Intrusion Detection via System Call Traces. IEEE Software.
When Virtual Is Better Than Real. HOTOS '01 Proceedings of the Eighth Workshop on Hot Topics in Operating Systems.
Toward Automated Dynamic Malware Analysis Using CWSandbox. IEEE Security and Privacy.
Intrusion detection using sequences of system calls. Journal of Computer Security.
VMM-based hidden process detection and identification using Lycosid. Proceedings of the fourth ACM SIGPLAN/SIGOPS international conference on Virtual execution environments.
Lares: An Architecture for Secure Active Monitoring Using Virtualization. SP '08 Proceedings of the 2008 IEEE Symposium on Security and Privacy.
Ether: malware analysis via hardware virtualization extensions. Proceedings of the 15th ACM conference on Computer and communications security.
A formal model for virtual machine introspection. Proceedings of the 1st ACM workshop on Virtual machine security.
Live and trustworthy forensic analysis of commodity production systems. RAID'10 Proceedings of the 13th international conference on Recent advances in intrusion detection.
Exploiting the x86 Architecture to Derive Virtual Machine State Information. SECURWARE '10 Proceedings of the 2010 Fourth International Conference on Emerging Security Information, Systems and Technologies.
DKSM: Subverting Virtual Machine Introspection for Fun and Profit. SRDS '10 Proceedings of the 2010 29th IEEE Symposium on Reliable Distributed Systems.
Shifting GEARS to enable guest-context virtual services. Proceedings of the 9th international conference on Autonomic computing.
NumChecker: detecting kernel control-flow modifying rootkits by using hardware performance counters. Proceedings of the 50th Annual Design Automation Conference.
Subverting system authentication with context-aware, reactive virtual machine introspection. Proceedings of the 29th Annual Computer Security Applications Conference.
Virtual machine introspection (VMI) describes the method of monitoring and analyzing the state of a virtual machine from the hypervisor level. This lends itself well to security applications, though the hardware virtualization support from Intel and AMD was not designed with VMI in mind. This results in many challenges for developers of hardware-supported VMI systems. This paper describes the design and implementation of our prototype framework, Nitro, for system call tracing and monitoring. Since Nitro is a purely VMI-based system, it remains isolated from attacks originating within the guest operating system and is not directly visible from within the guest. Nitro is extremely flexible as it supports all three system call mechanisms provided by the Intel x86 architecture and has been proven to work in Windows, Linux, 32-bit, and 64-bit environments. The high performance of our system allows for real-time capturing and dissemination of data without hindering usability. This is supported by extensive testing with various guest operating systems. In addition, Nitro is resistant to circumvention attempts due to a construction called hardware rooting. Finally, Nitro surpasses similar systems in both performance and functionality.