Hypervisor-Based White Listing of Executables

Leon, Roee; Kiperberg, Michael; Zabag, Anat Anatey Leon; Resh, Amit; Algawi, Asaf; Zaidenberg, Nezer Jacob

doi:10.1109/msec.2019.2910218

Cited by 9 publications

(3 citation statements)

References 4 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…However, the threat model often assumes that the kernel code is not to be trusted. Our method can be extended with a kernel integrity verification method (Leon et al 2018). Because the performance impact of the method described in (Leon et al 2018) is negligible, we believe the combination with our method will not yield a significant performance loss.…”

Section: Kernel Integritymentioning

confidence: 99%

Hypervisor-assisted dynamic malware analysis

et al. 2021

Self Cite

View full text Add to dashboard Cite

Malware analysis is a task of utmost importance in cyber-security. Two approaches exist for malware analysis: static and dynamic. Modern malware uses an abundance of techniques to evade both dynamic and static analysis tools. Current dynamic analysis solutions either make modifications to the running malware or use a higher privilege component that does the actual analysis. The former can be easily detected by sophisticated malware while the latter often induces a significant performance overhead. We propose a method that performs malware analysis within the context of the OS itself. Furthermore, the analysis component is camouflaged by a hypervisor, which makes it completely transparent to the running OS and its applications. The evaluation of the system’s efficiency suggests that the induced performance overhead is negligible.

show abstract

Section: Kernel Integritymentioning

confidence: 99%

Hypervisor-assisted dynamic malware analysis

et al. 2021

Self Cite

View full text Add to dashboard Cite

show abstract

“…In the specific domain of hypervisor technologies, [13] suggested a monitoring technique that can keep executables in check throughout runtime. Two modes of operations are proposed: user mode and kernel mode.…”

Section: B Runtime Security Monitoringmentioning

confidence: 99%

A Runtime Security Monitoring Architecture for Embedded Hypervisors

Hui,

McLaughlin,

Siddiqui

et al. 2023

2023 IEEE 36th International System-on-Chip Conference (SOCC)

View full text Add to dashboard Cite

Technical advances in automation, embedded hardware and virtualization nurtured the rapid development of safety-critical embedded systems. Avionic and Automotive are two of the domains that have seen significant development in recent years. However, the consideration of security of these embedded controllers often lags behind other functional improvements. This paper presents a brief threat landscape of embedded controllers and proposes a runtime security monitoring architecture aiming to protect these systems against threats that emerge during runtime. To facilitate rapid prototyping and encourage correct adaptation of security, similar to software development toolchains that guide development, the proposed architecture aims to provide a means for security monitoring that can be applicable to generic platforms.

show abstract

“…Leon et al [28] proposed a system that prevents the execution of unauthorized code in user mode. This system is also based on a thin hypervisor.…”

Section: Related Workmentioning

confidence: 99%

H-KPP: Hypervisor-Assisted Kernel Patch Protection

Kiperberg

Zaidenberg

2022

Applied Sciences

Self Cite

View full text Add to dashboard Cite

We present H-KPP, hypervisor-based protection for kernel code and data structures. H-KPP prevents the execution of unauthorized code in kernel mode. In addition, H-KPP protects certain object fields from malicious modifications. H-KPP can protect modern kernels equipped with BPF facilities and loadable kernel modules. H-KPP does not require modifying or recompiling the kernel. Unlike many other systems, H-KPP is based on a thin hypervisor and includes a novel SLAT switching mechanism, which allows H-KPP to achieve very low (≈6%) performance overhead compared to baseline Linux.

show abstract

Hypervisor-Based White Listing of Executables

Cited by 9 publications

References 4 publications

Hypervisor-assisted dynamic malware analysis

Hypervisor-assisted dynamic malware analysis

A Runtime Security Monitoring Architecture for Embedded Hypervisors

H-KPP: Hypervisor-Assisted Kernel Patch Protection

Contact Info

Product

Resources

About