
Asynchronous Pseudo Physical Memory Snapshot and Forensics on Paravirtualized VMM Using Split Kernel Module

  • Conference paper
Information Security and Cryptology - ICISC 2007 (ICISC 2007)

Part of the book series: Lecture Notes in Computer Science (LNCS, volume 4817)

Abstract

A VMM (virtual machine monitor) provides useful inspection and interposition of the guest OS. With proper modification of the guest OS and the VMM, we can obtain incident-driven memory snapshots for malicious code forensics. In this paper we propose asynchronous memory snapshot and forensics using a split kernel module. Our split kernel module handles a virtualized interruption, which notifies the backend of a security incident on the guest OS. On the frontend, we insert the virtualized interruption into the source code of the MAC (mandatory access control) module and other security modules. The backend kernel module then receives the interruption as an asynchronous incident notification. In the experiment, we take a RAM snapshot of an LKM-rootkit installation that uses system call extension. Frequently appearing strings are extracted in order to find the evidence memory blocks that were assigned to the LKM rootkit. We also show that the asynchronous snapshot enables us to find evidence of malicious software in the memory snapshot by simple string analysis in linear time.
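The last step of the abstract, extracting the frequently appearing strings of a RAM snapshot in one linear pass and mapping them back to the page-sized memory blocks that hold them, as an added Python example; this is not the paper's code, and the snapshot layout and the module string `example_hidden_lkm` are constructed here for illustration.

```python
import re
from collections import Counter, defaultdict

PAGE_SIZE = 4096
# Printable ASCII runs of at least four bytes, as the classic `strings` tool reports.
STRING_RE = re.compile(rb"[\x20-\x7e]{4,}")


def extract_strings(snapshot: bytes):
    """Yield (offset, string) for every printable run in the snapshot (single pass)."""
    for m in STRING_RE.finditer(snapshot):
        yield m.start(), m.group().decode("ascii")


def frequent_strings(snapshot: bytes, top_n: int = 5):
    """Rank strings by how often they appear anywhere in the snapshot."""
    return Counter(s for _, s in extract_strings(snapshot)).most_common(top_n)


def index_strings(snapshot: bytes, page_size: int = PAGE_SIZE):
    """Map each string to the list of page numbers it occurs in; O(len(snapshot))."""
    pages = defaultdict(list)
    for off, s in extract_strings(snapshot):
        pages[s].append(off // page_size)
    return pages


def locate_evidence(snapshot: bytes, min_count: int = 3, page_size: int = PAGE_SIZE):
    """Strings recurring at least min_count times, with the pages that hold them."""
    idx = index_strings(snapshot, page_size)
    return {s: sorted(set(p)) for s, p in idx.items() if len(p) >= min_count}


def build_snapshot() -> bytes:
    """Constructed eight-page pseudo physical memory image (not a real dump)."""
    pages = [bytearray(PAGE_SIZE) for _ in range(8)]

    def put(page, off, text):
        pages[page][off:off + len(text)] = text.encode("ascii")

    put(0, 0x100, "Linux version 2.6 (constructed)")   # benign, appears once
    put(1, 0x040, "swapper")
    put(3, 0x200, "sys_call_table")
    # Hypothetical module-private string referenced from several data structures.
    for page, offs in ((5, (0x010, 0x400, 0x800)), (6, (0x020, 0x900))):
        for off in offs:
            put(page, off, "example_hidden_lkm")
    return bytes(b"".join(pages))


if __name__ == "__main__":
    snap = build_snapshot()
    print(frequent_strings(snap))       # example_hidden_lkm ranks first with 5 hits
    print(locate_evidence(snap))        # {'example_hidden_lkm': [5, 6]}
```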



Editor information

Kil-Hyun Nam, Gwangsoo Rhee

Copyright information

© 2007 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Ando, R., Kadobayashi, Y., Shinoda, Y. (2007). Asynchronous Pseudo Physical Memory Snapshot and Forensics on Paravirtualized VMM Using Split Kernel Module. In: Nam, KH., Rhee, G. (eds) Information Security and Cryptology - ICISC 2007. ICISC 2007. Lecture Notes in Computer Science, vol 4817. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-76788-6_11

  • DOI: https://doi.org/10.1007/978-3-540-76788-6_11

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-540-76787-9

  • Online ISBN: 978-3-540-76788-6
