A Lightweight Access Log Filter of Windows OS Using Simple Debug Register Manipulation

  • Conference paper
Security Technology (SecTech 2011)

Part of the book series: Communications in Computer and Information Science ((CCIS,volume 259))

Abstract

Recently, the use of a hypervisor to inspect a Windows OS, called VM introspection, has been proposed. In this paper, we propose a thin debugging layer that addresses several problems of current VM introspection. First, out-of-the-box monitoring has not been developed for complicated events such as registry access on Windows OS. Second, logging inside the guest OS is resource-intensive and therefore detectable. Third, shared memory has to be prepared for notifying events, which makes the system complicated. To solve these problems, we embed a simple debug register manipulation inside the guest VM and modify the corresponding handler in the hypervisor. In the proposed system, we change only a few general-purpose and debug registers to cope with highly frequent events, without allocating memory or generating file I/O. As a result, CPU, memory and I/O utilization can be drastically reduced compared with commodity logging software running inside Windows OS. In our experiment, we show the result of tracking the registry accesses of malware running on Windows OS. The proposed system achieves the same function as ProcMon on Windows OS with reasonable resource utilization. In particular, we achieved more than 84% reduction in memory usage and 97% reduction in disk access compared with using ProcMon.

Copyright information

© 2011 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Ando, R., Suzaki, K. (2011). A Lightweight Access Log Filter of Windows OS Using Simple Debug Register Manipulation. In: Kim, Th., Adeli, H., Fang, Wc., Villalba, J.G., Arnett, K.P., Khan, M.K. (eds) Security Technology. SecTech 2011. Communications in Computer and Information Science, vol 259. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-27189-2_23

  • DOI: https://doi.org/10.1007/978-3-642-27189-2_23

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-27188-5

  • Online ISBN: 978-3-642-27189-2
