Full virtual machine state reconstruction for security applications
Abstract
System virtualization allows one to monitor, analyze, and manipulate the state of a virtual machine from the vantage point of the hypervisor. This method is known as virtual machine introspection (VMI). Various security mechanisms can be implemented by exercising the extensive control the hypervisor has over the virtual machines running on top of it, such as malware analysis, intrusion detection, secure logging, and digital forensics. As virtualization technology becomes increasingly ubiquitous in everyday computing, VMI represents a viable option to enhance system security from the hypervisor level. However, all systems that utilize VMI face a common challenge, namely the semantic gap. This challenge describes the disconnect between the low-level state that the hypervisor has access to and its semantics within the guest. In this work, we explore the possibilities and implications of bridging the semantic gap to support security applications from the hypervisor level. We define a formal model for VMI that allows us to describe and compare such approaches in a uniform way. Using our model, we identify three common patterns for bridging the semantic gap and describe the properties of the corresponding implementations. Based on these findings, we propose a novel VMI framework that allows one to analyze the full virtual machine state in a universal way. We apply semantic knowledge of the operating system kernel to recreate the graph of kernel objects from guest physical memory. Since dynamic pointer manipulations such as type-casting and pointer arithmetic are prevalent in kernel code, we develop a type-centric, semantic source code analysis technique to identify such runtime manipulations in the C programming language. The results of this analysis augment the static type information and allow us to over-approximate the possible data types of pointer values, thus increasing the overall coverage of the kernel object graph in a fully automated fashion. 
However, not all instances of runtime-dependent type manipulations can be detected this way. As a solution, our framework additionally supports the manual formulation of simple, yet powerful type manipulation rules. These rules allow the user to extend the type knowledge with their own expertise in a generic, reusable way. To give evidence for the effectiveness of our methods, we have implemented a prototype of this system as part of this work to perform virtual machine introspection. Our prototype reconstructs the graph of kernel objects of Linux guests almost perfectly. The identified objects can be exposed to arbitrary VMI applications for further analysis through a rich set of interfaces. From all the possible security applications that could work on the object graph, we choose malware detection as an example. The experimental evaluation shows that our approach is well suited to detect various kinds of kernel-level attacks, including those that are specifically designed to cover their tracks within the system.
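To make the abstract's pipeline concrete, here is an added example (not the dissertation's prototype or data) that reconstructs a toy kernel object graph from a constructed guest-physical memory image using static struct layouts, resolves a void* field through a manual type rule of the kind the text describes, and then detects a task hidden by unlinking it from the task list by comparing two roots into the same graph. The addresses, struct layouts, `PRIV_RULE`, and the pid table are all assumptions of the example.

```python
import struct
# Constructed 32-bit little-endian memory image of a toy kernel. Static type
# info covers `task` and `cred`; `task.priv` is a void* whose real type depends
# on `task.priv_kind`, a runtime type manipulation that a manual rule resolves.
TASK = struct.Struct("<II8sII")       # pid, next, comm, priv, priv_kind
CRED = struct.Struct("<I")            # uid
PRIV_RULE = {1: "cred"}               # manual rule: priv_kind == 1 => priv is cred*
TASK_LIST_HEAD = 0x1000               # assumed root, like Linux init_task
PID_TABLE = 0x1100                    # assumed second root: four task* entries

def task_bytes(pid, nxt, comm, priv, kind):
    return TASK.pack(pid, nxt, comm.ljust(8, b"\0"), priv, kind)

def build_image():
    mem = bytearray(0x1400)
    mem[0x1000:0x1000 + TASK.size] = task_bytes(1, 0x1020, b"init", 0x1200, 1)
    mem[0x1020:0x1020 + TASK.size] = task_bytes(2, 0x1040, b"sshd", 0x1204, 1)
    mem[0x1040:0x1040 + TASK.size] = task_bytes(3, 0x1000, b"bash", 0x1204, 1)
    # pid 4 was unlinked from the task list (DKOM hiding) but keeps its pid slot
    mem[0x1060:0x1060 + TASK.size] = task_bytes(4, 0x1040, b"hidden", 0x1200, 1)
    mem[0x1100:0x1110] = struct.pack("<4I", 0x1000, 0x1020, 0x1040, 0x1060)
    mem[0x1200:0x1208] = struct.pack("<2I", 0, 1000)     # cred uid 0, cred uid 1000
    return bytes(mem)

def read_task(mem, addr):
    pid, nxt, comm, priv, kind = TASK.unpack_from(mem, addr)
    return {"addr": addr, "pid": pid, "next": nxt, "priv": priv, "kind": kind,
            "comm": comm.rstrip(b"\0").decode()}

def walk_task_list(mem, head=TASK_LIST_HEAD):
    """Static-type view: follow task.next from the head until the list wraps."""
    seen, addr = {}, head
    while addr not in seen:
        seen[addr] = read_task(mem, addr)
        addr = seen[addr]["next"]
    return seen

def walk_pid_table(mem, base=PID_TABLE, n=4):
    """Second root into the same object graph: every task* in the pid table."""
    return {a: read_task(mem, a) for a in struct.unpack_from(f"<{n}I", mem, base)}

def resolve_priv(mem, task):
    """Apply the manual type rule to the void* field and parse its target."""
    if PRIV_RULE.get(task["kind"]) != "cred":
        return None
    return {"type": "cred", "uid": CRED.unpack_from(mem, task["priv"])[0]}

def find_hidden_tasks(mem):
    """Cross-view check: tasks reachable from the pid table but not the list."""
    listed = walk_task_list(mem)
    return sorted(t["pid"] for a, t in walk_pid_table(mem).items() if a not in listed)
```

Running `find_hidden_tasks(build_image())` reports the unlinked task, which is the kind of object a rootkit that covers its tracks removes from the list view while it remains reachable from other kernel structures.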
Similar resources
Communication-Aware Traffic Stream Optimization for Virtual Machine Placement in Cloud Datacenters with VL2 Topology
With the pervasiveness of cloud computing, a colossal number of applications from gigantic organizations increasingly tend to rely on cloud services. These demands have caused a great number of applications, in the form of groups of virtual machine (VM) requests, to be executed on data centers' servers. Some applications are too big to be processed on a single VM. Also, there exist severa...
Virtual Machine Security Systems
Current operating systems provide the process abstraction to achieve resource sharing and isolation. From a security perspective, however, an attacker who has compromised one process can usually gain control of the entire machine. This makes security systems running on the same computer, such as anti-virus programs or intrusion detection systems, also vulnerable to attack. In response to the im...
Using Hardware Performance Events for Instruction-Level Monitoring on the x86 Architecture
Full virtualization has become one of the basic technologies for the development of security applications. This is due to the fact that full virtualization provides important properties such as isolation and transparency that are essential for the development of robust security mechanisms. However, a fact that is often overlooked is that full virtualization also enables developers to make full ...
Monitor and Control of Mobile Agent Applications
Mobile agents raise significant security concerns that have been the focus of several research activities. However, some security-related issues, such as the protection against denial of service attacks and the accounting of agent resource consumption, still need further investigation. Solutions to these problems require monitoring the resource state during agent execution, in order to control ...
Reverse Engineering of Network Software Binary Codes for Identification of Syntax and Semantics of Protocol Messages
Reverse engineering of network applications, especially from the security point of view, is of high importance and interest. Many network applications use proprietary protocols whose specifications are not publicly available. Reverse engineering of such applications could provide us with vital information to understand their embedded unknown protocols. This could facilitate many tasks including d...