Guest-Transparent Prevention of Kernel Rootkits with VMM-Based Memory Shadowing
RAID '08 Proceedings of the 11th international symposium on Recent Advances in Intrusion Detection
Hypervisor support for identifying covertly executing binaries
SS'08 Proceedings of the 17th conference on Security symposium
Countering kernel rootkits with lightweight hook protection
Proceedings of the 16th ACM conference on Computer and communications security
A formal model for virtual machine introspection
Proceedings of the 1st ACM workshop on Virtual machine security
Live and trustworthy forensic analysis of commodity production systems
RAID'10 Proceedings of the 13th international conference on Recent advances in intrusion detection
Virtuoso: Narrowing the Semantic Gap in Virtual Machine Introspection
SP '11 Proceedings of the 2011 IEEE Symposium on Security and Privacy
Hi-index | 0.00 |
All systems that utilize virtual machine introspection (VMI) need to overcome the disconnect between the low-level state that the hypervisor sees and its semantics within the guest. This problem has become well-known as the semanticgap. In this work, we introduce our tool, InSight, that establishes a semantic connection between the guest and the hypervisor independent of the application at hand. InSight goes above and beyond previous approaches in that it strives to expose all kernel objects to an application with as little human effort as possible. It features a shell interface for interactive inspection as well as a scripting engine for comfortable and safe development of new VMI-based methods. Due to this flexibility, InSight supports a wide variety of VMI applications, such as intrusion detection, forensic analysis, malware analysis, and kernel debugging.