SoK: Introspections on Trust and the Semantic Gap

Jain, Bhushan; Baig, Mirza Basim; Zhang, Dongli; Porter, Donald E.; Sion, Radu

doi:10.1109/sp.2014.45

Cited by 84 publications

(37 citation statements)

References 62 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…By bridging the semantic gap within the SMI handler, we can ascertain the state of the thread executing in Protected Mode. This is similar to Virtual Machine Introspection (VMI) systems [47]. We need to continue our analysis in the SMI handler only if the SMRAM state belongs to a thread we are interested in debugging.…”

Section: B Debugging Servermentioning

confidence: 99%

Using Hardware Features for Increased Debugging Transparency

Zhang

Leach

Stavrou

et al. 2015

2015 IEEE Symposium on Security and Privacy

View full text Add to dashboard Cite

Abstract-With the rapid proliferation of malware attacks on the Internet, understanding these malicious behaviors plays a critical role in crafting effective defense. Advanced malware analysis relies on virtualization or emulation technology to run samples in a confined environment, and to analyze malicious activities by instrumenting code execution. However, virtual machines and emulators inevitably create artifacts in the execution environment, making these approaches vulnerable to detection or subversion. In this paper, we present MALT, a debugging framework that employs System Management Mode, a CPU mode in the x86 architecture, to transparently study armored malware. MALT does not depend on virtualization or emulation and thus is immune to threats targeting such environments. Our approach reduces the attack surface at the software level, and advances state-of-the-art debugging transparency. MALT embodies various debugging functions, including register/memory accesses, breakpoints, and four stepping modes. We implemented a prototype of MALT on two physical machines, and we conducted experiments by testing an array of existing anti-virtualization, anti-emulation, and packing techniques against MALT. The experimental results show that our prototype remains transparent and undetected against the samples. Furthermore, our prototype of MALT introduces moderate but manageable overheads on both Windows and Linux platforms.

show abstract

Section: B Debugging Servermentioning

confidence: 99%

Using Hardware Features for Increased Debugging Transparency

Zhang

Leach

Stavrou

et al. 2015

2015 IEEE Symposium on Security and Privacy

View full text Add to dashboard Cite

show abstract

“…Over the past few years, concrete contributions to VMI have been made, and various methods have been suggested to inspect VM data from the outside [22][23][24]. As mentioned above, the difficulty in interpreting the lowlevel bits and bytes of a VM into the high-level semantic state of a guest OS is called the "semantic gap problem" [25][26][27][28]. It is very difficult to derive a complete view of a guest OS from outside a GM without knowledge of the hardware architecture or guest OS [29].…”

Section: Vmi-based Malwarementioning

confidence: 99%

Secure Virtualization Environment Based on Advanced Memory Introspection

Zhang

Meng

Wang

et al. 2018

Security and Communication Networks

View full text Add to dashboard Cite

Most existing virtual machine introspection (VMI) technologies analyze the status of a target virtual machine under the assumption that the operating system (OS) version and kernel structure information are known at the hypervisor level. In this paper, we propose a model of virtual machine (VM) security monitoring based on memory introspection. Using a hardware-based approach to acquire the physical memory of the host machine in real time, the security of the host machine and VM can be diagnosed. Furthermore, a novel approach for VM memory forensics based on the virtual machine control structure (VMCS) is put forward. By analyzing the memory of the host machine, the running VMs can be detected and their high-level semantic information can be reconstructed. Then, malicious activity in the VMs can be identified in a timely manner. Moreover, by mutually analyzing the memory content of the host machine and VMs, VM escape may be detected. Compared with previous memory introspection technologies, our solution can automatically reconstruct the comprehensive running state of a target VM without any prior knowledge and is strongly resistant to attacks with high reliability. We developed a prototype system called the VEDefender. Experimental results indicate that our system can handle the VMs of mainstream Linux and Windows OS versions with high efficiency and does not influence the performance of the host machine and VMs.

show abstract

“…This problem has been a main motivation for a significant portion of research over the last decade. However, with recent advances in forensics tools, the semantic gap problem can be considered a solved engineering problem [21].…”

Section: Intrusion Detection and Analysismentioning

confidence: 99%

CloudIDEA: A Malware Defense Architecture for Cloud Data Centers

Fischer

Kittel

Kolosnjaji

et al. 2015

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Abstract. Due to the proliferation of cloud computing, cloud-based systems are becoming an increasingly attractive target for malware. In an Infrastructure-as-a-Service (IaaS) cloud, malware located in a customer's virtual machine (VM) affects not only this customer, but may also attack the cloud infrastructure and other co-hosted customers directly. This paper presents CloudIDEA, an architecture that provides a security service for malware defense in cloud environments. It combines lightweight intrusion monitoring with on-demand isolation, evidence collection, and in-depth analysis of VMs on dedicated analysis hosts. A dynamic decision engine makes on-demand decisions on how to handle suspicious events considering cost-efficiency and quality-of-service constraints.

show abstract

SoK: Introspections on Trust and the Semantic Gap

Cited by 84 publications

References 62 publications

Using Hardware Features for Increased Debugging Transparency

Using Hardware Features for Increased Debugging Transparency

Secure Virtualization Environment Based on Advanced Memory Introspection

CloudIDEA: A Malware Defense Architecture for Cloud Data Centers

Contact Info

Product

Resources

About