Michael Kiperberg scite author profile

2011

Truly-Protect: An Efficient VM-Based Software Protection

Averbuch

2013

IEEE Systems Journal

Abstract-We present Truly-Protect that is a software protection method. Previously published protection methods relied solely on obscurity. Rolles proposed a general approach for breaking systems that are based on obscurity. We show that, under certain assumptions, Truly-Protect is resistant not only to Rolles' attack but also to any other attacks that do not violate the assumptions. Truly-Protect is based on a virtual machine that enables us to execute encrypted programs. Truly-Protect can serve as a platform for preventing software piracy of obtaining unlicensed copies. Truly-Protect by itself is not a digital rights management system but can form a basis for such a system. We discuss several scenarios and implementations and validate the performance penalty of our protection. A preliminary version of this paper appeared in the 5th International Conference on Network and System Security (NSS2011). It was extended by expanding the system's description, adding more efficient parallel implementation, just-in-time decryption, and a comprehensive performance analysis. It also contains all the necessary proofs.

show abstract

Hypervisor Memory Introspection and Hypervisor Based Malware Honeypot

Yehuda

et al. 2020

Hypervisor-assisted Atomic Memory Acquisition in Modern Systems

Leon

Resh

et al. 2019

Modern Blue Pills and Red Pills

Algawi

Leon

et al. 2020

This article presents the concept of blue pill, a stealth hypervisor-based rootkit, that was introduced by Joanna Rutkowska in 2006. The blue pill is a malicious thin hypervisor-based rootkit that takes control of the victim machine. Furthermore, as the blue pill does not run under the operating system context, the blue pill is very difficult to detect easily. The red pill is the competing concept (i.e., a forensics software that runs on the inspected machine and detects the existence of malicious hypervisor or blue pill). The concept of attestation of a host ensuring that no hypervisor is running was first introduced by Kennel and Jamieson in 2002. Modern advances in hypervisor technology and hardware-assisted virtualization enables more stealth and detection methods. This article presents all the recent innovation in stealth blue pills and forensics red pills.

show abstract

Efficient DLP-visor: An efficient hypervisor-based DLP

Amit

Yeshooroon

et al. 2021

Remote Attestation of Software and Execution-Environment in Modern Machines

Resh

2015