Implicit Detection of Hidden Processes with a Feather-Weight Hardware-Assisted Virtual Machine Monitor

Authors:
Yan Wen;Jinjing Zhao;Huaimin Wang;Jiannong Cao
Affiliations:
School of Computer, National University of Defense Technology, Changsha, China;Beijing Institute of System Engineering, Beijing, China;School of Computer, National University of Defense Technology, Changsha, China;Department of Computing, Hong Kong Polytechnic University, Kowloon, Hong Kong, China
Venue:
ACISP '08 Proceedings of the 13th Australasian conference on Information Security and Privacy
Year:
2008

Citing 9
Cited 1

Xen and the art of virtualization

SOSP '03 Proceedings of the nineteenth ACM symposium on Operating systems principles
ReVirt: enabling intrusion analysis through virtual-machine logging and replay

OSDI '02 Proceedings of the 5th symposium on Operating systems design and implementationCopyright restrictions prevent ACM from being able to make the PDFs for this conference available for downloading
Intel Virtualization Technology

Computer
Detecting Stealth Software with Strider GhostBuster

DSN '05 Proceedings of the 2005 International Conference on Dependable Systems and Networks
Detecting past and present intrusions through vulnerability-specific predicates

Proceedings of the twentieth ACM symposium on Operating systems principles
A comparison of software and hardware techniques for x86 virtualization

Proceedings of the 12th international conference on Architectural support for programming languages and operating systems
Copilot - a coprocessor-based kernel runtime integrity monitor

SSYM'04 Proceedings of the 13th conference on USENIX Security Symposium - Volume 13
Implicit Detection of Hidden Processes with a Local-Booted Virtual Machine

ISA '08 Proceedings of the 2008 International Conference on Information Security and Assurance (isa 2008)
A secure virtual execution environment for untrusted code

ICISC'07 Proceedings of the 10th international conference on Information security and cryptology

The performance analysis for virtualisation cluster and cloud platforms

International Journal of Computational Science and Engineering

Quantified Score

Hi-index	0.00

Visualization

Abstract

Process hiding is a commonly used stealth technique which facilitates the evasion from the detection by anti-malware programs. In this paper, we propose a new approach called Ariesto implicitly detect the hidden processes. Aries introduces a novel feather-weight hardware-assisted virtual machine monitor (VMM) to obtain the True Process List (TPL). Compared to existing VMM-based approaches, Aries offers three distinct advantages: dynamic OS migration, implicit introspection of TPLand non-bypassable interfacesfor exposing TPL. Unlike typical VMMs, Aries can dynamically migrate a booted OS on it. By tracking the low-level interactions between the OS and the memory management structures, Aries is decoupled with the explicit OS implementation information which is subvertable for the privileged malware. Our functionality evaluation shows Aries can detect more process-hiding malware than existing detectors while the performance evaluation shows desktop-oriented workloads achieve 95.2% of native speed on average.