Skip to main content
SpringerLink
Log in

NOR: Towards Non-intrusive, Real-Time and OS-agnostic Introspection for Virtual Machines in Cloud Environment

  • Conference paper
  • First Online:
Book cover Information Security and Cryptology (Inscrypt 2017)

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 10726))

Included in the following conference series:

Abstract

Cloud platforms of large enterprises are witnessing increasing adoption of the Virtual Machine Introspection (VMI) technology for building a wide range of VM monitoring applications including intrusion detection systems, virtual firewall, malware analysis, and live memory forensics. In our analysis and comparison of existing VMI systems, we found that most systems suffer one or more of the following problems: intrusiveness, time lag and OS-dependence, which are not well suited to clouds in practice. To address these problems, we present NOR, a non-intrusive, real-time and OS-agnostic introspection system for virtual machines in cloud environment. It employs event-driven monitoring and snapshot polling cooperatively to reconstruct the memory state of guest VMs. In our evaluation, we show NOR is capable of monitoring activities of guest VMs instantaneously with minor performance overhead. We also design some case studies to show that NOR is able to detect kernel rootkits and mitigate transient attacks for different Linux systems.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 39.99
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 54.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

References

  1. Malicious documents leveraging new anti vm anti sandbox techniques. https://www.zscaler.com/blogs/research/malicious-documents-leveraging-new-anti-vm-anti-sandbox-techniques

  2. Arulraj, L., Arpaci-Dusseau, A.C., Arpaci-Dusseau, R.H.: Improving virtualized storage performance with sky. In: Proceedings of ACM SIGPLAN/SIGOPS International Conference on Virtual Execution Environments (VEE), pp. 112–128 (2017)

    Google Scholar 

  3. Azab, A.M., Ning, P., Wang, Z., Jiang, X., Zhang, X., Skalsky, N.C.: Hypersentry: enabling stealthy in-context measurement of hypervisor integrity. In: Proceedings of ACM Conference on Computer and Communications Security (CCS), pp. 38–49 (2010)

    Google Scholar 

  4. Bahram, S., Jiang, X., Wang, Z., Grace, M., Li, J., Srinivasan, D., Rhee, J., Xu, D.: DKSM: subverting virtual machine introspection for fun and profit. In: Proceedings of IEEE Symposium on Reliable Distributed Systems (SRDS), pp. 82–91 (2010)

    Google Scholar 

  5. Bauman, E., Ayoade, G., Lin, Z.: A survey on hypervisor-based monitoring: approaches, applications, and evolutions. ACM Comput. Surv. 48(1), 10:1–10:33 (2015)

    Article  Google Scholar 

  6. Carbone, M., Conover, M., Montague, B., Lee, W.: Secure and robust monitoring of virtual machines through guest-assisted introspection. In: Balzarotti, D., Stolfo, S.J., Cova, M. (eds.) RAID 2012. LNCS, vol. 7462, pp. 22–41. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-33338-5_2

    Chapter  Google Scholar 

  7. Intel Corporation. Intel 64 and ia-32 architectures software developer manuals

    Google Scholar 

  8. Deng, Z., Zhang, X., Xu, D.: Spider: stealthy binary program instrumentation and debugging via hardware virtualization. In: Proceedings of Annual Computer Security Applications Conference (ACSAC), pp. 289–298 (2013)

    Google Scholar 

  9. Denz, R., Taylor, S.: A survey on securing the virtual cloud. J. Cloud Comput. Adv. Syst. Appl. 2(1), 17 (2013)

    Article  Google Scholar 

  10. Dinaburg, A., Paul, P.R., Sharif, M., Lee, W.: Ether: malware analysis via hardware virtualization extensions. In: Proceedings of ACM Conference on Computer and Communications Security (CCS), pp. 51–62 (2008)

    Google Scholar 

  11. Dolan-Gavitt, B., Payneand, B., Lee, W.: Leveraging forensic tools for virtual machine introspection. In: Technical report GT-CS-11-05. Georgia Institute of Technology (2011)

    Google Scholar 

  12. Dolan-Gavitt, B., Leek, T., Zhivich, M., Giffin, J., Lee, W.: Virtuoso: narrowing the semantic gap in virtual machine introspection. In: Proceedings of IEEE Symposium on Security and Privacy (S&P), pp. 297–312 (2011)

    Google Scholar 

  13. Fu, Y., Lin, Z.: Space traveling across VM: Automatically bridging the semantic gap in virtual machine introspection via online kernel data redirection. In: Proceedings of IEEE Symposium on Security and Privacy (S&P), pp. 586–600 (2012)

    Google Scholar 

  14. Fu, Y., Lin, Z.: Exterior: using a dual-VM based external shell for guest-OS introspection, configuration, and recovery. In: Proceedings of ACM SIGPLAN/SIGOPS International Conference on Virtual Execution Environments (VEE), pp. 97–110 (2013)

    Google Scholar 

  15. Fu, Y., Zeng, J., Lin, Z.: Hypershell: a practical hypervisor layer guest OS shell for automated in-VM management. In: Proceedings of USENIX Annual Technical Conference (ATC), pp. 85–96 (2014)

    Google Scholar 

  16. Garfinkel, Z., Rosenblum, M.: A virtual machine introspection based architecture for intrusion detection. In: Proceedings of Network and Distributed System Security Symposium (NDSS), pp. 191–206 (2003)

    Google Scholar 

  17. Gorobets, M., Bazhaniuk, M., Matrosov, A., Furtak, A., Bulygin, Y.: Attacking hypervisors via firmware and hardware. In: Black Hat USA (2015)

