Asynchronous pseudo physical memory snapshot and forensics on paravirtualized VMM using split kernel module

Authors:
Ruo Ando;Youki Kadobayashi;Youichi Shinoda
Affiliations:
National Institute of Information and Communication Technology, Koganei, Tokyo, Japan;National Institute of Information and Communication Technology, Koganei, Tokyo, Japan;National Institute of Information and Communication Technology, Koganei, Tokyo, Japan
Venue:
ICISC'07 Proceedings of the 10th international conference on Information security and cryptology
Year:
2007

Citing 10
Cited 1

A Retrospective on the VAX VMM Security Kernel

IEEE Transactions on Software Engineering
Xen and the art of virtualization

SOSP '03 Proceedings of the nineteenth ACM symposium on Operating systems principles
ReVirt: enabling intrusion analysis through virtual-machine logging and replay

OSDI '02 Proceedings of the 5th symposium on Operating systems design and implementationCopyright restrictions prevent ACM from being able to make the PDFs for this conference available for downloading
Intel Virtualization Technology

Computer
Building a MAC-Based Security Architecture for the Xen Open-Source Hypervisor

ACSAC '05 Proceedings of the 21st Annual Computer Security Applications Conference
SubVirt: Implementing malware with virtual machines

SP '06 Proceedings of the 2006 IEEE Symposium on Security and Privacy
Framework for instruction-level tracing and analysis of program executions

Proceedings of the 2nd international conference on Virtual execution environments
Are virtual machine monitors microkernels done right?

HOTOS'05 Proceedings of the 10th conference on Hot Topics in Operating Systems - Volume 10
Virtualization: Old Technology Offers Huge New Potential

IEEE Distributed Systems Online
Centralized security policy support for virtual machine

LISA '06 Proceedings of the 20th conference on Large Installation System Administration

Vis: virtualization enhanced live acquisition for native system

Proceedings of the Second Asia-Pacific Workshop on Systems

Quantified Score

Hi-index	0.00

Visualization

Abstract

VMM (virtual machine monitor) provides the useful inspection and interposition of the guest OS. With proper modification of the guest OS and VMM, we can obtain incident-driven memory snapshot for malicious code forensics. In this paper we propose an asynchronous memory snapshot and forensics using split kernel module. Our split kernel module works for the virtualized interruption handling, which notifies the security incident on the guest OS. On frontend, we insert virtualized interruption into source code of MAC (mandatory access control) module and other security modules. Then, backend kernel module receives interruption as the asynchronous incident notification. In experiment, we take RAM snapshot of LKM-rootkit installation using system call extension. Frequently appeared strings are extracted in order to find the evidence memory blocks which was assigned for LKM-rootkit. Also, it is showed that asynchronous snapshot enables us to find the evidence of malicious software in memory snapshot by simple string analysis in linear time.