Xianxian Li,Changhui Jiang,Jianxin Li,Bo Li

DOI: https://doi.org/10.1109/NCIS.2011.21

2011-01-01

Abstract:Malicious software is one of the primary threats to information system on Internet, while the traditional host-based and network-based monitoring systems are vulnerable to prevent the malicious behavior of software because most current malicious software is capable of resisting security monitoring. Virtualization technology gives an impactful approach to monitoring the behavior of malicious software since it can provide an abstraction layer between the operating system and the hardware. In this paper, we propose a hardware-virtualization-based security monitor system named VMInsight, which can provide load-time and run-time monitoring for processes. VMInsight intercepts system calls and process behaviors by monitoring changes in the virtual machine CPU register, and it is implemented in the hyper visor, thus is completely transparent to the software and operating system running in the virtual machine. The experimental results show that the performance overhead of VMInsight is less than 10%, and it can be easily applied to the third-party security monitoring system.

杜海,陈榕

DOI: https://doi.org/10.3969/j.issn.1000-3428.2009.08.030

2009-01-01

Abstract:Aiming at the problems existed in Operating System(OS) process monitoring, a new full-virtualization-based process monitoring method is proposed. It uses full virtualization technology to detect and isolate all the harmful behaviors of untrusted processes in OS. Experimental results show this method has better performances of pellucidity and portability, which can prevent against multiple attacks and incur only a small amount of performance overhead.

guofeng wang,chuanyi liu,jie lin

DOI: https://doi.org/10.1007/978-3-662-43908-1_4

2014-01-01

Abstract:Modern malware attacks are designed intricately, transport data encrypted, so monitoring network traffic can't solve such attacks completely. Therefore, network monitoring and analysis need to be combined with system behavior monitoring and memory analysis, and the latter is more important. In this article we propose a hardware-based virtualization prototype system, combined with memory analysis tools to monitor and counterwork malicious attacks actively. The system is based on Xen virtualization platform, which monitoring virtual machine behavior by capturing specific events. The events are triggered by some specific behaviors associated with malicious software monitoring, such as executing privileged instruction, system calls, memory writing, etc. When necessary, we can dump the memory of the virtual machine, use memory analysis tools for detailed analysis, so as to achieve the purpose of monitoring and counterworking.

Xiaoguang Wang,Yong Qi,Zhi Wang,Yue Chen,Yajin Zhou

DOI: https://doi.org/10.1109/tdsc.2017.2675991

2019-01-01

Abstract:The OS kernel is critical to the security of a computer system. Many systems have been proposed to improve its security. A fundamental weakness of those systems is that page tables, the data structures that control the memory protection, are not isolated from the vulnerable kernel, and thus subject to tampering. To address that, researchers have relied on virtualization for reliable kernel memory protection. Unfortunately, such memory protection requires to monitor every update to the guest's page tables. This fundamentally conflicts with the recent advances in the hardware virtualization support. In this paper, we propose SecPod, an extensible framework for virtualization-based security systems that can provide both strong isolation and the compatibility with modern hardware. SecPod has two key techniques: paging delegation delegates and audits the kernel's paging operations to a secure space; execution trapping intercepts the (compromised) kernel's attempts to subvert SecPod by misusing privileged instructions. We have implemented a prototype of SecPod based on KVM. Our experiments show that SecPod is both effective and efficient.

XIANG Guo-Fu,JIN Hai,ZOU De-Qing,CHEN Xue-Guang

DOI: https://doi.org/10.3724/sp.j.1001.2012.04219

2012-01-01

Journal of Software

Abstract:In recent years, virtualization technology is the novel trendy of computer architecture, and it provides a solution for security monitoring.Due to the highest privilege and the smaller trusted computing base of virtual machine monitor, security tools, deployed in an isolated virtual machine, can inspect the target virtual machine with the help of virtual machine monitor.This approach can enhance the effectiveness and anti-attack ability of security tools.From the aspect of the implementation technologies, existing research works can be classified into internal monitoring and external monitoring.According to the different targets, the related works about virtualization-based monitoring are introduced in this paper in detail, such as intrusion detection, honeypot, file integrity monitoring, malware detection and analysis, security monitoring architecture and the generality of monitoring.Finally, this paper summarizes the shortcomings of existing works, and presents the future research directions.It is significant for virtualization research and security monitoring research.

