Process Implanting: A New Active Introspection Framework for Virtualization

Gu, Zhongshu; Deng, Zhui; Xu, Dongyan; Jiang, Xuxian

doi:10.1109/srds.2011.26

Cited by 56 publications

(27 citation statements)

References 16 publications

(17 reference statements)

Supporting

Mentioning

Contrasting

Order By: Relevance

“…For example, Process implanting [47] implants and executes a monitoring process within a randomly-selected process already present in the VM. Any malicious agent inside the VM is unable to predict which guest process has been replaced and thus the injected code can run without detection.…”

Section: B Code Implantingmentioning

confidence: 99%

SoK: Introspections on Trust and the Semantic Gap

Jain

Baig

Zhang

et al. 2014

2014 IEEE Symposium on Security and Privacy

View full text Add to dashboard Cite

Abstract-An essential goal of Virtual Machine Introspection (VMI) is assuring security policy enforcement and overall functionality in the presence of an untrustworthy OS. A fundamental obstacle to this goal is the difficulty in accurately extracting semantic meaning from the hypervisor's hardwarelevel view of a guest OS, called the semantic gap. Over the twelve years since the semantic gap was identified, immense progress has been made in developing powerful VMI tools.Unfortunately, much of this progress has been made at the cost of reintroducing trust into the guest OS, often in direct contradiction to the underlying threat model motivating the introspection. Although this choice is reasonable in some contexts and has facilitated progress, the ultimate goal of reducing the trusted computing base of software systems is best served by a fresh look at the VMI design space.This paper organizes previous work based on the essential design considerations when building a VMI system, and then explains how these design choices dictate the trust model and security properties of the overall system. The paper then observes portions of the VMI design space which have been under-explored, as well as potential adaptations of existing techniques to bridge the semantic gap without trusting the guest OS.Overall, this paper aims to create an essential checkpoint in the broader quest for meaningful trust in virtualized environments through VM introspection.

show abstract

Section: B Code Implantingmentioning

confidence: 99%

SoK: Introspections on Trust and the Semantic Gap

Jain

Baig

Zhang

et al. 2014

2014 IEEE Symposium on Security and Privacy

View full text Add to dashboard Cite

show abstract

“…Gu et al [25] implemented a similar technique and took various precautions to ensure the security of this technique. In the approach they used, all OS libraries needed by the monitoring process are compiled statically to avoid the use of guest VM libraries, which are possible baits for a malware.…”

Section: Every Monitoring Process Is Given Explicit Rootmentioning

confidence: 99%

“…The introspection technique rectified almost all security vulnerabilities detected with the process implantation technique Virtuoso [25]. Virtuoso restricts the selection of the monitoring process, and it can only use tools provided by the OS [25].…”

Section: Every Monitoring Process Is Given Explicit Rootmentioning

confidence: 99%

See 1 more Smart Citation

Virtual machine introspection: towards bridging the semantic gap

Tapaswi

2014

J Cloud Comp

View full text Add to dashboard Cite

Virtual machine introspection is a technique used to inspect and analyse the code running on a given virtual machine. Virtual machine introspection has gained considerable attention in the field of computer security research. In recent years, it has been applied in various areas, ranging from intrusion detection and malware analysis to complete cloud monitoring platforms. A survey of existing virtual machine introspection tools is necessary to address various possible research gaps and to focus on key features required for wide application of virtual machine introspection techniques. In this paper, we focus on the evolution of virtual machine introspection tools and their ability to address the semantic gap problem.

show abstract

“…Fu et al [14] proposed VMST tools that can automatically identify the introspection related data and redirect these data accesses to the in-guest kernel memory. Gu et al [33] presented a process implanting technique with the idea that, instead of inspecting the guest OS from the outside, it can implant a host process inside the guest OS and protect that process from the hypervisor. In this way, the implanted process can monitor the guest OS internally (as opposed to externally).…”

Section: A Virtual Machine Introspection (Vmi)mentioning

confidence: 99%

HyperLink: Virtual Machine Introspection and Memory Forensic Analysis without Kernel Source Code

Xiao

Lü

Wang

et al. 2016

2016 IEEE International Conference on Autonomic Computing (ICAC)

View full text Add to dashboard Cite

Abstract-Virtual Machine Introspection (VMI) is an approach to inspecting and analyzing the software running inside a virtual machine from the hypervisor. Similarly, memory forensics analyzes the memory snapshots or dumps to understand the runtime state of a physical or virtual machine. The existing VMI and memory forensic tools rely on up-to-date kernel information of the target operating system (OS) to work properly, which often requires the availability of the kernel source code. This requirement prevents these tools from being widely deployed in real cloud environments. In this paper, we present a VMI tool called HyperLink that partially retrieves running process information from a guest virtual machine without its source code. While current introspection and memory forensic solutions support only one or a limited number of kernel versions of the target OS, HyperLink is a one-for-many introspection and forensic tool, i.e., it supports most, if not all, popular OSes regardless of their versions. We implement both online and offline versions of HyperLink. We validate the efficacy of HyperLink under different versions of Linux, Windows, FreeBSD, and Mac OS X. For all the OSes we tested, HyperLink can successfully retrieve the process information in one minute or several seconds. Through online and offline analyses, we demonstrate that HyperLink can help users detect real-world kernel rootkits and play an important role in intrusion detection. Due to its version-agnostic property, HyperLink could become the first introspection and forensic tool that works well in autonomic cloud computing environments.

show abstract

Process Implanting: A New Active Introspection Framework for Virtualization

Cited by 56 publications

References 16 publications

SoK: Introspections on Trust and the Semantic Gap

SoK: Introspections on Trust and the Semantic Gap

Virtual machine introspection: towards bridging the semantic gap

HyperLink: Virtual Machine Introspection and Memory Forensic Analysis without Kernel Source Code

Contact Info

Product

Resources

About