Zheyuan Liu,Dejun Mu

2012-01-01

Journal of Xidian University

Abstract:Computer malware has forced the transfer of the traditional in-host security tools to the development of VMM-based solutions which isolate the anti-malware software from untrusted systems.However,the inherent semantic gap poses a great challenge in supporting existing monitoring tools.In this paper,we present a process transferring method for fine-grained process execution monitoring to address both isolation and compatibility problems.Also by redirecting system calls invoked by the suspect process we guarantee the execution flow of the transferred process.Evaluation results show its effectiveness and feasibility with a tiny influence on the system.

XIANG Guo-Fu,JIN Hai,ZOU De-Qing,CHEN Xue-Guang

DOI: https://doi.org/10.3724/sp.j.1001.2012.04219

2012-01-01

Journal of Software

Abstract:In recent years, virtualization technology is the novel trendy of computer architecture, and it provides a solution for security monitoring.Due to the highest privilege and the smaller trusted computing base of virtual machine monitor, security tools, deployed in an isolated virtual machine, can inspect the target virtual machine with the help of virtual machine monitor.This approach can enhance the effectiveness and anti-attack ability of security tools.From the aspect of the implementation technologies, existing research works can be classified into internal monitoring and external monitoring.According to the different targets, the related works about virtualization-based monitoring are introduced in this paper in detail, such as intrusion detection, honeypot, file integrity monitoring, malware detection and analysis, security monitoring architecture and the generality of monitoring.Finally, this paper summarizes the shortcomings of existing works, and presents the future research directions.It is significant for virtualization research and security monitoring research.

Jianhua Che,Qinming He,Qinghua Gao,Dawei Huang

DOI: https://doi.org/10.1109/euc.2008.127

2008-01-01

Abstract:With its growth and wide applications, virtualization has come through a revival in computer system community. Virtualization offers a lot of benefits including flexibility, security, ease to configuration and management, reduction of cost and so forth, but at the same time it also brings a certain degree of performance overhead. Furthermore, virtual machine monitor (VMM) is the core component of virtual machine (VM) system and its effectiveness greatly impacts the performance of whole system. In this paper, we measure and analyze the performance of two open source virtual machine monitors-Xen and KVM using LINPACK, LMbench and IOzone, and provide a quantitative and qualitative comparison of both virtual machine monitors.

Xueyuan Yin,Xingshu? Chen,Shusong Tao,Lin Chen

DOI: https://doi.org/10.13232/j.cnki.jnju.2019.02.007

2019-01-01

Abstract:To solve the problem of user virtual machine monitoring in cloud environment,a virtual machine security monitoring method based on real time online analysis of virtual machine memory was proposed.With high privilege of the virtualization layer,virtual machine memory could be obtained outside of virtual machines online transparently. By using the memory analysis mechanism derived from the field of internal forensics,the semantic knowledge of virtual machine memory can be revealed by analyzing some important kernel structures of the virtual machine memory online in the virtualization layer,which effectively solves the semantic gap between the virtual machine and the virtualization layer and leads to achieving fine granularity of information monitoring of virtual machines.Because the monitoring code is under the virtualization layer,outside of the monitored virtual machine and isolated from virtual machine internal codes by the virtualization mechanism,there is no need to deploy monitoring agents in the users’virtual machine.Therefore,any malicious code inside the virtual machine can not bypass and destroy the security monitoring code under the virtualization layer and the transparency and security of the method is improved. The experimental results show that the method can provide a cloud security monitoring service for virtual machines at lower performance cost with agentless.

Xianxian Li,Changhui Jiang,Jianxin Li,Bo Li

DOI: https://doi.org/10.1109/NCIS.2011.21

2011-01-01

Abstract:Malicious software is one of the primary threats to information system on Internet, while the traditional host-based and network-based monitoring systems are vulnerable to prevent the malicious behavior of software because most current malicious software is capable of resisting security monitoring. Virtualization technology gives an impactful approach to monitoring the behavior of malicious software since it can provide an abstraction layer between the operating system and the hardware. In this paper, we propose a hardware-virtualization-based security monitor system named VMInsight, which can provide load-time and run-time monitoring for processes. VMInsight intercepts system calls and process behaviors by monitoring changes in the virtual machine CPU register, and it is implemented in the hyper visor, thus is completely transparent to the software and operating system running in the virtual machine. The experimental results show that the performance overhead of VMInsight is less than 10%, and it can be easily applied to the third-party security monitoring system.

