Psyco-Virt is a high-assurance intrusion detection tool that merges host and network intrusion detection technologies with virtual machine introspection. The Psyco-Virt architecture includes a cluster of virtual machines, the monitored VMs, which run the OS and applications of interest, and a further VM, the introspection VM. Several agents distributed across the monitored VMs execute network and host IDS tools to discover attempted intrusions/attacks on the monitored VMs. The introspection VM makes the detection tools trustworthy by running an introspector and a director to discover any attempt to maliciously modify the kernel, the agents and the IDSes hosted on a monitored VM. On each monitored VM a collector gathers the alerts generated by the agents and forwards them to the director through a control network dedicated to data exchange among the agents and the introspection VM. The director on the introspection VM filters all the alerts and delegates the execution of a proper action to a notifier whenever an intrusion or an attempt to modify the IDSes is detected. In such cases, a monitored VM can either be stopped or frozen and its current state saved in a file for a later, deeper inspection. After describing Psyco-Virt, we discuss some examples of agents and functions using introspection and present preliminary results and performance figures of a first prototype.
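The alert flow described above (introspector verifies the guest's kernel, agent and IDS code; director filters agent alerts and picks the notifier action) as an added Python model that is not the Psyco-Virt prototype's own code. The code regions, hashes and the freeze/stop policy are constructed assumptions for illustration.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Alert:
    vm: str       # monitored VM that raised the alert
    source: str   # "host-ids", "net-ids" or "introspector"
    kind: str     # e.g. "ssh-bruteforce", "agent-tampered"


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed stand-in for the code regions the introspector reads
# from a monitored VM's memory; real regions would be kernel text etc.
GOOD_REGIONS = {"kernel": b"\x55\x48\x89\xe5kernel-text",
                "agent": b"\x55\x48\x89\xe5agent-text",
                "ids": b"\x55\x48\x89\xe5ids-text"}
BASELINE = {name: sha256(code) for name, code in GOOD_REGIONS.items()}


def introspect(vm: str, regions: dict, baseline: dict) -> list:
    """Introspector role: hash each region read from the monitored VM
    and report every mismatch against the known-good baseline."""
    return [Alert(vm, "introspector", f"{name}-tampered")
            for name, code in regions.items()
            if baseline.get(name) != sha256(code)]


def direct(vm: str, agent_alerts: list, regions: dict, baseline=BASELINE):
    """Director role: choose the notifier action for one monitored VM.
    Assumed policy: any tampering with kernel/agent/IDS -> 'freeze'
    (state saved for deeper inspection); intrusion alerts from agents
    whose integrity holds -> 'stop'; otherwise 'none'.  Agent alerts
    are only trusted once introspection finds the agents unmodified."""
    tamper = introspect(vm, regions, baseline)
    if tamper:
        return "freeze", tamper
    intrusions = [a for a in agent_alerts
                  if a.vm == vm and a.source in ("host-ids", "net-ids")]
    if intrusions:
        return "stop", intrusions
    return "none", []
```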