Nan Li,Bo Li,Jianxin Li,Tianyu Wo,Jinpeng Huai

DOI: https://doi.org/10.1109/HPCC.and.EUC.2013.194

2013-01-01

Abstract:Cloud computing service has been evolved in providing a whole virtual data center from selling scattered virtual machines (VMs). Process Monitoring of a VM is a fundamental feature to guarantee the security of the virtual data center because of the rapid growth of the malware. Existing approaches are mainly based on virtual machine introspection (VMI) technique to isolate the monitor out-of-vm and designed to inspect the VM internal processes. However, few of them consider the real time control of process execution in the VMs, such as process termination or files operation conducted by the process. Early VMI-based solutions relied on some specific OS kernel data structures, so they need to know the OS information in advance instead of identifying the OS version at runtime for operating system compatible. In this paper, we propose a novel out-of-the-box process monitor named vMON, which can not only identify different guest OS versions and reconstruct rich semantic information for the target VM processes at runtime, but also control the behaviors of processes with fine granularity. In addition, vMON provides uniform programming interfaces to support the development of application-level security tools. A prototype of vMON has been implemented in kernel-based virtual machine (KVM) hypervisor, and its effectiveness and performance have also been evaluated through several experiments. The results show that vMON can successfully identify, analyze and control the behaviors of the processes in Guest OS with acceptable performance overhead. vMon incurs 0.74%similar to 10.20% I/O overhead and 0.003s average interface return time.

Yan Wen,Jinjing Zhao,Huaimin Wang

DOI: https://doi.org/10.1145/1460877.1460904

2008-01-01

Abstract:With security researchers relying on the virtual machine (VM) in their analysis work, malware has a significant stake in detecting the presence of a VM to avoid executing its vicious behavior. But hiding a VM from malware by building a transparent virtual machine monitor (VMM) is fundamentally infeasible, as well as impractical from a performance and engineering standpoint. This paper proposes a new idea from another perspective: hiding the "real" machine from the VMM-aware malware. We propose a minimal VMM called MiniVMM which can migrate a booted OS, our protecting concern, to this VMM on demand. In our protection model, all the untrusted code, although having been verified by VMM-based malware detectors, should be executed in this migrated OS. Instead of building a transparent VMM, MiniVMM advisedly exposes the VMM fingerprints to prevent the computer against VMM-aware malicious programs by deceiving them into deactivating their destructive behavior by themselves. MiniVMM has two key features: dynamic OS migration and commodity VMM fingerprints emulation. Unlike existing VMM solutions, MiniVMM can make the protected OS transfer between VMM mode and native mode dynamically. MiniVMM can also emulate the fingerprints of prevalent VMMs to make the protected computer more like a "real" VM. MiniVMM might be deployed as a considerable complement of the existing VMM-based security approaches to make the native OSes immune to the VMM-aware malware.

Muhammad Shams Ul haq,Lejian Liao,Ma Lerong

DOI: https://doi.org/10.1109/is3c.2016.108

2016-01-01

Abstract:In presence of known and unknown vulnerabilities in code and flow control of programs, virtual machine alike isolation and sandboxing to confine maliciousness of process, by monitoring and controlling the behaviour of untrusted application, is an effective strategy. A confined malicious application cannot effect system resources and other applications running on same operating system. But present techniques used for sandboxing have some drawbacks ranging from scope to methodology. Some of proposed techniques restrict specific aspect of execution e.g. system calls and file system access. In the same way techniques that truly isolate the application by providing separate execution environment either require modification in kernel or full blown operating system. Moreover these do not provide isolation from top to bottom but only virtualize operating system services.In this paper, we propose a design to confine native Linux process in virtual machine equivalent isolation by using hardware virtualization extensions with nominal initialization and acceptable execution overheads. We implemented our prototype called Process Virtual Machine that transition a native process into virtual machine, provides minimal possible execution environment, intercept and virtualize system calls to execute it on host kernel. Experimental results show effectiveness of our proposed technique.

