Xen and the art of virtualization
SOSP '03 Proceedings of the nineteenth ACM symposium on Operating systems principles
Intrusion Detection in Virtual Machine Environments
EUROMICRO '04 Proceedings of the 30th EUROMICRO Conference
Secure coprocessor-based intrusion detection
EW 10 Proceedings of the 10th workshop on ACM SIGOPS European workshop
Copilot - a coprocessor-based kernel runtime integrity monitor
SSYM'04 Proceedings of the 13th conference on USENIX Security Symposium - Volume 13
Forensics examination of volatile system data using virtual introspection
ACM SIGOPS Operating Systems Review
KvmSec: a security extension for Linux kernel virtual machines
Proceedings of the 2009 ACM symposium on Applied Computing
Cloud security is not (just) virtualization security: a short paper
Proceedings of the 2009 ACM workshop on Cloud computing security
TimeCapsule: secure recording of accesses to a protected datastore
Proceedings of the 1st ACM workshop on Virtual machine security
Hypervisor-based prevention of persistent rootkits
Proceedings of the 2010 ACM Symposium on Applied Computing
dAnubis: dynamic device driver analysis based on virtual machine introspection
DIMVA'10 Proceedings of the 7th international conference on Detection of intrusions and malware, and vulnerability assessment
SymCall: symbiotic virtualization through VMM-to-guest upcalls
Proceedings of the 7th ACM SIGPLAN/SIGOPS international conference on Virtual execution environments
| Hi-index | 0.00 |
A variety of tools and architectures have been developed to detect security violations to Operating System kernels. However, they all have fundamental flaw in the design so that they fail to discover kernel-level attack. Few hardware solutions have been proposed to address the outstanding problem, but unfortunately they are not widely accepted. This paper presents a software-based method to detect intrusion to kernel. The proposed tool named XenKIMONO, which is based on Xen Virtual Machine, is able to detect many kernel rootkits in virtual machines with small penalty to the system's performance. In contrast with the traditional approaches, XenKIMONO is isolated with the kernel being monitored, thus it can still function correctly even if the observed kernel is compromised. Moreover, XenKIMONO is flexible and easy to deploy as it absolutely does not require any modification to the monitored systems.