Bridging the Semantic Gap in Virtual Machine Introspection via Online Kernel Data Redirection

Published: 01 September 2013

Abstract

Developing a virtual machine introspection (VMI) tool is generally considered a tedious, time-consuming, and error-prone process because of the semantic gap. Recent advances show that the semantic gap can be largely narrowed by reusing the code executed by a trusted OS kernel. However, such an approach only reuses the code exercised during a training process, and therefore suffers from code-coverage problems. In this article, we present Vmst, a new technique that seamlessly bridges the semantic gap and automatically generates VMI tools. The key idea is that, through system-wide instruction monitoring, Vmst automatically identifies introspection-related data in a secure-VM and redirects accesses to that data, online and without any training, to the kernel memory of a product-VM. Vmst offers a number of new features and capabilities. In particular, it enables an in-VM inspection program (e.g., ps) to automatically become an out-of-VM introspection program. We have tested Vmst with over 25 commonly used utilities on top of a number of different OS kernels, including Linux and Microsoft Windows. The experimental results show that our technique is general (largely OS-independent), and that it introduces on average 9.3X overhead for Linux utilities and 19.6X overhead for Windows utilities for the introspected program, compared to native in-VM execution without data redirection.



Published In

ACM Transactions on Information and System Security, Volume 16, Issue 2, September 2013, 120 pages.
ISSN: 1094-9224
EISSN: 1557-7406
DOI: 10.1145/2516951
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].

Publisher

Association for Computing Machinery, New York, NY, United States

Publication History

Published: 01 September 2013
Accepted: 01 June 2013
Revised: 01 April 2013
Received: 01 December 2012
Published in TISSEC Volume 16, Issue 2


Qualifiers

  • Research-article
  • Research
  • Refereed

Cited By

  • (2023) Travelling the Hypervisor and SSD: A Tag-Based Approach Against Crypto Ransomware with Fine-Grained Data Recovery. Proceedings of the 2023 ACM SIGSAC Conference on Computer and Communications Security, 341-355. DOI: 10.1145/3576915.3616665. Online publication date: 15-Nov-2023.
  • (2022) Implementation of Block-Level Double Encryption Based on Machine Learning Techniques for Attack Detection and Prevention. Wireless Communications & Mobile Computing, 2022. DOI: 10.1155/2022/4255220. Online publication date: 1-Jan-2022.
  • (2018) Leveraging KVM Events to Detect Cache-Based Side Channel Attacks in a Virtualization Environment. Security and Communication Networks, 2018. DOI: 10.1155/2018/4216240. Online publication date: 1-Jan-2018.
  • (2018) Who Watches the Watchmen. ACM Computing Surveys 51(4), 1-34. DOI: 10.1145/3199673. Online publication date: 13-Jul-2018.
  • (2018) Hyperagents. Proceedings of the Eighth ACM Conference on Data and Application Security and Privacy, 212-223. DOI: 10.1145/3176258.3176317. Online publication date: 13-Mar-2018.
  • (2018) Automated multi-level malware detection system based on reconstructed semantic view of executables using machine learning techniques at VMM. Future Generation Computer Systems 79(P1), 431-446. DOI: 10.1016/j.future.2017.06.002. Online publication date: 1-Feb-2018.
  • (2015) A Survey on Hypervisor-Based Monitoring. ACM Computing Surveys 48(1), 1-33. DOI: 10.1145/2775111. Online publication date: 10-Aug-2015.
  • (2014) Mixed-Mode Malware and Its Analysis. Proceedings of the 4th Program Protection and Reverse Engineering Workshop, 1-12. DOI: 10.1145/2689702.2689703. Online publication date: 9-Dec-2014.