Bo Li,Jianxin Li,Tianyu Wo,Chunming Hu,Liang Zhong

DOI: https://doi.org/10.1109/icpads.2010.53

2010-01-01

Abstract:System call interposition is a powerful method for regulating and monitoring program behavior. A wide variety of security tools have been developed which use this technique. However, traditional system call interposition techniques are vulnerable to kernel attacks and have some limitations on effectiveness and transparency. In this paper, we propose a novel approach named VSyscall, which leverages virtualization technology to enable system call interposition outside the operating system. A system call correlating method is proposed to identify the coherent system calls belonging to the same process from the system call sequence. We have developed a prototype of VSyscall and implemented it in two mainstream virtual machine monitors, Qemu and KVM, respectively. We also evaluate the effectiveness and performance overhead of our approach by comprehensive experiments. The results show that VSyscall achieves effectiveness with a small overhead, and our experiments with six real-world applications indicate its practicality.

Chaoyuan Cui,Yun Wu,Ping Li,Rujing Wang

DOI: https://doi.org/10.2991/ccis-13.2013.59

2013-01-01

Abstract:With the development of the Cloud computing, more and more people are accustomed to resource sharing or online shopping. And malware has become a major threat to the Cloud safety. Process hiding is a powerful technique commonly used by stealthy malware to evade detection by anti-malware. In this paper, we present a novel approach called VMPmonitor-an efficient modularity approach for hidden process detection. With the help of the guest OS register information (mainly the ESP) collected by virtual machine monitor, VMPmonitor can implicitly capture the hidden process information of target guest OS. Compared to other approaches, VMPmonitor obtains guest process information implicitly. Using implicit information reduces its susceptibility to guest evasion attack. Experimental result shows that VMPmonitor has better reliability and accuracy.

Menglong Jiang,Zhengwei Qi,Haibing Guan,Anil Kumar Karna

DOI: https://doi.org/10.1109/FCST.2009.26

2009-01-01

Abstract:With the development of network malicious code, the existing security holes in present systems facilitate data loss. Though protection methods and software are updated day by day, some recent rootkits, that can still invisibly access kernel, make new challenges for the system security. The focal point on system security is how to protect a chosen process on the infected operating system. Process protection and monitoring are becoming more and more important for emerging networks and systems. In this paper, we present a new technique, Croth, which is based on hardware virtualization technology. It introduces a novel mechanism, Cape, that is located in virtual machine monitor (VMM). The main work of Cape is to emulate most of the operations originally done by operating system. This primitive offers an additional dimension of protection beyond the hierarchical protection domains, implemented by traditional operating systems and processor architectures. The design and implementation of hiding sensitive data is also presented in this paper. Our design has been fully implemented and used to protect a wide range of legacy process without any modification on Windows operating system. Our experimental result shows that the operating system could not get accurate data while the chosen process is controlled by Croth. It has provided a little performance overhead, however, performance is still acceptable.

Haibo Chen,Pengcheng Liu,Rong Chen,Binyu Zang

2007-01-01

Abstract:Processes in commodity operating systems are “wild” 1 in nature: They are usually granted with excessive privileges, yet can be easily compromised and abused. Unfortunately, since commodity operating systems are big, complex, thus inherently untrusted, monitoring process behaviors within them is inherently insecure and could be circumvented or tampered. In this paper, we present an approach, named VMM-based process shepherding, to prevent, detect and isolate harmful behaviors (e.g. intrusions) of wild processes. The key idea of our approach is using a virtual machine monitor (VMM) to shepherd all privileged operations made by a wild process, in terms of system calls. As a VMM can easily be adjusted to intercept all system calls from a process running within operating systems thereon, such interception is mandatory and can not be bypassed. Further, as our approach is completely implemented in VMMs, it can result in good operating system transparency and portability. We provide three techniques as building blocks to process shepherding. First, the VMM prohibits any unauthorized accesses to privileged resources (e.g. system configuration files) using policy-based system call auditing. Second, the VMM uses system call sequences to detect possible malicious behaviors. Unexpected system call sequences should be considered as evidences for misbehaving. Third, the VMM isolates all suspect operations and discard them once a wild process is identified as malicious. Based on the three techniques, our approach tends to be safe and non-intrusive, that is, it can isolate damages made by a wild process. We present Shepherd, a prototype system based on Xen VMM, and evaluate it against real-life applications. According to our evaluation, Shepherd is resistant against several recent real-life attacks. Performance measurements show that our implementation incurs only a small amount of performance overhead.

