ShadowMonitor: An Effective In-VM Monitoring Framework with Hardware-Enforced Isolation

Shi, Bin; Cui, Lei; Li, Bo; Li, Xudong; Hao, Zhiyu; Shen, Haiying

doi:10.1007/978-3-030-00470-5_31

Cited by 15 publications

(4 citation statements)

References 24 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Due to the memory isolation mechanism, the target kernel module may introduce considerable performance overhead when it interacts with OS kernel very frequently. To address this issue, we may make use of the new hardware feature [25] for efficient context switch without the VMM involvement. However, this solution may require some modifications to the target kernel module.…”

Section: Discussion and Limitationsmentioning

confidence: 99%

A Kernel Rootkit Detection Approach Based on Virtualization and Machine Learning

Tian

Jia

2019

IEEE Access

View full text Add to dashboard Cite

OS kernel is the core part of the operating system, and it plays an important role for OS resource management. A popular way to compromise OS kernel is through a kernel rootkit (i.e., malicious kernel module). Once a rootkit is loaded into the kernel space, it can carry out arbitrary malicious operations with high privilege. To defeat kernel rootkits, many approaches have been proposed in the past few years. However, existing methods suffer from some limitations: 1) most methods focus on user-mode rootkit detection; 2) some methods are limited to detect obfuscated kernel modules; and 3) some methods introduce significant performance overhead. To address these problems, we propose VKRD, a kernel rootkit detection system based on the hardware assisted virtualization technology. Compared with previous methods, VKRD can provide a transparent and an efficient execution environment for the target kernel module to reveal its run-time behavior. To select the important run-time features for training our detection models, we utilize the TF-IDF method. By combining the hardware assisted virtualization and machine learning techniques, our kernel rootkit detection solution could be potentially applied in the cloud environment. The experiments show that our system can detect windows kernel rootkits with high accuracy and moderate performance cost.

show abstract

Section: Discussion and Limitationsmentioning

confidence: 99%

A Kernel Rootkit Detection Approach Based on Virtualization and Machine Learning

Tian

Jia

2019

IEEE Access

View full text Add to dashboard Cite

show abstract

“…This limitation is shared by designs for secure hook insertion in a VM with a modified OS (e.g., [50], [51]), which are an alternative to invisible breakpoints. Recent developments in this area (e.g., [52], [53]) feature efficient isolation using the VMFUNC feature of VT extensions but introduce distinguishable code artifacts. Lately, the OASIS system [54] has made promising improvements in this direction.…”

Section: Other Related Workmentioning

confidence: 99%

Designing Robust API Monitoring Solutions

D’Elia

Nicchi

Mariani

et al. 2023

IEEE Trans. Dependable and Secure Comput.

View full text Add to dashboard Cite

Tracing the sequence of library calls and system calls that a program makes is very helpful to characterize its interactions with the surrounding environment and, ultimately, its semantics. However, due to the entanglements of real-world software stacks, accomplishing this task can be surprisingly challenging as we take accuracy, reliability, and transparency into the equation. In this article, we identify six challenges that API monitoring solutions should overcome in order to manage these dimensions effectively and outline actionable design points for building robust API tracers that can be used even for security research. We then detail and evaluate SNIPER, an open-source API tracing system available in two variants based on dynamic binary instrumentation (for simplified in-guest deployment) and hardware-assisted virtualization (realizing the first general user-space tracer of this kind), respectively.

show abstract

“…In fact, instead of relaxing permissions by walking the SLAT tables, altp2m allows switching to another, less restrictive view. Both external [29], [30] and internal monitors [26], [41] use altp2m to allocate and switch between views. Although altp2m introduces a powerful means to rapidly change the guest's memory view, it requires hardware support to establish primitives that can be used by guests for isolating selected memory regions.…”

Section: B the Xen Altp2m Subsystemmentioning

confidence: 99%

xMP: Selective Memory Protection for Kernel and User Space

Proskurin

Momeu

Ghavamnia

et al. 2020

2020 IEEE Symposium on Security and Privacy (SP)

View full text Add to dashboard Cite

Attackers leverage memory corruption vulnerabilities to establish primitives for reading from or writing to the address space of a vulnerable process. These primitives form the foundation for code-reuse and data-oriented attacks. While various defenses against the former class of attacks have proven effective, mitigation of the latter remains an open problem. In this paper, we identify various shortcomings of the x86 architecture regarding memory isolation, and leverage virtualization to build an effective defense against data-oriented attacks. Our approach, called xMP, provides (in-guest) selective memory protection primitives that allow VMs to isolate sensitive data in user or kernel space in disjoint xMP domains. We interface the Xen altp2m subsystem with the Linux memory management system, lending VMs the flexibility to define custom policies. Contrary to conventional approaches, xMP takes advantage of virtualization extensions, but after initialization, it does not require any hypervisor intervention. To ensure the integrity of in-kernel management information and pointers to sensitive data within isolated domains, xMP protects pointers with HMACs bound to an immutable context, so that integrity validation succeeds only in the right context. We have applied xMP to protect the page tables and process credentials of the Linux kernel, as well as sensitive data in various user-space applications. Overall, our evaluation shows that xMP introduces minimal overhead for real-world workloads and applications, and offers effective protection against data-oriented attacks.

show abstract

ShadowMonitor: An Effective In-VM Monitoring Framework with Hardware-Enforced Isolation

Cited by 15 publications

References 24 publications

A Kernel Rootkit Detection Approach Based on Virtualization and Machine Learning

A Kernel Rootkit Detection Approach Based on Virtualization and Machine Learning

Designing Robust API Monitoring Solutions

xMP: Selective Memory Protection for Kernel and User Space

Contact Info

Product

Resources

About