Secur., 16(2):7:1–7:29, Sept. 2013.
21. Y. Fu and Z. Lin. Exterior: Using a dual-vm based external shell for guest-os introspection, configuration, and recovery. In Proceedings of the Ninth Annual International Conference on Virtual Execution Environments (VEE’13), Houston, TX. March 2013.
22. T. Garfinkel and M. Rosenblum. A virtual machine introspection based architecture for intrusion detection. In Proceedings Network and Distributed Systems Security Symposium (NDSS’03), San Diego, CA. February 2003.
23. R. P. Goldberg. Architectural Principles of virtual machines. PhD thesis. PhD thesis, Harvard University. 1972.
24. Y. Gu, Y. Fu, A. Prakash, Z. Lin, and H. Yin. Os-sommelier: Memory-only operating system fingerprinting in the cloud. In Proceedings of the 3rd ACM Symposium on Cloud Computing (SOCC’12), San Jose, CA. October 2012.
25. Z. Gu, Z. Deng, D. Xu, and X. Jiang. Process implanting: A new active introspection framework for virtualization. In Proceedings of the 30th IEEE Symposium on Reliable Distributed Systems (SRDS 2011), pages 147–156, Madrid, Spain. October 4-7, 2011.
26. B. Hay and K. Nance. Forensics examination of volatile system data using virtual introspection. SIGOPS Operating System Review, 42:74–82, April 2008.
27. A. Ho, M. Fetterman, C. Clark, A. Warfield, and S. Hand. Practical taint-based protection using demand emulation. In Proceedings of the 1st ACM SIGOPS/EuroSys European Conference on Computer Systems (EuroSys’06), pages 29–41. 2006.
28. O. S. Hofmann, A. M. Dunn, S. Kim, I. Roy, and E. Witchel. Ensuring operating system kernel integrity with osck. In Proceedings of the sixteenth international conference on Architectural support for programming languages and operating systems (ASPLOS’11), pages 279–290, Newport Beach, California. March 2011.
29. H. Inoue, F. Adelstein, M. Donovan, and S. Brueckner. Automatically bridging the semantic gap using a c interpreter. In Proceedings of the 2011 Annual Symposium on Information Assurance (ASIA’11), Albany, NY. June 2011.
30. K. Jee, G. Portokalidis, V. P. Kemerlis, S. Ghosh, D. I. August, and A. D. Keromytis. A general approach for efficiently accelerating software-based dynamic data flow tracking on commodity hardware. In Proceedings Network and Distributed Systems Security Symposium (NDSS’12), San Diego, CA. February 2012.
31. X. Jiang, X. Wang, and D. Xu. Stealthy malware detection through vmm-based out-of-the-box semantic view reconstruction. In Proceedings of the 14th ACM Conference on Computer and Communications Security (CCS’07), pages 128–138, Alexandria, Virginia. October 2007.
32. P. M. Chen, J. Chow, and T. Garfinkel. Decoupling dynamic program analysis from execution in virtual environments. In USENIX 2008 Annual Technical Conference on Annual Technical Conference (ATC’08), pages 1–14, 2008.
33. A. Kivity, Y. Kamay, D. Laor, U. Lublin, and A. Liguori. kvm: the linux virtual machine monitor. In Proceedings of the Linux Symposium, volume 1, pages 225–230, 2007.
34. C. Kolbitsch, T. Holz, C. Kruegel, and E. Kirda. Inspector gadget: Automated extraction of proprietary gadgets from malware binaries. In Proceedings of 2010 IEEE Security and Privacy (SP’10), Oakland, CA. May 2010.
35. A. Kotok. Dec debugging tape (ddt). Massachusetts Institute of Technology (MIT), 1964.
36. W. Li, L.-c. Lam, and T.-c. Chiueh. Accurate application-specific sandboxing for win32/intel binaries. In Proceedings of the 3rd International Symposium on Information Assurance and Security (IAS’07), pages 375–382, Manchester, UK. 2007.
37. Z. Lin, X. Zhang, and D. Xu. Reuse-oriented camouflaging trojan: Vulnerability detection and attack construction. In Proceedings of the 40th Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN-DCCS 2010), Chicago, IL. June 2010.
38. C.-K. Luk, R. Cohn, R. Muth, H. Patil, A. Klauser, G. Lowney, S. Wallace, V. J. Reddi, and K. Hazelwood. Pin: building customized program analysis tools with dynamic instrumentation. In ACM SIGPLAN Notices, volume 40, pages 190–200, 2005.