Nan Li,Bo Li,Jianxin Li,Tianyu Wo,Jinpeng Huai

DOI: https://doi.org/10.1109/HPCC.and.EUC.2013.194

2013-01-01

Abstract:Cloud computing service has been evolved in providing a whole virtual data center from selling scattered virtual machines (VMs). Process Monitoring of a VM is a fundamental feature to guarantee the security of the virtual data center because of the rapid growth of the malware. Existing approaches are mainly based on virtual machine introspection (VMI) technique to isolate the monitor out-of-vm and designed to inspect the VM internal processes. However, few of them consider the real time control of process execution in the VMs, such as process termination or files operation conducted by the process. Early VMI-based solutions relied on some specific OS kernel data structures, so they need to know the OS information in advance instead of identifying the OS version at runtime for operating system compatible. In this paper, we propose a novel out-of-the-box process monitor named vMON, which can not only identify different guest OS versions and reconstruct rich semantic information for the target VM processes at runtime, but also control the behaviors of processes with fine granularity. In addition, vMON provides uniform programming interfaces to support the development of application-level security tools. A prototype of vMON has been implemented in kernel-based virtual machine (KVM) hypervisor, and its effectiveness and performance have also been evaluated through several experiments. The results show that vMON can successfully identify, analyze and control the behaviors of the processes in Guest OS with acceptable performance overhead. vMon incurs 0.74%similar to 10.20% I/O overhead and 0.003s average interface return time.

Ding Shun,Li Minglu,Weng Chuliang,Liu Qian

DOI: https://doi.org/10.3969/j.issn.1000-386X.2012.06.015

2012-01-01

Abstract:As virtualization is widely applied to various fields such as cloud computing,it gradually becomes a target that various malicious attacks aim at.The runtime security of virtual machines is of the most importance.Aiming at this problem,a monitoring scheme suitable for virtualized environments is proposed.Moreover a security monitoring prototype system of a virtual machine is implemented in Xen.With this scheme,a privileged virtual machine can execute dynamic and customized monitoring upon the massive client virtual machines hosted in a same physical machine.Particularly,this system is very effective at detecting rootkits inside OS kernels.The security monitoring scheme can effectively increase the security not only of client virtual machines but also of the whole VM system.

Chaoyuan Cui,Yun Wu,Ping Li,Rujing Wang

DOI: https://doi.org/10.2991/ccis-13.2013.59

2013-01-01

Abstract:With the development of the Cloud computing, more and more people are accustomed to resource sharing or online shopping. And malware has become a major threat to the Cloud safety. Process hiding is a powerful technique commonly used by stealthy malware to evade detection by anti-malware. In this paper, we present a novel approach called VMPmonitor-an efficient modularity approach for hidden process detection. With the help of the guest OS register information (mainly the ESP) collected by virtual machine monitor, VMPmonitor can implicitly capture the hidden process information of target guest OS. Compared to other approaches, VMPmonitor obtains guest process information implicitly. Using implicit information reduces its susceptibility to guest evasion attack. Experimental result shows that VMPmonitor has better reliability and accuracy.

Ying Wang,Chunming Hu,Bo Li

DOI: https://doi.org/10.1109/hase.2011.41

2011-01-01

Abstract:Recently, "rootkit" becomes a popular hacker malware on the Internet, which controls the hosts on the Internet by hiding itself, and raises a serious security threat. Existing host-based and hardware-based solutions have some disadvantages, such as hardware overhead and being discovered by root kits, where the development of virtualization technology provides a better solution to avoid those. Virtual machine monitor has the highest authority on the virtual machine, and has the right to control the activities in the virtual machine without being found by root kits in the virtual machines. We propose VM Detector based on this hardware virtualization technology, using multi-view detection mechanism, to detect hidden processes inside the virtual machine on many aspects, then to improve the virtual machine's security. Through several experiments, VM Detector carried on the process detection effectively, and introduced less than 10% performance overhead.

Tian Donghai,Jia Xiaoqi,Chen Junhua,Hu Changzhen

DOI: https://doi.org/10.1109/cc.2016.7405709

2016-01-01

Abstract:Recently, virtualization technologies have been widely used in industry. In order to monitor the security of target systems in virtualization environments, conventional methods usually put the security monitoring mechanism into the normal functionality of the target systems. However, these methods are either prone to be tempered by attackers or introduce considerable performance overhead for target systems. To address these problems, in this paper, we present a concurrent security monitoring method which decouples traditional serial mechanisms, including security event collector and analyzer, into two concurrent components. On one hand, we utilize the SIM framework to deploy the event collector into the target virtual machine. On the other hand, we combine the virtualization technology and multi-core technology to put the event analyzer into a trusted execution environment. To address the synchronization problem between these two concurrent components, we make use of Lamport's ring buffer algorithm. Based on the Xen hypervisor, we have implemented a prototype system named COMO. The experimental results show that COMO can monitor the security of the target virtual machine concurrently within a little performance overhead.

