Detecting malware signatures in a thin hypervisor

Authors:
Yoshihiro Oyama;Tran Truong Duc Giang;Yosuke Chubachi;Takahiro Shinagawa;Kazuhiko Kato
Affiliations:
The University of Electro-Communications, Chofugaoka, Chofu-shi, Tokyo, Japan;The University of Electro-Communications, Chofugaoka, Chofu-shi, Tokyo, Japan;University of Tsukuba, Tennodai, Tsukuba, Ibaraki, Japan;The University of Tokyo, Yayoi, Bunkyo-ku, Tokyo, Japan;University of Tsukuba, Tennodai, Tsukuba, Ibaraki, Japan
Venue:
Proceedings of the 27th Annual ACM Symposium on Applied Computing
Year:
2012

Citing 12
Cited 0

Efficient string matching: an aid to bibliographic search

Communications of the ACM
Virtual-Machine-based Intrusion Detection on File-aware Block Level Storage

SBAC-PAD '06 Proceedings of the 18th International Symposium on Computer Architecture and High Performance Computing
Storage-based intrusion detection: watching storage activity for suspicious behavior

SSYM'03 Proceedings of the 12th conference on USENIX Security Symposium - Volume 12
SecVisor: a tiny hypervisor to provide lifetime kernel code integrity for commodity OSes

Proceedings of twenty-first ACM SIGOPS symposium on Operating systems principles
Lares: An Architecture for Secure Active Monitoring Using Virtualization

SP '08 Proceedings of the 2008 IEEE Symposium on Security and Privacy
Guest-Transparent Prevention of Kernel Rootkits with VMM-Based Memory Shadowing

RAID '08 Proceedings of the 11th international symposium on Recent Advances in Intrusion Detection
BitVisor: a thin hypervisor for enforcing i/o device security

Proceedings of the 2009 ACM SIGPLAN/SIGOPS international conference on Virtual execution environments
TCP Reassembler for Layer7-Aware Network Intrusion Detection/Prevention Systems

IEICE - Transactions on Information and Systems
Stealthy malware detection and monitoring through VMM-based “out-of-the-box” semantic view reconstruction

ACM Transactions on Information and System Security (TISSEC)
MAVMM: Lightweight and Purpose Built VMM for Malware Analysis

ACSAC '09 Proceedings of the 2009 Annual Computer Security Applications Conference
Hypervisor-based prevention of persistent rootkits

Proceedings of the 2010 ACM Symposium on Applied Computing
TrustVisor: Efficient TCB Reduction and Attestation

SP '10 Proceedings of the 2010 IEEE Symposium on Security and Privacy

Quantified Score

Hi-index	0.00

Visualization

Abstract

Enhancement of security using hypervisors is an effective approach that has been extensively studied. This paper is concerned with hypervisors using the parapass-through architecture, in which most of the I/O accesses from the operating system are passed through the hypervisor, while the minimum accesses necessary to implement security functionality are mediated by the hypervisor. Parapass-through hypervisors can provide various security functionalities such as encryption of storage data and creation of virtual private networks. Although a previous study has detailed a method for protecting privacy with a parapass-through hypervisor, it has not yet clarified a method for detecting malware. In this paper, we propose a scheme for incorporating malware detection functionality into a parapass-through hypervisor. Using this scheme, we implemented BVMD, an extension of a parapass-through hypervisor BitVisor, for malware detection. BVMD detects malware by comparing the contents of the data I/O with the malware signatures. A major advantage of BVMD is that its detection depends only slightly on the guest operating system. We confirmed through experiments that BVMD could detect many in-the-wild malware.