ReVirt: enabling intrusion analysis through virtual-machine logging and replay
OSDI '02 Proceedings of the 5th symposium on Operating systems design and implementationCopyright restrictions prevent ACM from being able to make the PDFs for this conference available for downloading
Manitou: a layer-below approach to fighting malware
Proceedings of the 1st workshop on Architectural and system support for improving software dependability
Copilot - a coprocessor-based kernel runtime integrity monitor
SSYM'04 Proceedings of the 13th conference on USENIX Security Symposium - Volume 13
Antfarm: tracking processes in a virtual machine environment
ATEC '06 Proceedings of the annual conference on USENIX '06 Annual Technical Conference
Stealthy malware detection through vmm-based "out-of-the-box" semantic view reconstruction
Proceedings of the 14th ACM conference on Computer and communications security
VMM-based hidden process detection and identification using Lycosid
Proceedings of the fourth ACM SIGPLAN/SIGOPS international conference on Virtual execution environments
Forensics examination of volatile system data using virtual introspection
ACM SIGOPS Operating Systems Review
Lares: An Architecture for Secure Active Monitoring Using Virtualization
SP '08 Proceedings of the 2008 IEEE Symposium on Security and Privacy
Tamper-Resistant, Application-Aware Blocking of Malicious Network Connections
RAID '08 Proceedings of the 11th international symposium on Recent Advances in Intrusion Detection
Automatic Inference and Enforcement of Kernel Data Structure Invariants
ACSAC '08 Proceedings of the 2008 Annual Computer Security Applications Conference
Hypervisor support for identifying covertly executing binaries
SS'08 Proceedings of the 17th conference on Security symposium
Robust signatures for kernel data structures
Proceedings of the 16th ACM conference on Computer and communications security
DKSM: Subverting Virtual Machine Introspection for Fun and Profit
SRDS '10 Proceedings of the 2010 29th IEEE Symposium on Reliable Distributed Systems
Virtuoso: Narrowing the Semantic Gap in Virtual Machine Introspection
SP '11 Proceedings of the 2011 IEEE Symposium on Security and Privacy
Tracking payment card data flow using virtual machine state introspection
Proceedings of the 27th Annual Computer Security Applications Conference
Process Implanting: A New Active Introspection Framework for Virtualization
SRDS '11 Proceedings of the 2011 IEEE 30th International Symposium on Reliable Distributed Systems
POSTER: Introducing pathogen: a real-time virtualmachine introspection framework
Proceedings of the 2013 ACM SIGSAC conference on Computer & communications security
Cloud-Based Application Whitelisting
CLOUD '13 Proceedings of the 2013 IEEE Sixth International Conference on Cloud Computing
| Hi-index | 0.00 |
Virtual Machine Introspection (VMI) provides the ability to monitor virtual machines (VM) in an agentless fashion by gathering VM execution states from the hypervisor and analyzing those states to extract information about a running operating system (OS) without installing an agent inside the VM. VMI's main challenge lies in the difficulty in converting low-level byte string values into high-level semantic states of the monitored VM's OS. In this work, we tackle this challenge by developing a real-time kernel data structure monitoring (RTKDSM) system that leverages the rich OS analysis capabilities of Volatility, an open source computer forensics framework, to significantly simplify and automate analysis of VM execution states. The RTKDSM system is designed as an extensible software framework that is meant to be extended to perform application-specific VM state analysis. In addition, the RTKDSM system is able to perform real-time monitoring of any changes made to the extracted OS states of guest VMs. This real-time monitoring capability is especially important for VMI-based security applications. To minimize the performance overhead associated with real-time kernel data structure monitoring, the RTKDSM system has incorporated several optimizations whose effectiveness is reported in this paper.