A Survey on Hypervisor-Based Monitoring

Bauman, Erick; Ayoade, Gbadebo; Lin, Zhiqiang

doi:10.1145/2775111

Cited by 69 publications

(11 citation statements)

References 82 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…(11) Check and mark the loops in the traversed nodes. (12) end (13) else (14) Disassemble and parse block (15) while Get instruction ins from block successfully do (16) if ins is a system call instruction or has memory operations then (17) Mark block as abort (18) break (19) else if ins is a direct unconditional jump instruction then (20) Construct the node of target block, and push it to stack_dfs (21) break (22) else if ins is a conditional branch instruction then (23) Construct all successor nodes of block, and push them to stack_dfs (24) break (25) else if ins is an indirect branch instruction or other transfers then (26) Mark block as pending, and save the traversed nodes and execution paths (27) break (28) else if ins is the end_ins then (29) Mark block as the end (30) break (31) else (32) Save the parse result to block en we still need to reexecute part of the instructions in the paths to obtain the real execution path. For two possible…”

Section: Intercepting All Memory Reads and Writesmentioning

confidence: 99%

“…(13) Get the jump target address target_ins. (14) curr_ins ⟵ target_ins (15) break (16) else if curr_ins is a system call, interrupt or trap instruction then (17) break (18) end (19) else (20) Insert curr_ins and extra analysis code to buf has errors; otherwise the correct value is written to the simulated memory space (iii) Read from the address outside the stack. First we obtain the two memory writes before and after this operation of current thread from the log; meanwhile check if there exists a write to this address by another thread during the period of the two writes.…”

Section: Intercepting Only Memory Writes Except the Stackmentioning

confidence: 99%

“…In addition, some research works based on virtual machines (VM) or emulators to implement system-wide application analysis will also face the challenge of many types of detection methods [11,12], and the virtual machines themselves will cause difficulties in deployment and analysis efficiency. In recent years, due to the development of hardware technology, many studies have begun to take advantage of hardware features, especially hardware virtualization technology, which has been widely used in cloud computing, access control, vulnerability discovery, and program analysis [13][14][15]. Since the confrontation between analysis and antianalysis exists not only at the kernel level but also in virtualized environments and simulators [16], some studies use more hardware features to further improve the stealthiness of debugging, such as MALT [17] and SPIDER [18].…”

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

BAHK: Flexible Automated Binary Analysis Method with the Assistance of Hardware and System Kernel

Pan

Zhuang

Sun

2020

Security and Communication Networks

View full text Add to dashboard Cite

To protect core functions, applications often utilize the countermeasure techniques such as antidebugging to avoid analysis by outsiders, especially the malware. Dynamic binary instrumentation is commonly used in the analysis of binary programs. However, it can be easily detected and has stability and applicability problems as it involves program rewriting and just-in-time compilation. This paper proposes a new lightweight analysis method for binary programs with the assistance of hardware features and the operating system kernel, named BAHK, which can automatically analyze the target program by stealth and has wide applicability. With the support of underlying infrastructures, this paper designs several optimization strategies and specific analysis approaches at instruction level to reduce the impact of fine-grained analysis on the performance of target program so that it can be well applied in practice. The experimental results show that the proposed method has good stealthiness, low memory consumption, and positive user experience. In some cases, it shows better analysis performance than the traditional dynamic binary instrumentation method. Finally, the real case studies further show its feasibility and effectiveness.

show abstract

Section: Intercepting All Memory Reads and Writesmentioning

confidence: 99%

Section: Intercepting Only Memory Writes Except the Stackmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

BAHK: Flexible Automated Binary Analysis Method with the Assistance of Hardware and System Kernel

Pan

Zhuang

Sun

2020

Security and Communication Networks

View full text Add to dashboard Cite

show abstract

“…Baliga et al [2] have demonstrated how easy to launch such an attack by manipulating Linux Netfilter to remove hook functions to packet filtering. To address that, researchers and practitioners have proposed a stream of "out-of-the-box" solutions [3][4][5][6][7][8]. They leverage the ability provided by virtualization, called virtual machine introspection(VMI), to deploy monitoring and protection components in the hypervisor or a privileged VM, which makes the security solutions more robust.…”

