With security researchers relying on virtual machines (VMs) in their analysis work, malware has a significant stake in detecting the presence of a VM so that it can avoid executing its malicious behavior there. But hiding a VM from malware by building a transparent virtual machine monitor (VMM) is fundamentally infeasible, as well as impractical from a performance and engineering standpoint. This paper proposes an idea from another perspective: hiding the "real" machine from VMM-aware malware. We propose a minimal VMM called MiniVMM, onto which a booted OS (the OS we aim to protect) can be migrated on demand. In our protection model, all untrusted code, even though it has been verified by VMM-based malware detectors, should be executed in this migrated OS. Instead of building a transparent VMM, MiniVMM deliberately exposes VMM fingerprints to protect the computer against VMM-aware malicious programs, deceiving them into deactivating their destructive behavior by themselves. MiniVMM has two key features: dynamic OS migration and emulation of commodity VMM fingerprints. Unlike existing VMM solutions, MiniVMM lets the protected OS move between VMM mode and native mode dynamically. MiniVMM can also emulate the fingerprints of prevalent VMMs to make the protected computer look more like a "real" VM. MiniVMM might be deployed as a valuable complement to existing VMM-based security approaches, making native OSes immune to VMM-aware malware.