Abstract:ABSTRACTA common application of virtual machines (VM) is to use and then throw away, basically treating a VM like a completely isolated and disposable entity. The disadvantage of this approach is that if there is no malicious activity, the user has to re-do all of the work in her actual workspace since there is no easy way to commit (i.e., merge) only the benign updates within the VM back to the host environment. In this work, we develop a VM commitment system called Secom to automatically eliminate malicious state changes when merging the contents of an OS-level VM to the host. Secom consists of three steps: grouping state changes into clusters, distinguishing between benign and malicious clusters, and committing benign clusters. Secom has three novel features. First, instead of relying on a huge volume of log data, it leverages OS-level information flow and malware behavior information to recognize malicious changes. As a result, the approach imposes a smaller performance overhead. Second, different from existing intrusion detection and recovery systems that detect compromised OS objects one by one, Secom classifies objects into clusters and then identifies malicious objects on a cluster by cluster basis. Third, to reduce the false positive rate when identifying malicious clusters, it simultaneously considers two malware behaviors that are of different types and the origin of the processes that exhibit these behaviors, rather than considers a single behavior alone as done by existing malware detection methods. We have successfully implemented Secom on the Feather-weight Virtual Machine (FVM) system, a Windows-based OS-level virtualization system. Experiments show that the prototype can effectively eliminate malicious state changes while committing a VM with small performance degradation. Moreover, compared with the commercial anti-malware tools, the Secom prototype has a smaller number of false negatives and thus can more thoroughly clean up malware side effects. In addition, the number of false positives of the Secom prototype is also lower than that achieved by the on-line behavior-based approach of the commercial tools.

Safe side effects commitment for OS-level virtualization.

Design and Implementation of SecPod, A Framework for Virtualization-Based Security Systems.

SEMMA: Secure Efficient Memory Management Approach in Virtual Environment.

On the effectiveness of virtualization-based security

Transparency and Semantics Coexist: When Malware Analysis Meets the Hardware Assisted Virtualization

A Protective Mechanism for the Access Control System in the Virtual Domain

Tamper-Resistant Execution in an Untrusted Operating System Using A Virtual Machine Monitor

VMInsight: Hardware Virtualization-Based Process Security Monitoring System

A Concurrent Security Monitoring Method for Virtualization Environments

VMScan: an Out-of-vm Malware Scanner

Secure Virtualization-Based Fine-Grained Process Execution Monitoring

Security Analysis of Virtual Machine Monitor

A Secure and Efficient Kernel Log Transfer Mechanism for Virtualization Environments.

Hiding "real" Machine from Attackers and Malware with a Minimal Virtual Machine Monitor

Inter-domain Communication Protocol for Real-time File Access Monitor of Virtual Machine

Hypervisor-based Protection of Sensitive Files in a Compromised System

SAVM: A Practical Secure External Approach for Automated In‐vm Management

The Application of Virtual Machines on System Security

Handling Anti-Virtual Machine Techniques in Malicious Software

A Safe Virtual Execution Environment Based on the Local Virtualization Technology

Research on Security Techniques Based on System Virtualization