Kernel Memory Protection by an Insertable Hypervisor Which Has VM Introspection and Stealth Breakpoints

  • Kuniyasu Suzaki
  • Toshiki Yagi
  • Kazukuni Kobara
  • Toshiaki Ishiyama
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 8639)


Device drivers are under threat from targeted attacks known as Advanced Persistent Threats (APTs), since some device drivers handle industrial infrastructure systems and/or contain sensitive data, e.g., secret keys for disk encryption and passwords for authentication. Even when attacks on these systems are found, it is not easy to update the device drivers, since these systems are required to operate non-stop and the attacks are zero-day attacks. DriverGuard was developed to mitigate such problems. It is a lightweight hypervisor that can be inserted into a pre-installed OS (Windows) from USB memory at boot time. The memory regions holding sensitive data in the Windows kernel are protected by VM introspection and stealth breakpoints in the hypervisor. The hypervisor recognizes the memory structure of the guest OS through VM introspection and manipulates a page table entry (PTE) using the stealth breakpoint technique. DriverGuard prevents malicious write access to the code region, which causes a Blue Screen of Death in Windows, and malicious read and write access to the data region, which causes information leakage. The current implementation is applied to pre-installed Windows 7 and increases the security of device drivers from outside the OS.
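
The PTE-based protection summarized in the abstract can be pictured with the following user-space model in C. It is an added illustration, not DriverGuard's code and not taken from the paper; the access policy, the single-step re-arm sequence, and all names and addresses are assumptions made for the example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Added user-space model; not DriverGuard code. All names are hypothetical. */
#define PTE_PRESENT 0x1ull
enum access { ACC_READ, ACC_WRITE };
enum kind { REGION_CODE, REGION_DATA };

struct region {                      /* a range the hypervisor located by introspection */
    uint64_t start, end;             /* protected guest-virtual range [start, end) */
    uint64_t owner_start, owner_end; /* code range of the owning driver */
    enum kind kind;
    uint64_t pte;                    /* simulated page table entry */
};

/* Arm: clear Present so every access to the page faults into the hypervisor. */
void protect(struct region *r) { r->pte &= ~PTE_PRESENT; }

/* Assumed policy: code pages are never written; data pages are readable
 * and writable only by instructions inside the owning driver. */
bool policy_allows(const struct region *r, uint64_t rip, enum access a) {
    if (r->kind == REGION_CODE)
        return a != ACC_WRITE;
    return rip >= r->owner_start && rip < r->owner_end;
}

/* Fault path: true if the access may complete, false if it is blocked. */
bool handle_fault(struct region *r, uint64_t rip, uint64_t addr, enum access a) {
    if (addr < r->start || addr >= r->end || (r->pte & PTE_PRESENT))
        return true;                 /* not a protected page: leave it to the guest */
    if (!policy_allows(r, rip, a))
        return false;                /* entry stays non-present, access denied */
    r->pte |= PTE_PRESENT;           /* map the page for the one faulting instruction */
    /* a real hypervisor would single-step the guest here */
    r->pte &= ~PTE_PRESENT;          /* re-arm before the guest continues */
    return true;
}

int main(void) {
    /* Constructed addresses: driver code at 0x8000-0x9000, its key page at 0x1000. */
    struct region key = { 0x1000, 0x2000, 0x8000, 0x9000, REGION_DATA, 0x1000 | PTE_PRESENT };
    protect(&key);
    printf("driver read:   %d\n", handle_fault(&key, 0x8010, 0x1008, ACC_READ));
    printf("outsider read: %d\n", handle_fault(&key, 0x4000, 0x1008, ACC_READ));
    return 0;
}
```

Because the entry is non-present again after every permitted access, each later access is re-checked against the policy rather than only the first.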


Computer Security, Information Leakage, Virtual Machine Introspection, Stealth Breakpoints





Copyright information

© Springer International Publishing Switzerland 2014

Authors and Affiliations

  • Kuniyasu Suzaki (1)
  • Toshiki Yagi (1)
  • Kazukuni Kobara (1)
  • Toshiaki Ishiyama (2)

  1. National Institute of Advanced Industrial Science and Technology, Japan
  2. FFRI, Inc., Japan