Section: Introductionmentioning

confidence: 99%

Tenant-Oriented Monitoring for Customized Security Services in the Cloud

Zhou

Wang

et al. 2019

Symmetry

View full text Add to dashboard Cite

The dramatic proliferation of cloud computing makes it an attractive target for malicious attacks. Increasing solutions resort to virtual machine introspection (VMI) to deal with security issues in the cloud environment. However, the existing works are not feasible to support tenants to customize individual security services based on their security requirements flexibly. Additionally, adoption of VMI-based security solutions makes tenants at the risk of exposing sensitive information to attackers. To alleviate the security and privacy anxieties of tenants, we present SECLOUD, a framework for monitoring VMs in the cloud for security analysis in this paper. By extending VMI techniques, SECLOUD provides remote tenants or their authorized security service providers with flexible interfaces for monitoring runtime information of guest virtual machines (VMs) in a non-intrusive manner. The proposed framework enhances effectiveness of monitoring by taking advantages of architectural symmetry of cloud environment. Moreover, we harden our framework with a privacy-preserving capacity for tenants. The flexibility and effectiveness of SECLOUD is demonstrated through a prototype implementation based on Xen hypervisor, which results in acceptable performance overhead.

show abstract

“…The external approach is inspired by the feature that the VMM has supervisory privilege on guest VMs. Antivirus software is totally moved out of the VM [8][9] [10], and gets necessary information from the guest OS using VMI techniques [11] [40] [46]. The existing work following this approach can only detect virus in guest files or memory, and can't prohibit it properly.…”

Section: Introductionmentioning

confidence: 99%

VirtAV: an Agentless Runtime Antivirus System for Virtual Machines

2017

KSII TIIS

View full text Add to dashboard Cite

Antivirus is an important issue to the security of virtual machine (VM). According to where the antivirus system resides, the existing approaches can be categorized into three classes: internal approach, external approach and hybrid approach. However, for the internal approach, it is susceptible to attacks and may cause antivirus storm and rollback vulnerability problems. On the other hand, for the external approach, the antivirus systems built upon virtual machine introspection (VMI) technology cannot find and prohibit viruses promptly. Although the hybrid approach performs virus scanning out of the virtual machine, it is still vulnerable to attacks since it completely depends on the agent and hooks to deliver events in the guest operating system. To solve the aforementioned problems, based on in-memory signature scanning, we propose an agentless runtime antivirus system VirtAV, which scans each piece of binary codes to execute in guest VMs on the VMM side to detect and prevent viruses. As an external approach, VirtAV does not rely on any hooks or agents in the guest OS, and exposes no attack surface to the outside world, so it guarantees the security of itself to the greatest extent. In addition, it solves the antivirus storm problem and the rollback vulnerability problem in virtualization environment. We implemented a prototype based on Qemu/KVM hypervisor and ClamAV antivirus engine. Experimental results demonstrate that VirtAV is able to detect both user-level and kernel-level virus programs inside Windows and Linux guest, no matter whether they are packed or not. From the performance aspect, the overhead of VirtAV on guest performance is acceptable. Especially, VirtAV has little impact on the performance of common desktop applications, such as video playing, web browsing and Microsoft Office series.

show abstract

A Survey on Hypervisor-Based Monitoring

Cited by 69 publications

References 82 publications

BAHK: Flexible Automated Binary Analysis Method with the Assistance of Hardware and System Kernel

BAHK: Flexible Automated Binary Analysis Method with the Assistance of Hardware and System Kernel

Tenant-Oriented Monitoring for Customized Security Services in the Cloud

VirtAV: an Agentless Runtime Antivirus System for Virtual Machines

Contact Info

Product

Resources

About