Bin Shi,Lei Cui,Bo Li,Xudong Liu,Zhiyu Hao,Haiying Shen

DOI: https://doi.org/10.1007/978-3-030-00470-5_31

2018-01-01

Abstract:Virtual machine introspection (VMI) is one compelling technique to enhance system security in clouds. It is able to provide strong isolation between untrusted guests and security tools placed in guests, thereby enabling dependability of the security tools even if the guest has been compromised. Due to this benefit, VMI has been widely used for cloud security such as intrusion detection, security monitoring, and tampering forensics. However, existing VMI solutions suffer significant performance degradation mainly due to the high overhead upon frequent memory address translations and context-switches. This drawback limits its usage in many real-world scenarios, especially when fine-grained monitoring is desired. In this paper, we present ShadowMonitor, an effective VMI framework that enables efficient in-VM monitoring without imposing significant overhead. ShadowMonitor decomposes the whole monitoring system into two compartments and then assigns each compartment with isolated address space. By placing the monitored components in the protected compartment, ShadowMonitor guarantees the safety of both monitoring tools and guests. In addition, ShadowMonitor employs hardware-enforced instructions to design the gates across two compartments, thereby providing efficient switching between compartments. We have implemented ShadowMonitor on QEMU/KVM exploiting several hardware virtualization features. The experimental results show that ShadowMonitor could prevent several types of attacks and achieves 10\(\times \) speedup over the existing method in terms of both event monitoring and overall application performance.

Ying Wang,Chunming Hu,Bo Li

DOI: https://doi.org/10.1109/hase.2011.41

2011-01-01

Abstract:Recently, "rootkit" becomes a popular hacker malware on the Internet, which controls the hosts on the Internet by hiding itself, and raises a serious security threat. Existing host-based and hardware-based solutions have some disadvantages, such as hardware overhead and being discovered by root kits, where the development of virtualization technology provides a better solution to avoid those. Virtual machine monitor has the highest authority on the virtual machine, and has the right to control the activities in the virtual machine without being found by root kits in the virtual machines. We propose VM Detector based on this hardware virtualization technology, using multi-view detection mechanism, to detect hidden processes inside the virtual machine on many aspects, then to improve the virtual machine's security. Through several experiments, VM Detector carried on the process detection effectively, and introduced less than 10% performance overhead.

Tian Donghai,Jia Xiaoqi,Chen Junhua,Hu Changzhen

DOI: https://doi.org/10.1109/cc.2016.7405709

2016-01-01

Abstract:Recently, virtualization technologies have been widely used in industry. In order to monitor the security of target systems in virtualization environments, conventional methods usually put the security monitoring mechanism into the normal functionality of the target systems. However, these methods are either prone to be tempered by attackers or introduce considerable performance overhead for target systems. To address these problems, in this paper, we present a concurrent security monitoring method which decouples traditional serial mechanisms, including security event collector and analyzer, into two concurrent components. On one hand, we utilize the SIM framework to deploy the event collector into the target virtual machine. On the other hand, we combine the virtualization technology and multi-core technology to put the event analyzer into a trusted execution environment. To address the synchronization problem between these two concurrent components, we make use of Lamport's ring buffer algorithm. Based on the Xen hypervisor, we have implemented a prototype system named COMO. The experimental results show that COMO can monitor the security of the target virtual machine concurrently within a little performance overhead.