Min Zhu,Miao Yu,Mingyuan Xia,Bingyu Li,Peijie Yu,Shang Gao,Zhengwei Qi,Liang Liu,Ying Chen,Haibing Guan

DOI: https://doi.org/10.1145/1982185.1982305

2011-01-01

Abstract:Numerous operating systems have been designed to manage and control system resources with large and complicated features, so they need high security protection. However, previous security applications can not provide adequate protection due to the untrusted execution environment. Furthermore, these security strategies cannot support a universal cross-platform system security requirements. This paper presents VASP, a hypervisor based monitor which allows a trusted execution environment to monitor various malicious behaviors in the operating system. This is achieved by taking advantage of ×86 hardware virtualization and self-transparency technology, and providing a unified security protection to unmodified operating systems such as Linux and Windows. Our design is targeted at establishing a security monitor which resides completely outside of the target OS environment with a negligible overhead. According to the security analysis and performance experiment result, our approach can effectively protect applications and the kernel at a modest overhead of only 0.9% average in Windows XP and 2.6% average in Linux.

Hai Jin,Guofu Xiang,Deqing Zou,Feng Zhao,Min Li,Chen Yu

DOI: https://doi.org/10.1016/j.camwa.2010.01.007

IF: 3.218

2010-01-01

Computers & Mathematics with Applications

Abstract:The file system becomes the usual target of malicious attacks because it contains lots of sensitive data, such as executable programs, configuration and authorization information. File integrity monitoring is an effective approach to discover aggressive behavior by detecting modification actions on these sensitive files. Traditional real-time integrity monitoring tools, which insert hooks into the OS kernel, are easily controlled and disabled by malicious software. Such existing methods, which insert kernel module into OS, are hard to be compatible because of the diversity of OS. In this paper, we present a non-intrusive real-time file integrity monitoring method in virtual machine-based computing environment, which is transparent to the monitored system. The monitor is isolated from the monitored system, since it observes the state of the monitored system from the outside. This method brings two benefits: detecting file operations in real time and being invisible to malicious attackers in the monitored system. Furthermore, a kind of file classification algorithm based on file security level is proposed to improve efficiency in this paper. The proposed file integrity monitoring method is implemented in the full-virtualization mode supported by the Xen platform. The experimental results show that the method is effective with acceptable overhead.

Guofu Xiang,Hai Jin,Deqing Zou

DOI: https://doi.org/10.1109/icoin.2012.6164438

2012-01-01

Abstract:Virtualization can divide or aggregate the underlying resource flexibly, and it attracts attention from both academic and industry in recent years. Guest operating systems in virtual machines can be various, and the states of virtual machines changes all the time. Due to the complexity of virtual computing environment, it brings tremendous challenges for security monitoring. Existing monitoring mechanism can not adapt to the dynamic and diversity of virtual machines. Therefore, a comprehensive monitoring framework, named ComMon, is proposed in this paper, which implements comprehensive monitoring from three aspects: network, process, and file. It has the characteristics of real-time, transparency and generality.

Xingshu Chen,Dandan Zhao,Hui Li,Lei Zhang

DOI: https://doi.org/10.13245/j.hust.160307

2016-01-01

Abstract:To trace the behavior of LKM (loadable kernel modules)rootkits,a hardware assisted vir-tualization based framework for kernel modules running in isolation was proposed to isolate drivers in an address space separate from the kernel by two sets of hardware assisted page tables and to protect integrity of the kernel stack basing on the chain composed of base pointers of stack frames.Eventually a prototype system on the full-virtualization platform of KVM was implemented which was called Hy-per-ISO (Hyper-ISOlation).The experimental result shows that the Hyper-ISO is able to monitor the control transfer processes between the untrusted module and the kernel timely,monitor the untrusted module accessing kernel code or data,and protect the kernel stack from the untrusted module.

