Exploring Efficient and Robust Virtual Machine Introspection Techniques

  • Conference paper

Part of the book series: Lecture Notes in Computer Science (LNTCS, volume 9530)

Abstract

When putting virtual machine introspection (VMI) into practice, administrators may be overwhelmed by dozens of research works. In particular, the introspection mechanisms they adopt perform differently with respect to various performance and security requirements. Moreover, most previous works do not clarify the boundary between the Trusted Computing Base (TCB) and attacks against introspection. This paper aims to help administrators determine the appropriate introspection approach. First, we summarize current VMI technologies and present a classification that depends mainly on whether hardware assistance is required, how the semantic gap problem is solved, and how introspection is triggered. Second, we discuss how to achieve a good trade-off between the two metrics of performance and security. Third, we propose a TCB threat model for employing VMI together with other enhancing mechanisms to counter attacks at different levels of the TCB. Finally, we discuss some future trends related to VMI for further improving security.
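The "semantic gap" the abstract refers to is the distance between the raw bytes a hypervisor can read out of a guest and the OS-level objects (processes, modules, sockets) an administrator actually wants to reason about. The following is an added example, not code from the paper, that makes that step concrete in the smallest form that still shows the security point: it reconstructs a guest's process list from a raw memory image in two independent ways (walking the kernel's own linked list, and brute-force scanning for task structures by signature) and reports any process present in memory but unlinked from the list. Everything about the guest is invented for the example: the task-struct layout, the direct-map base address, the `MAGIC` sentinel standing in for a real structural signature, and the sample process table with one DKOM-hidden entry.

```python
"""Added example: toy out-of-VM process-list introspection over a constructed
guest-memory image. The task layout, addresses and contents are invented."""
import struct

# --- Hypothetical guest-kernel "profile" (assumed layout, not a real kernel) ---
TASK_FMT = "<IIQQ16s"                  # magic, pid, next, prev, comm
TASK_SIZE = 64                         # allocation granularity of a task struct
MAGIC = 0x5441534B                     # 'TASK': stands in for a structural signature
KERNEL_VA_BASE = 0xFFFF880000000000    # guest kernel direct-map base (assumed)
INIT_TASK_VA = KERNEL_VA_BASE + 0x100  # where the list head (pid 1) lives
MEM_SIZE = 4 * 0x1000                  # size of the constructed guest image

# Constructed sample guest: pid 1337 is unlinked from the list (DKOM-hidden)
SAMPLE_TASKS = [(1, "init"), (2, "kthreadd"), (1337, "rootkit_shell"), (42, "sshd")]
SAMPLE_HIDDEN = {1337}


def va_to_pa(va):
    """Guest-virtual to guest-physical; the toy assumes a flat direct map."""
    if not KERNEL_VA_BASE <= va < KERNEL_VA_BASE + MEM_SIZE:
        raise ValueError("pointer outside guest kernel range: %#x" % va)
    return va - KERNEL_VA_BASE


def build_guest_memory(tasks, hidden):
    """Lay tasks out back to back. Visible ones form a circular doubly linked
    list; hidden ones stay resident in memory but point only at themselves."""
    mem = bytearray(MEM_SIZE)
    addrs = [INIT_TASK_VA + i * TASK_SIZE for i in range(len(tasks))]
    visible = [a for a, (pid, _) in zip(addrs, tasks) if pid not in hidden]
    for a, (pid, comm) in zip(addrs, tasks):
        if pid in hidden:
            nxt = prv = a
        else:
            j = visible.index(a)
            nxt = visible[(j + 1) % len(visible)]
            prv = visible[(j - 1) % len(visible)]
        struct.pack_into(TASK_FMT, mem, va_to_pa(a), MAGIC, pid, nxt, prv, comm.encode())
    return bytes(mem)


def read_task(mem, pa):
    """Decode one task struct at guest-physical offset pa using the profile."""
    magic, pid, nxt, prv, comm = struct.unpack_from(TASK_FMT, mem, pa)
    return magic, pid, nxt, prv, comm.rstrip(b"\0").decode("ascii", "replace")


def walk_task_list(mem, head_va, max_nodes=4096):
    """View 1: follow the kernel's own list, as an in-guest 'ps' would.
    Bounded so that a corrupted cycle cannot hang the monitor."""
    tasks = {}
    va = head_va
    for _ in range(max_nodes):
        magic, pid, nxt, _prv, comm = read_task(mem, va_to_pa(va))
        if magic != MAGIC:
            raise ValueError("list walk left task memory at %#x" % va)
        tasks[pid] = comm
        va = nxt
        if va == head_va:
            return tasks
    raise ValueError("task list does not return to its head")


def scan_for_tasks(mem):
    """View 2: brute-force scan for task structs by signature plus pointer
    invariants (in-range, TASK_SIZE-aligned), independent of list membership."""
    found = {}
    for pa in range(0, MEM_SIZE - struct.calcsize(TASK_FMT) + 1, 8):
        magic, pid, nxt, prv, comm = read_task(mem, pa)
        if magic != MAGIC:
            continue
        plausible = all(KERNEL_VA_BASE <= p < KERNEL_VA_BASE + MEM_SIZE
                        and (p - KERNEL_VA_BASE) % TASK_SIZE == 0
                        for p in (nxt, prv))
        if plausible:
            found[pid] = comm
    return found


def detect_hidden(mem, head_va):
    """Cross-view check: anything the scan sees that the list walk does not."""
    return sorted(set(scan_for_tasks(mem)) - set(walk_task_list(mem, head_va)))


if __name__ == "__main__":
    image = build_guest_memory(SAMPLE_TASKS, SAMPLE_HIDDEN)
    print("listed :", walk_task_list(image, INIT_TASK_VA))
    print("scanned:", scan_for_tasks(image))
    print("hidden :", detect_hidden(image, INIT_TASK_VA))
```

Two things the example makes visible that the abstract only names. The performance side: the list walk touches a handful of structs, while the signature scan reads every 8-byte-aligned offset of the image, which is the cost of not trusting the guest's bookkeeping. The security side: both views are only as good as the profile (`TASK_FMT`, `MAGIC`, the alignment invariant) that the monitor assumes about the guest kernel, so an attacker who can alter how the guest lays out or uses those structures attacks the introspection itself rather than hiding from it; that dependence is exactly why the abstract insists on stating where the TCB ends and attacks against introspection begin.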

Notes

  1. A hypervisor is also referred to as a “Virtual Machine Monitor” (VMM); we do not differentiate between the two terms in this paper.

Acknowledgement

We would like to thank the anonymous reviewers for their valuable comments and help in improving this paper. This work is supported by China National Key Technology Support Program (2012BAH46B02).

Author information

Corresponding author

Correspondence to Zhiyu Hao.

Copyright information

© 2015 Springer International Publishing Switzerland

About this paper

Cite this paper

Wang, C., Yun, X., Hao, Z., Cui, L., Han, Y., Zou, Q. (2015). Exploring Efficient and Robust Virtual Machine Introspection Techniques. In: Wang, G., Zomaya, A., Martinez, G., Li, K. (eds) Algorithms and Architectures for Parallel Processing. ICA3PP 2015. Lecture Notes in Computer Science, vol. 9530. Springer, Cham. https://doi.org/10.1007/978-3-319-27137-8_32

  • DOI: https://doi.org/10.1007/978-3-319-27137-8_32

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-27136-1

  • Online ISBN: 978-3-319-27137-8