Abstract
Recently, leveraging a hypervisor to inspect a Windows OS, known as VM introspection, has been proposed. In this paper, we propose a thin debugging layer that addresses several shortcomings of current VM introspection. First, out-of-the-box monitoring has not been developed for complicated events such as registry access in Windows OS. Second, logging inside the guest OS is resource-intensive and therefore detectable. Third, shared memory must be prepared for notifying events, which makes the system complicated. To solve these problems, we embed a simple debug register manipulation inside the guest VM and modify the corresponding handler in the hypervisor. In the proposed system, we change only a few general-purpose and debug registers to cope with highly frequent events, without allocating memory or generating file I/O. As a result, CPU, memory and I/O utilization can be drastically reduced compared with commodity logging software running inside Windows OS. In our experiment, we show the results of tracking registry access by malware running on Windows OS. The proposed system achieves the same function as ProcMon on Windows OS with reasonable resource utilization. In particular, we achieved reductions of more than 84% in memory usage and 97% in disk access compared with using ProcMon.
© 2011 Springer-Verlag Berlin Heidelberg
Cite this paper
Ando, R., Suzaki, K. (2011). A Lightweight Access Log Filter of Windows OS Using Simple Debug Register Manipulation. In: Kim, Th., Adeli, H., Fang, Wc., Villalba, J.G., Arnett, K.P., Khan, M.K. (eds) Security Technology. SecTech 2011. Communications in Computer and Information Science, vol 259. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-27189-2_23
DOI: https://doi.org/10.1007/978-3-642-27189-2_23
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-27188-5
Online ISBN: 978-3-642-27189-2