温研,赵金晶,王怀民

DOI: https://doi.org/10.3969/j.issn.1001-3695.2008.11.078

2008-01-01

Abstract:With more and more PC users were accustomed to download and execute programs from Internet,stealth malware had become a major threat to the PC computers.Process hiding was a powerful stealth technique commonly used by stealth malware to evade detection by computer users and anti-malware scanners.This paper proposed a new approach called Libra for detect hidden processes implicitly.Libra implemented a novel lightweight hardware-assisted VMM to obtain the true process list(TPL) from deep within the system.Compared to existing VMM-based approaches,Libra provides two unique advantages: dynamic OS migration and implicit introspection of TPL.The functionality evaluation shows the completeness and effectiveness of Libra.

CHEN Xing-shu,ZHAOCheng,TAOShu-song

DOI: https://doi.org/10.3969/j.issn.1001-0548.2016.06.013

2016-01-01

Abstract:To protect the process memory and execution paths of system calls from the threat of malicious code on Windows virtual machine, a KVM-based virtual machine user process protection solution is proposed. Combined with hardware virtualization technologies, a shadow kernel is built for Windows virtual machine to protect the original kernel system call paths from being hooked by malicious code. Meanwhile, the process memory is secured through filtering out-of-process system calls in the monitoring agent, intercepting the switching behaviors of page tables, monitoring the exceptions of breakpoints, and debugging of the virtual machine. In addition, a shadow monitoring agent is built to safeguard the virtual machine’s monitor agent memory. A prototype system VMPPS was thus designed and implemented with its validity tests and analysis results showing that process memory and execution paths of system calls of the virtual machine are effectively protected within an acceptable performance loss range.

Bo Li,Jianxin Li,Tianyu Wo,Chunming Hu,Liang Zhong

DOI: https://doi.org/10.1109/icpads.2010.53

2010-01-01

Abstract:System call interposition is a powerful method for regulating and monitoring program behavior. A wide variety of security tools have been developed which use this technique. However, traditional system call interposition techniques are vulnerable to kernel attacks and have some limitations on effectiveness and transparency. In this paper, we propose a novel approach named VSyscall, which leverages virtualization technology to enable system call interposition outside the operating system. A system call correlating method is proposed to identify the coherent system calls belonging to the same process from the system call sequence. We have developed a prototype of VSyscall and implemented it in two mainstream virtual machine monitors, Qemu and KVM, respectively. We also evaluate the effectiveness and performance overhead of our approach by comprehensive experiments. The results show that VSyscall achieves effectiveness with a small overhead, and our experiments with six real-world applications indicate its practicality.

Zhiyuan Shao,Hai Jin,Xiaowen Lu

DOI: https://doi.org/10.1109/ETCS.2009.688

2009-01-01

Abstract:Performance monitor for virtual machines can monitor the performance metrics of virtual machines and gain the resource consumption status, and thus provide reliable basis for system performance evaluation and further management. However, at current stage, such performance monitor systems for the virtualized systems are inadequate and inefficient. In this paper, we propose a lightweight performance monitor system model for virtual machines, called PMonitor. Through prototype implementation and experiments, we find that PMonitor consumes very few processing power, which is much lower than other open source performance monitors running on the virtualized environments.

JIANG Nan,WU Jun-Min,ZHU Xiao-Dong,LI Li-Feng,ZHANG Peng-Fei,HUANG Jing

DOI: https://doi.org/10.3969/j.issn.1003-3254.2012.09.003

2012-01-01

Abstract:With the era of multi-core processors,virtualization technology is widely used,and multi-core virtual machine is one of them.The current multi-core virtual machine monitors are generally used hardware virtualization technology through simulating a number of virtual serial ports to monitor for the purpose.This inventive,given based on shared memory multi-core system-level monitoring system virtualization solution,and gives a complete design and implementation.

CHEN Xing-shu,CHEN Meng-meng,JIN Xin

DOI: https://doi.org/10.3969/j.issn.1001-0548.2018.01.012

2018-01-01

Abstract:To improve security of process in virtual machine (VM) and avoid system service descriptor table (SSDT) and system call execution path being hooked, a agentless method based on shadow memory of protecting process security in VM is proposed. First, a block of shadow memory is constructed in nonpaged pool of VM by using of high privilege level of virtual machine manager (VMM), then new system service descriptor table (SSDT) and system call execution path are injected to shadow memory. The process sensitive behavior is detected by using of characteristic of hardware virtualization and hook technology, and the invalid operation to targeted process is filtered in VMM so as to implement protecting process security without agent in VM. Analysis and test results show that almost all the attacks from rootkits can be prevented, and the targeted process in VM can be protected well with almost no performance loss.