The packer filter: an efficient mechanism for user-level network code
SOSP '87 Proceedings of the eleventh ACM Symposium on Operating systems principles
Implementing a distributed firewall
Proceedings of the 7th ACM conference on Computer and communications security
Xen and the art of virtualization
SOSP '03 Proceedings of the nineteenth ACM symposium on Operating systems principles
Terra: a virtual machine-based platform for trusted computing
SOSP '03 Proceedings of the nineteenth ACM symposium on Operating systems principles
Siren: Catching Evasive Malware (Short Paper)
SP '06 Proceedings of the 2006 IEEE Symposium on Security and Privacy
Flexible OS support and applications for trusted computing
HOTOS'03 Proceedings of the 9th conference on Hot Topics in Operating Systems - Volume 9
Constructing services with interposable virtual hardware
NSDI'04 Proceedings of the 1st conference on Symposium on Networked Systems Design and Implementation - Volume 1
Lurking in the Shadows: Identifying Systemic Threats to Kernel Data
SP '07 Proceedings of the 2007 IEEE Symposium on Security and Privacy
Towards a VMM-based usage control framework for OS kernel integrity protection
Proceedings of the 12th ACM symposium on Access control models and technologies
Splitting interfaces: making trust between applications and operating systems configurable
OSDI '06 Proceedings of the 7th USENIX Symposium on Operating Systems Design and Implementation - Volume 7
USENIX-SS'06 Proceedings of the 15th conference on USENIX Security Symposium - Volume 15
Linux kernel integrity measurement using contextual inspection
Proceedings of the 2007 ACM workshop on Scalable trusted computing
Automated detection of persistent kernel control-flow attacks
Proceedings of the 14th ACM conference on Computer and communications security
Panorama: capturing system-wide information flow for malware detection and analysis
Proceedings of the 14th ACM conference on Computer and communications security
Stealthy malware detection through vmm-based "out-of-the-box" semantic view reconstruction
Proceedings of the 14th ACM conference on Computer and communications security
"Out-of-the-Box" monitoring of VM-based high-interaction honeypots
RAID'07 Proceedings of the 10th international conference on Recent advances in intrusion detection
Automatic discovery of parasitic malware
RAID'10 Proceedings of the 13th international conference on Recent advances in intrusion detection
RAID'10 Proceedings of the 13th international conference on Recent advances in intrusion detection
Attribution of malicious behavior
ICISS'10 Proceedings of the 6th international conference on Information systems security
Proceedings of the 18th ACM conference on Computer and communications security
Automated remote repair for mobile malware
Proceedings of the 27th Annual Computer Security Applications Conference
Evolution of traditional digital forensics in virtualization
Proceedings of the 50th Annual Southeast Regional Conference
Virtual machine introspection in a hybrid honeypot architecture
CSET'12 Proceedings of the 5th USENIX conference on Cyber Security Experimentation and Test
Towards a richer model of cloud app markets
Proceedings of the 2012 ACM Workshop on Cloud computing security workshop
Proceedings of the 2012 ACM conference on Computer and communications security
Efficient protection of kernel data structures via object partitioning
Proceedings of the 28th Annual Computer Security Applications Conference
NumChecker: detecting kernel control-flow modifying rootkits by using hardware performance counters
Proceedings of the 50th Annual Design Automation Conference
Evolution of digital forensics in virtualization by using virtual machine introspection
Proceedings of the 51st ACM Southeast Conference
Bridging the Semantic Gap in Virtual Machine Introspection via Online Kernel Data Redirection
ACM Transactions on Information and System Security (TISSEC)
Real-time deep virtual machine introspection and its applications
Proceedings of the 10th ACM SIGPLAN/SIGOPS international conference on Virtual execution environments
Hi-index | 0.00 |
Application-level firewalls block traffic based on the process that is sending or receiving the network flow. They help detect bots, worms, and backdoors that send or receive malicious packets without the knowledge of users. Recent attacks show that these firewalls can be disabled by knowledgeable attackers. To counter this threat, we develop VMwall, a fine-grained tamper-resistant process-oriented firewall. VMwall's design blends the process knowledge of application-level firewalls with the isolation of traditional stand-alone firewalls. VMwall uses the Xen hypervisor to provide protection from malware, and it correlates TCP or UDP traffic with process information using virtual machine introspection. Experiments show that VMwall successfully blocks numerous real attacks--bots, worms, and backdoors--against a Linux system while allowing all legitimate network flows. VMwall is performant, imposing only a 0---1 millisecond delay on TCP connection establishment, less than a millisecond delay on UDP connections, and a 1---7% slowdown on network-bound applications. Our attack analysis argues that with the use of appropriate external protection of guest kernels, VMwall's introspection remains robust and helps identify malicious traffic.