安全虚拟环境中的进程执行精确监控

doi:10.3969/j.issn.1001-2400.2012.06.030

Abstract

Abstract:

Computer malware has forced the transfer of the traditional in-host security tools to the development of VMM-based solutions which isolate the anti-malware software from untrusted systems. However, the inherent semantic gap poses a great challenge in supporting existing monitoring tools. In this paper, we present a process transferring method for fine-grained process execution monitoring to address both isolation and compatibility problems. Also by redirecting system calls invoked by the suspect process we guarantee the execution flow of the transferred process. Evaluation results show its effectiveness and feasibility with a tiny influence on the system.

Key words: process monitoring, semantic gap, virtual machine introspection

LIU Zheyuan;MU Dejun. Secure virtualization-based fine-grained process execution monitoring[J].J4, 2012, 39(6): 181-186.

References

［1］ McAfee Threats Report. Fourth Quarter［R/OL］. ［2011-12-20］. http://www.mcafee.com/us/resources/reports/rp-quarterly-threat-q4-2010.pdf.
［2］ Azab A M, Ning P, Sezer E C, et al. HIMA: A Hypervisor-based Integrity Measurement Agent ［C］//Proc of the 25th Annual Computer Security Applications Conference. Honolulu: IEEE, 2009: 461-470.
［3］ Garfinkel T, Rosenblum M. A Virtual Machine Introspection Based Architecture for Intrusion Detection ［C］//Proc of Network and Distributed Systems Security Symposium. San Diego: ISOC, 2003: 191-206.
［4］ Payne B D, de Carbone M, Lee W K. Secure and Flexible Monitoring of Virtual Machines ［C］//Proc of the 23rd Annual Computer Security Applications Conference. Miami Beach: IEEE, 2007: 385-397.
［5］ Payne B D, de Carbone M, Sharif M, et al. Lares: An Architecture for Secure Active Monitoring Using Virtualization ［C］//Proc of the 29th IEEE Symposium on Security and Privacy. Oakland: IEEE, 2008: 233-247.
［6］ Dolan-Gavitt B, Leek T, Zhivich M, et al. Virtuoso: Narrowing the Semantic Gap in Virtual Machine Introspection ［C］//Proc of the 32nd IEEE Symposium on Security and Privacy. Berkeley: IEEE, 2011: 297-312.
［7］ Dolan-Gavitt B, Payne B D, Lee W K. Leveraging Forensic Tools for Virtual Machine Introspection ［R］. Atlanta: Technical Report. Georgia Institute of Technology, GT-CS-11-05, 2011.
［8］ Klein G, Elphinstone K, Heiser G, et al. seL4: Formal Verification of an OS Kernel ［C］//Proc of the 22nd Symposium on Operating Systems Principles. New York: ACM, 2009: 207-220.
［9］ Intel Corporation. Intel 64 and IA-32 Architectures Software Developer's Manual ［M］. Raleigh: Intel Corporation, 2012: Volume 3B.
［10］ Wikipedia. Kernel-based Virtual Machine ［EB/OL］. ［2012-01-10］. http://en.wikipedia.org/wiki/Kernel-based_Virtual_Machine.
［11］ Wikipedia. QEMU ［EB/OL］. ［2011-12-20］. http://en.wikipedia.org/wiki/QEMU.
［12］ Intel Corporation. Intel 64 and IA-32 Architectures Software Developer's Manual ［M］. Raleigh: Intel Corporation, 2012: Volume 3A.
［13］ Forrest S, Hofmeyr S, Somayaji A. The Evolution of System-Call Monitoring ［C］//Proc of the 24th Annual Computer Security Applications Conference. Anaheim: IEEE, 2008: 418-430.

Secure virtualization-based fine-grained process execution monitoring

PDF (PC)

Like

Knowledge

Cited

Abstract

Cite this article

share this article

References

Related Articles 0

Metrics

Comments

Recommended 10