Zhiyong Shan,Xin Wang,Tzi-cker Chiueh,Xiaofeng Meng

DOI: https://doi.org/10.1145/1998582.1998601

2011-01-01

Abstract:ABSTRACTA common application of virtual machines (VM) is to use and then throw away, basically treating a VM like a completely isolated and disposable entity. The disadvantage of this approach is that if there is no malicious activity, the user has to re-do all of the work in her actual workspace since there is no easy way to commit (i.e., merge) only the benign updates within the VM back to the host environment. In this work, we develop a VM commitment system called Secom to automatically eliminate malicious state changes when merging the contents of an OS-level VM to the host. Secom consists of three steps: grouping state changes into clusters, distinguishing between benign and malicious clusters, and committing benign clusters. Secom has three novel features. First, instead of relying on a huge volume of log data, it leverages OS-level information flow and malware behavior information to recognize malicious changes. As a result, the approach imposes a smaller performance overhead. Second, different from existing intrusion detection and recovery systems that detect compromised OS objects one by one, Secom classifies objects into clusters and then identifies malicious objects on a cluster by cluster basis. Third, to reduce the false positive rate when identifying malicious clusters, it simultaneously considers two malware behaviors that are of different types and the origin of the processes that exhibit these behaviors, rather than considers a single behavior alone as done by existing malware detection methods. We have successfully implemented Secom on the Feather-weight Virtual Machine (FVM) system, a Windows-based OS-level virtualization system. Experiments show that the prototype can effectively eliminate malicious state changes while committing a VM with small performance degradation. Moreover, compared with the commercial anti-malware tools, the Secom prototype has a smaller number of false negatives and thus can more thoroughly clean up malware side effects. In addition, the number of false positives of the Secom prototype is also lower than that achieved by the on-line behavior-based approach of the commercial tools.

JIN Wei,LI Ming-lu,WENG Chu-liang

DOI: https://doi.org/10.3969/j.issn.1000-3428.2011.15.036

2011-01-01

Abstract:This paper aims to explore the security of the Virtual Machine Monitor(VMM),combined with open source virtualization software Xen to analyze the potential threats and vulnerabilities,such as tampering with hypercalls,malicious direct memory access.It designs and implements a way to undermine the stability of virtual machine by modifying VCPU state and meanwhile give countermeasures,such as verifying critical data structures to discover whether it is invaded,or forbidding the loading of module to eliminate all possible security risks posed by the module.

Ding Shun,Li Minglu,Weng Chuliang,Liu Qian

DOI: https://doi.org/10.3969/j.issn.1000-386X.2012.06.015

2012-01-01

Abstract:As virtualization is widely applied to various fields such as cloud computing,it gradually becomes a target that various malicious attacks aim at.The runtime security of virtual machines is of the most importance.Aiming at this problem,a monitoring scheme suitable for virtualized environments is proposed.Moreover a security monitoring prototype system of a virtual machine is implemented in Xen.With this scheme,a privileged virtual machine can execute dynamic and customized monitoring upon the massive client virtual machines hosted in a same physical machine.Particularly,this system is very effective at detecting rootkits inside OS kernels.The security monitoring scheme can effectively increase the security not only of client virtual machines but also of the whole VM system.

Chen Wen-Zhi,Zhu Hong-Wei,Huang Wei

DOI: https://doi.org/10.1109/CW.2008.110

2008-01-01

Abstract:The security problem became more severe since the security requirement of different applications may conflict with the others in distributed application or grid computing. Virtualization technology can improvethe system's security, but did not satisfy the requirement of virtual resource sharing and inner-domain communication in distributed services and grid computing. By dividing the virtual resources into sharing virtual resources and normal ones, SeVMM provided secure mechanism for inter-domain communication control, which formed the base of multi-level security control model for virtual machine monitors, operating systems and applications. Case study and application showed that SeVMM improved the system's security without causing significant performance penalty.

Xiaoguang Wang,Yong Qi,Yuehua Dai,Jianbao Ren

DOI: https://doi.org/10.1109/compsacw.2013.38

2013-01-01

Abstract:Ensuring the correctness of security sensitive application running on a potentially malicious operating system is an open problem. Existing approaches for protecting a sensitive process are either losing deployment transparency or lack of the inter-process communication ability for the protected process. In this paper, we present a novel approach called shadow process execution (SPE), which can provide security sensitive applications with executing integrity. With the help of virtualization layer, SPE shadows the sensitive application in a separate virtual machine (VM), which significantly removes the complex and potentially malicious software stack from trusted computing base (TCB). At the same time, SPE maintains dynamic runtime protection without application source code. Finally we demonstrate the feasibility of SPE by designing and implementing a prototype system based on KVM hypervisor. And we show the transparent and dynamic feature of SPE by running and protecting a real world encryption utility program.