OS-Sommelier: memory-only operating system fingerprinting in the cloud. Proceedings of the Third ACM Symposium on Cloud Computing.
Proceedings of the 9th ACM SIGPLAN/SIGOPS International Conference on Virtual Execution Environments.
Adversarial attacks against intrusion detection systems: Taxonomy, solutions and open issues. Information Sciences: an International Journal.
Enforcing system-wide control flow integrity for exploit detection and diagnosis. Proceedings of the 8th ACM SIGSAC Symposium on Information, Computer and Communications Security.
CPU transparent protection of OS kernel and hypervisor integrity with programmable DRAM. Proceedings of the 40th Annual International Symposium on Computer Architecture.
Bridging the Semantic Gap in Virtual Machine Introspection via Online Kernel Data Redirection. ACM Transactions on Information and System Security (TISSEC).
Obfuscation resilient binary code reuse through trace-oriented programming. Proceedings of the 2013 ACM SIGSAC Conference on Computer & Communications Security.
Tappan Zee (north) bridge: mining memory accesses for introspection. Proceedings of the 2013 ACM SIGSAC Conference on Computer & Communications Security.
Subverting system authentication with context-aware, reactive virtual machine introspection. Proceedings of the 29th Annual Computer Security Applications Conference.
It is generally believed to be a tedious, time-consuming, and error-prone process to develop a virtual machine introspection (VMI) tool manually because of the semantic gap. Recent advances in Virtuoso show that we can largely narrow the semantic gap, but it still cannot completely automate VMI tool generation. In this paper, we present VMST, an entirely new technique that can automatically bridge the semantic gap and generate VMI tools. The key idea is that, through system-wide instruction monitoring, we can automatically identify the introspection-related data and redirect these data accesses to the in-guest kernel memory. VMST offers a number of new features and capabilities. In particular, it automatically turns an in-guest inspection program into an introspection program. We have tested VMST over 15 commonly used utilities on top of 20 different Linux kernels. The experimental results show that our technique is general (largely OS-agnostic), and that it introduces 9.3X overhead on average for the introspected program compared to the native non-redirected one.