Checking virtual machine kernel control-flow integrity using a page-level dynamic tracing approach

Zhan, Dongyang; Ye, Lin; Fang, Binxing; Zhang, Hongli; Du, Xiaojiang

doi:10.1007/s00500-017-2745-x

Cited by 6 publications

(3 citation statements)

References 25 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Similarly, Dinaburg et al proposed the malware analysis framework Ether [14], which can trace the instruction execution, memory writes, and system calls. Zhan et al proposed the solution of kernel control flow integrity based on the virtualization [39], but it provided protections on the page-level check. In addition, Deng et al proposed the more stealthy binary instrumentation framework SPIDER [18], which can trap the target program by invisible breakpoints.…”

Section: Related Workmentioning

confidence: 99%

BAHK: Flexible Automated Binary Analysis Method with the Assistance of Hardware and System Kernel

Pan

Zhuang

Sun

2020

Security and Communication Networks

View full text Add to dashboard Cite

To protect core functions, applications often utilize the countermeasure techniques such as antidebugging to avoid analysis by outsiders, especially the malware. Dynamic binary instrumentation is commonly used in the analysis of binary programs. However, it can be easily detected and has stability and applicability problems as it involves program rewriting and just-in-time compilation. This paper proposes a new lightweight analysis method for binary programs with the assistance of hardware features and the operating system kernel, named BAHK, which can automatically analyze the target program by stealth and has wide applicability. With the support of underlying infrastructures, this paper designs several optimization strategies and specific analysis approaches at instruction level to reduce the impact of fine-grained analysis on the performance of target program so that it can be well applied in practice. The experimental results show that the proposed method has good stealthiness, low memory consumption, and positive user experience. In some cases, it shows better analysis performance than the traditional dynamic binary instrumentation method. Finally, the real case studies further show its feasibility and effectiveness.

show abstract

Section: Related Workmentioning

confidence: 99%

BAHK: Flexible Automated Binary Analysis Method with the Assistance of Hardware and System Kernel

Pan

Zhuang

Sun

2020

Security and Communication Networks

View full text Add to dashboard Cite

show abstract

“…With the development of virtual machine introspection (VMI) [4] technique, agentless security tools are widely be used because of the security and transparency features, such as virtual machine monitoring [20,21], virus analysis [22], etc. In addition, CloudVMI [23] provides the VMI service for cloud users.…”

Section: Related Workmentioning

confidence: 99%

A high-performance virtual machine filesystem monitor in cloud-assisted cognitive IoT

Zhan

Zhang

et al. 2018

Future Generation Computer Systems

Self Cite

View full text Add to dashboard Cite

Cloud-assisted Cognitive Internet of Things has powerful data analytics abilities based on the computing and data storage capabilities of cloud virtual machines, which makes protecting virtual machine filesystem very important for the whole system security. Agentless periodic filesystem monitors are optimal solutions to protect cloud virtual machines because of the secure and low-overhead features. However, most of the periodic monitors usually scan all of the virtual machine filesystem or protected files in every scanning poll, so lots of secure files are scanned again and again even though they are not corrupted. In this paper, we propose a novel agentless periodic filesystem monitor framework for virtual machines with different image formats to improve the performance of agentless periodic monitors. Our core idea is to minimize the scope of the scanning files in both file integrity checking and virus detection. In our monitor, if a file is considered secure, it will not be scanned when it has not been modified. Since our monitor only scans the newly created and modified files, it can check less files than other filesystem monitors. To that end, we propose two monitor methods for different types of virtual machine disks to reduce the number of scanning files. For virtual machine with single disk image, we hook the backend driver to capture the disk modification information. For virtual machine with multiple copy-onwrite images, we leverage the copy-on-write feature of QCOW2 images to achieve the disk modification analysis. In 2 addition, our system can restore and remove the corrupted files. The experimental results show that our system is effective for both Windows and Linux virtual machines with different image formats and can reduce the number of scanning files and scanning time.

show abstract

“…Because of the isolation of the hypervisor, VMI‐based monitors are more secure and transparent. VMI technique is widely used for VM security, such as checking the control flow integrity,() protecting critical files, and monitoring processes. () With the development of cloud computing, many VMI‐based security tools are proposed to protect VMs in cloud.…”

Section: Related Workmentioning

confidence: 99%

SAVM: A practical secure external approach for automated in‐VM management

Zhan

Fang

et al. 2018

Concurrency and Computation

Self Cite

View full text Add to dashboard Cite

Summary In‐VM management is usually needed by cloud service providers for cloud management, which includes monitoring the in‐VM application running state, reconfiguring VM system settings, etc. In‐VM management is also very useful in green cloud computing, because it provides the abilities of in‐VM monitoring, VM reconfiguration, performance measurement, etc. Leveraging a shell or an in‐VM agent to manage VMs is faced with generality and security challenges. In this paper, we propose a secure automated in‐VM management approach, ie, SAVM, which likes a hypervisor‐based shell managing the VMs in an out‐of‐box way. To bridge the semantic gap, we reuse the target VM's system calls to process the semantic information automatically. More importantly, we introduce a secure instruction fetch approach to enhance the system security. As a result, SAVM does not rely on the target VM's kernel integrity. In addition, we also present a dummy process selection and a system call injection method to further enhance the system security and transparency. After the implementation, we evaluate the prototype. The experimental results show that SAVM can achieve most of the in‐VM management operations. Furthermore, SAVM can work correctly under the target VM attacked by several popular rootkits.

show abstract

Checking virtual machine kernel control-flow integrity using a page-level dynamic tracing approach

Cited by 6 publications

References 25 publications

BAHK: Flexible Automated Binary Analysis Method with the Assistance of Hardware and System Kernel

BAHK: Flexible Automated Binary Analysis Method with the Assistance of Hardware and System Kernel

A high-performance virtual machine filesystem monitor in cloud-assisted cognitive IoT

SAVM: A practical secure external approach for automated in‐VM management

Contact Info

Product

Resources

About