39. D. Michie.”Memo” Functions and Machine Learning. Nature, 218(5136):19–22, Apr. 1968.
40. N. Nethercote and J. Seward. Valgrind: a framework for heavyweight dynamic binary instrumentation. In Proceedings of the 2007 ACM SIGPLAN conference on Programming language design and implementation (PLDI’07), pages 89–100, San Diego, CA. 2007.
41. J. Newsome and D. Song. Dynamic taint analysis for automatic detection, analysis, and signature generation of exploits on commodity software. In Proceedings of the 14th Annual Network and Distributed System Security Symposium (NDSS’05), San Diego, CA. February 2005.
42. H. Pan, K. Asanović, R. Cohn, and C.-K. Luk. Controlling program execution through binary instrumentation. SIGARCH Comput. Archit. News, 33(5):45–50, Dec. 2005.
43. B. D. Payne, M. Carbone, and W. Lee. Secure and flexible monitoring of virtual machines. In Proceedings of the 23rd Annual Computer Security Applications Conference (ACSAC’07). December 2007.
44. B. D. Payne, M. Carbone, M. Sharif, and W. Lee. Lares: An architecture for secure active monitoring using virtualization. In Proceedings of the 2008 IEEE Symposium on Security and Privacy (SP’08), pages 233–247, Oakland, CA. May 2008.
45. N. L. Petroni, Jr., T. Fraser, J. Molina, and W. A. Arbaugh. Copilot - A coprocessor-based kernel runtime integrity monitor. In Proceedings of the 13th USENIX Security Symposium (Security’04), pages 179–194, San Diego, CA. August 2004.
46. N. L. Petroni, Jr., T. Fraser, A. Walters, and W. A. Arbaugh. An architecture for specification-based detection of semantic integrity violations in kernel dynamic data. In Proceedings of the 15th USENIX Security Symposium (Security’06), Vancouver, B.C., Canada. August 2006.
47. J. Pfoh, C. Schneider, and C. Eckert. Nitro: Hardware-based system call tracing for virtual machines. In Advances in Information and Computer Security (IWSEC’11), volume 7038 of Lecture Notes in Computer Science, pages 96–112. November 2011.
48. N. A. Quynh. Operating system fingerprinting for virtual machines, 2010. In DEFCON 18.
49. M. Rajagopalan, S. Perianayagam, H. He, G. Andrews, and S. Debray. Biray rewriting of an operating system kernel. In Proc. Workshop on Binary Instrumentation and Applications, 2006.
50. J. Seward and N. Nethercote. Using valgrind to detect undefined value errors with bit-precision. In Proceedings of the annual conference on USENIX Annual Technical Conference (ATC’05), pages 2–2, Anaheim, CA. 2005.
51. D. Srinivasan, Z. Wang, X. Jiang, and D. Xu. Process out-grafting: an efficient”out-of-vm” approach for fine-grained process execution monitoring. In Proceedings of the 18th ACM conference on Computer and communications security (CCS’11), pages 363–374, Chicago, Illinois. October 2011.
52. A. Tamches and B. P. Miller. Fine-grained dynamic instrumentation of commodity operating system kernels. In Proceedings of the 3rd symposium on Operating systems design and implementation (OSDI’99), pages 117–130, 1999.
53. A. Tamches and B. P. Miller. Dynamic kernel i-cache optimization. In Proceedings of the 3rd Workshop on Binary Translation, 2001.
54. G. Venkataramani, I. Doudalis, Y. Solihin, and M. Prvulovic. Flexitaint: A programmable accelerator for dynamic taint propagation. In Proceedings of the 4th International Symposium on High Performance Computer Architecture (HPCA’08), Salt Lake City, UT. 2008.
55. L.-K. Yan, M. Jayachandra, M. Zhang, and H. Yin. V2e: Combining hardware virtualization and software emulation for transparent and extensible malware analysis. In Proceedings of the 8th ACM SIGPLAN/SIGOPS conference on Virtual Execution Environments (VEE’12), pages 227–238, London, UK, 2012.
56. J. Zeng, Y. Fu, K. Miller, Z. Lin, X. Zhang, and D. Xu. Obfuscation-resilient binary code reuse through trace-oriented programming. In Proceedings of the 20th ACM Conference on Computer and Communications Security (CCS’13), Berlin, Germany. November 2013.