A VMM (virtual machine monitor) provides inspection of and interposition on the guest OS. With appropriate modifications to the guest OS and the VMM, we can obtain incident-driven memory snapshots for malicious-code forensics. In this paper we propose asynchronous memory snapshotting and forensics using a split kernel module. The split kernel module works on virtualized interrupt handling and notifies the VMM side of a security incident on the guest OS. On the frontend, we insert a virtualized interrupt into the source code of the MAC (mandatory access control) module and other security modules. The backend kernel module then receives the interrupt as an asynchronous incident notification. In our experiment, we take a RAM snapshot during the installation of an LKM rootkit that uses system call extension. Frequently appearing strings are extracted in order to find the memory blocks that were assigned to the LKM rootkit. We also show that the asynchronous snapshot enables us to find evidence of malicious software in the memory snapshot by simple string analysis in linear time.
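The string-analysis step of the abstract, as an added example that is not the paper's own code: a single linear pass extracts printable runs from a RAM snapshot, counts how often each string occurs, and attributes the frequent ones back to the page-sized blocks that hold them, so the blocks assigned to a loaded LKM rootkit stand out. The snapshot is constructed in memory, the 4 KiB block size, the minimum string length, the frequency threshold and the rootkit's names (`hide_proc_mod`, `hooked_getdents64`, and so on) are all assumptions made for the demonstration.

```python
"""String-frequency triage of a RAM snapshot (added example, not the paper's code).

Extracts printable strings from a memory image in one linear scan, keeps the
ones that recur, and maps them back to the blocks they were found in. The
image, block size, thresholds and 'rootkit' names below are assumptions.
"""
import re
from collections import Counter, defaultdict

BLOCK_SIZE = 4096   # assumption: analyse the image in page-sized blocks
MIN_LEN = 6         # assumption: shortest printable run treated as a string
MIN_COUNT = 3       # assumption: a string seen this often is a candidate
# Runs of printable ASCII, like strings(1); one regex pass over the image.
STRING_RE = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)


def extract_strings(image: bytes):
    """Yield (offset, text) for every printable run in a single linear scan."""
    for m in STRING_RE.finditer(image):
        yield m.start(), m.group().decode("ascii")


def frequent_strings(image: bytes, min_count: int = MIN_COUNT) -> dict:
    """Map each string seen at least min_count times to its occurrence count."""
    counts = Counter(text for _, text in extract_strings(image))
    return {text: n for text, n in counts.items() if n >= min_count}


def evidence_blocks(image: bytes, block_size: int = BLOCK_SIZE,
                    min_count: int = MIN_COUNT) -> dict:
    """Map block index -> Counter of frequent strings found inside that block.

    Blocks dense with frequent strings are candidates for the rootkit's memory:
    a module's name and hooked symbol names recur in its symtab/strtab/modinfo.
    """
    frequent = frequent_strings(image, min_count)
    blocks = defaultdict(Counter)
    for off, text in extract_strings(image):
        if text in frequent:
            blocks[off // block_size][text] += 1
    return dict(blocks)


def rank_blocks(image: bytes, block_size: int = BLOCK_SIZE) -> list:
    """Return [(block_index, hits)] with the most suspicious block first."""
    blocks = evidence_blocks(image, block_size)
    return sorted(((b, sum(c.values())) for b, c in blocks.items()),
                  key=lambda item: (-item[1], item[0]))


def build_sample_image(blocks: int = 16, block_size: int = BLOCK_SIZE) -> bytes:
    """Constructed snapshot: zero-filled pages, three benign strings that each
    occur once, and a hypothetical LKM rootkit whose strings recur in blocks 9-10."""
    image = bytearray(blocks * block_size)
    benign = [b"Linux version (constructed sample)", b"ext4 filesystem", b"/sbin/init"]
    for i, s in enumerate(benign):
        off = (i + 1) * block_size + 100
        image[off:off + len(s)] = s
    # Hypothetical rootkit image: module name and hooked-syscall symbol names,
    # each written five times at a 256-byte stride starting inside block 9.
    rootkit = [b"hide_proc_mod", b"sys_call_table", b"orig_getdents64", b"hooked_getdents64"]
    off = 9 * block_size + 64
    for _rep in range(5):
        for s in rootkit:
            chunk = b"\x00" + s + b"\x00"   # NUL-delimit so adjacent runs do not merge
            image[off:off + len(chunk)] = chunk
            off += 256
    return bytes(image)


if __name__ == "__main__":
    img = build_sample_image()
    for text, n in sorted(frequent_strings(img).items()):
        print(f"{n:3d}x {text}")
    for block, hits in rank_blocks(img):
        print(f"block {block:3d} @0x{block * BLOCK_SIZE:08x}: {hits} frequent-string hits")
```

On a real incident snapshot, legitimate kernel and userland strings also recur, so the frequency ranking is a triage aid rather than a verdict: comparing the ranked blocks against a snapshot of the same guest taken before the incident, or against a list of strings known to belong to the stock kernel, narrows the candidates to the blocks the rootkit actually introduced.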