Secure and Robust Monitoring of Virtual Machines through Guest-Assisted Introspection

Carbone, Martim; Conover, Matthew; Montague, Bruce R.; Lee, Wenke

doi:10.1007/978-3-642-33338-5_2

Cited by 39 publications

(12 citation statements)

References 13 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…The implemented security monitor is external to the target machine, similarly to some recent literature [7], [8], [9]. By leveraging VMI and current FMA tools, we developed a novel Hypervisor-Based Introspection System (HyBIS) for protecting a Windows OS from stealth malware, in particular from rootkits.…”

Section: Contributionmentioning

confidence: 99%

HyBIS: Advanced Introspection for Effective Windows Guest Protection

Pietro¹,

Franzoni²,

Lombardi³

2017

ICT Systems Security and Privacy Protection

View full text Add to dashboard Cite

Abstract-Effectively protecting the Windows OS is a challenging task, since most implementation details are not publicly known. Windows has always been the main target of malwares that have exploited numerous bugs and vulnerabilities. Recent trusted boot and additional integrity checks have rendered the Windows OS less vulnerable to kernel-level rootkits. Nevertheless, guest Windows Virtual Machines are becoming an increasingly interesting attack target. In this work we introduce and analyze a novel Hypervisor-Based Introspection System (HyBIS) we developed for protecting Windows OSes from malware and rootkits. The HyBIS architecture is motivated and detailed, while targeted experimental results show its effectiveness. Comparison with related work highlights main HyBIS advantages such as: effective semantic introspection, support for 64-bit architectures and for latest Windows (8.x and 10), advanced malware disabling capabilities. We believe the research effort reported here will pave the way to further advances in the security of Windows OSes.

show abstract

Section: Contributionmentioning

confidence: 99%

HyBIS: Advanced Introspection for Effective Windows Guest Protection

Pietro¹,

Franzoni²,

Lombardi³

2017

ICT Systems Security and Privacy Protection

View full text Add to dashboard Cite

show abstract

“…For example, [Srinivasan et al 2011] present a technique called process out-grafting, which relocates a suspect process from inside a VM to run side-by-side with the out-of-box VM. SYRINGE [Carbone et al 2012] protects the monitoring application by moving it in a separate VM where it can invoke guest functions using function-call injection. Another solution is Virtuoso [Dolan-Gavitt et al 2011], which is an approach to automatically creating introspection tools.…”

Section: Using An Admin Vm For Protectionmentioning

confidence: 99%

Evolution of Attacks, Threat Models, and Solutions for Virtualized Systems

Sgandurra

Lupu

2016

ACM Comput. Surv.

View full text Add to dashboard Cite

Virtualization technology enables Cloud providers to efficiently use their computing services and resources. Even if the benefits in terms of performance, maintenance, and cost are evident, virtualization has also been exploited by attackers to devise new ways to compromise a system. To address these problems, research security solutions have considerably evolved over the years to cope with new attacks and threat models. In this work we review the protection strategies proposed in the literature and show how some of the solutions have been invalidated by new attacks, or threat models, that were previously not considered. The goal is to show the evolution of the threats, and of the related security and trust assumptions, in virtualized systems which have given rise to complex threat models and the corresponding sophistication of protection strategies to deal with such attacks. We also categorize threat models, security and trust assumptions, and attacks against a virtualized system at the different layers, in particular hardware, virtualization, OS, application.

show abstract

“…Any malicious agent inside the VM is unable to predict which guest process has been replaced and thus the injected code can run without detection. Rather than implant a complete process, SYRINGE [30] implants functions into the kernel, which can be called from the VM.…”

Section: B Code Implantingmentioning

confidence: 99%

“…Ensuring CFI is a broad problem with a range of techniques. For instance, Program Shepherding [59] protects the integrity of implanted functions [30] ( §III-B), using a machine code interpreter to monitor all control transfers and guarantee that each transfer satisfies a given security policy. Discovering efficient CFI mechanisms is a relevant, but complimentary problem to VMI.…”

Section: Kernel Executable Integritymentioning

confidence: 99%

SoK: Introspections on Trust and the Semantic Gap

Jain

Baig

Zhang

et al. 2014

2014 IEEE Symposium on Security and Privacy

View full text Add to dashboard Cite

Abstract-An essential goal of Virtual Machine Introspection (VMI) is assuring security policy enforcement and overall functionality in the presence of an untrustworthy OS. A fundamental obstacle to this goal is the difficulty in accurately extracting semantic meaning from the hypervisor's hardwarelevel view of a guest OS, called the semantic gap. Over the twelve years since the semantic gap was identified, immense progress has been made in developing powerful VMI tools.Unfortunately, much of this progress has been made at the cost of reintroducing trust into the guest OS, often in direct contradiction to the underlying threat model motivating the introspection. Although this choice is reasonable in some contexts and has facilitated progress, the ultimate goal of reducing the trusted computing base of software systems is best served by a fresh look at the VMI design space.This paper organizes previous work based on the essential design considerations when building a VMI system, and then explains how these design choices dictate the trust model and security properties of the overall system. The paper then observes portions of the VMI design space which have been under-explored, as well as potential adaptations of existing techniques to bridge the semantic gap without trusting the guest OS.Overall, this paper aims to create an essential checkpoint in the broader quest for meaningful trust in virtualized environments through VM introspection.

show abstract

Secure and Robust Monitoring of Virtual Machines through Guest-Assisted Introspection

Cited by 39 publications

References 13 publications

HyBIS: Advanced Introspection for Effective Windows Guest Protection

HyBIS: Advanced Introspection for Effective Windows Guest Protection

Evolution of Attacks, Threat Models, and Solutions for Virtualized Systems

SoK: Introspections on Trust and the Semantic Gap

Contact Info

Product

Resources

About