Virtual machine (VM) introspection is a powerful technique for determining specific aspects of guest VM execution from outside the VM. Unfortunately, existing introspection solutions share a common questionable assumption: they expect that the original kernel data structures are respected by the untrusted guest and thus can be used directly to bridge the well-known semantic gap. In this paper, we assume the perspective of the attacker and exploit this questionable assumption to subvert VM introspection. In particular, we present an attack called DKSM (Direct Kernel Structure Manipulation), and show that it can effectively deceive existing VM introspection solutions into providing false information. By assuming this perspective, we hope to better understand the challenges and opportunities for the development of future reliable VM introspection solutions that are not vulnerable to the proposed attack.