Exploiting the x86 Architecture to Derive Virtual Machine State Information

Pfoh, Jonas; Schneider, Christian; Eckert, Claudia

doi:10.1109/securware.2010.35

Cited by 14 publications

(6 citation statements)

References 3 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Over the past few years, concrete contributions to VMI have been made, and various methods have been suggested to inspect VM data from the outside [22][23][24]. As mentioned above, the difficulty in interpreting the lowlevel bits and bytes of a VM into the high-level semantic state of a guest OS is called the "semantic gap problem" [25][26][27][28]. It is very difficult to derive a complete view of a guest OS from outside a GM without knowledge of the hardware architecture or guest OS [29].…”

Section: Vmi-based Malwarementioning

confidence: 99%

Secure Virtualization Environment Based on Advanced Memory Introspection

Zhang

Meng

Wang

et al. 2018

Security and Communication Networks

View full text Add to dashboard Cite

Most existing virtual machine introspection (VMI) technologies analyze the status of a target virtual machine under the assumption that the operating system (OS) version and kernel structure information are known at the hypervisor level. In this paper, we propose a model of virtual machine (VM) security monitoring based on memory introspection. Using a hardware-based approach to acquire the physical memory of the host machine in real time, the security of the host machine and VM can be diagnosed. Furthermore, a novel approach for VM memory forensics based on the virtual machine control structure (VMCS) is put forward. By analyzing the memory of the host machine, the running VMs can be detected and their high-level semantic information can be reconstructed. Then, malicious activity in the VMs can be identified in a timely manner. Moreover, by mutually analyzing the memory content of the host machine and VMs, VM escape may be detected. Compared with previous memory introspection technologies, our solution can automatically reconstruct the comprehensive running state of a target VM without any prior knowledge and is strongly resistant to attacks with high reliability. We developed a prototype system called the VEDefender. Experimental results indicate that our system can handle the VMs of mainstream Linux and Windows OS versions with high efficiency and does not influence the performance of the host machine and VMs.

show abstract

Section: Vmi-based Malwarementioning

confidence: 99%

Secure Virtualization Environment Based on Advanced Memory Introspection

Zhang

Meng

Wang

et al. 2018

Security and Communication Networks

View full text Add to dashboard Cite

show abstract

“…The problem of extracting high-level semantic information from low-level data sources is known as the semantic gap, and has sparked much research activity in recent years [7,21]. We now discuss how DiskDuster bridges it.…”

Section: The Process Monitor: Tracking Attacks At Thread Granularitymentioning

confidence: 99%

System-Level Support for Intrusion Recovery

Bacs

Vermeulen

Slowinska

et al. 2013

Detection of Intrusions and Malware, and Vulnerability Assessment

View full text Add to dashboard Cite

Abstract.Recovering from attacks is hard and gets harder as the time between the initial infection and its detection increases. Which files did the attackers modify? Did any of user data depend on malicious inputs? Can I still trust my own documents or binaries? When malcode has been active for some time and its actions are mixed with those of benign applications, these questions are impossible to answer on current systems. In this paper, we describe DiskDuster, an attack analysis and recovery system capable of recovering from complicated attacks in a semi-automated manner. DiskDuster traces malcode at byte-level granularity both in memory and on disk in a modified version of QEMU. Using taint analysis, DiskDuster also tracks all bytes written by the malcode, to provide a detailed view on what (bytes in) files derive from malicious data. Next, it uses this information to remove malicious actions at recovery time.

show abstract

“…It has already been shown [13,17] that VT microprocessor support features can be used for introspection activities. Useful information related to guest VM implementation can be retrieved by monitoring the VM control structure (VMCS) of the processor.…”

Section: Introspection Using Virtualization Supportmentioning

confidence: 99%

Virtual machine introspection: towards bridging the semantic gap

Tapaswi

2014

J Cloud Comp

View full text Add to dashboard Cite

Virtual machine introspection is a technique used to inspect and analyse the code running on a given virtual machine. Virtual machine introspection has gained considerable attention in the field of computer security research. In recent years, it has been applied in various areas, ranging from intrusion detection and malware analysis to complete cloud monitoring platforms. A survey of existing virtual machine introspection tools is necessary to address various possible research gaps and to focus on key features required for wide application of virtual machine introspection techniques. In this paper, we focus on the evolution of virtual machine introspection tools and their ability to address the semantic gap problem.

show abstract

Exploiting the x86 Architecture to Derive Virtual Machine State Information

Cited by 14 publications

References 3 publications

Secure Virtualization Environment Based on Advanced Memory Introspection

Secure Virtualization Environment Based on Advanced Memory Introspection

System-Level Support for Intrusion Recovery

Virtual machine introspection: towards bridging the semantic gap

Contact Info

Product

Resources

About