    Google Scholar 

  18. Gu, Z., Deng, Z., Xu, Z., Jiang, X.: Process implanting: a new active introspection framework for virtualization. In: Proceedings of IEEE Symposium on Reliable Distributed Systems (SRDS), pp. 147–156 (2011)

    Google Scholar 

  19. Hizver, X., Chiueh, T.: Real-time deep virtual machine introspection and its applications. In: Proceedings of ACM SIGPLAN/SIGOPS International Conference on Virtual Execution Environments (VEE), pp. 3–14 (2014)

    Google Scholar 

  20. Jain, B., Baig, M.B., Zhang, D., Porter, D.E., Sion, R.: Sok: introspections on trust and the semantic gap. In: Proceedings of IEEE Symposium on Security and Privacy (S&P), pp. 605–620 (2014)

    Google Scholar 

  21. Jiang, X., Wang, X.: “Out-of-the-Box” monitoring of VM-based high-interaction honeypots. In: Kruegel, C., Lippmann, R., Clark, A. (eds.) RAID 2007. LNCS, vol. 4637, pp. 198–218. Springer, Heidelberg (2007). https://doi.org/10.1007/978-3-540-74320-0_11

    Chapter  Google Scholar 

  22. Jiang, X., Wang, X., Xu, D.: Stealthy malware detection through VMM-based out-of-the-box semantic view reconstruction. In: Proceedings of ACM Conference on Computer and Communications Security (CCS), pp. 128–138 (2007)

    Google Scholar 

  23. Jones, S.T., Arpaci-Dusseau, A.C., Arpaci-Dusseau, R.H.: Antfarm: tracking processes in a virtual machine environment. In: Proceedings of USENIX Annual Technical Conference (ATC), pp. 1–14 (2006)

    Google Scholar 

  24. Kocher, P., Jaffe, J., Jun, B.: Differential power analysis. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 388–397. Springer, Heidelberg (1999). https://doi.org/10.1007/3-540-48405-1_25

    Chapter  Google Scholar 

  25. Liu, Y., Xia, Y., Guan, H., Zang, B., Chen, H.: Concurrent and consistent virtual machine introspection with hardware transactional memory. In: Proceedings of IEEE International Symposium on High Performance Computer Architectur(HPCA), pp. 416–427 (2014)

    Google Scholar 

  26. Michael, P., Sherali, Z., Ray, H.: Virtualization: issues, security threats, and solutions. ACM Comput. Survey. 45(2), 17:1–17:39 (2013)

    Google Scholar 

  27. Payne, B.D.: Simplifying virtual machine introspection using LibVMI. In: Technical report SAND 2012-7818, Sandia National Laboratories (2012)

    Google Scholar 

  28. Payne, B.D., Carbone, M., Sharif, M., Lee, W.: Lares: an architecture for secure active monitoring using virtualization. In: Proceedings of IEEE Symposium on Security and Privacy (S&P), pp. 233–247 (2008)

    Google Scholar 

  29. Pfoh, J., Schneider, C., Eckert, C.: Nitro: hardware-based system call tracing for virtual machines. In: Iwata, T., Nishigaki, M. (eds.) IWSEC 2011. LNCS, vol. 7038, pp. 96–112. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-25141-2_7

    Chapter  Google Scholar 

  30. Rhee, J., Riley, R., Xu, D., Jiang, X.: Kernel malware analysis with un-tampered and temporal views of dynamic kernel memory. In: Jha, S., Sommer, R., Kreibich, C. (eds.) RAID 2010. LNCS, vol. 6307, pp. 178–197. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-15512-3_10

    Chapter  Google Scholar 

  31. Riley, R., Jiang, X., Xu, D.: Guest-transparent prevention of kernel rootkits with VMM-based memory shadowing. In: Lippmann, R., Kirda, E., Trachtenberg, A. (eds.) RAID 2008. LNCS, vol. 5230, pp. 1–20. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-87403-4_1

    Chapter  Google Scholar 

  32. Sharif, M.I., Lee, M.I., Cui, W., Lanzi, A.: Secure in-VM monitoring using hardware virtualization. In: Proceedings of ACM Conference on Computer and Communications Security (CCS), pp. 477–487 (2009)

    Google Scholar 

  33. Shi, L., Wu, Y., Xia, Y., Dautenhahn, N., Chen, H., Zang, B., Guan, H., Li, J.L.: Deconstructing Xen (2017)

    Google Scholar 

  34. Srinivasan, D., Wang, Z., Jiang, X., Xu, D.: Process out-grafting: An efficient “out-of-VM” approach for fine-grained process execution monitoring. In: Proceedings of the 18th ACM Conference on Computer and Communications Security (CCS), pp. 363–374 (2011)

    Google Scholar 

  35. Srivastava, A., Giffin, J.: Efficient monitoring of untrusted kernel-mode execution. In: Proceedings of Network and Distributed System Security Symposium (NDSS) (2011)

    Google Scholar 

  36. Suneja, S., Isci, C., Lara, E., Bala, V.: Exploring Vm introspection: techniques and trade-offs. In: Proceedings of ACM SIGPLAN/SIGOPS International Conference on Virtual Execution Environments (VEE), pp. 133–146 (2015)

    Google Scholar 

  37. Wang, C., Yun, X., Hao, Z., Cui, L., Han, Y., Zou, Q.: Exploring efficient and robust virtual machine introspection techniques. In: Wang, G., Zomaya, A., Perez, G.M., Li, K. (eds.) ICA3PP 2015, Part III. LNCS, vol. 9530, pp. 429–448. Springer, Cham (2015). https://doi.org/10.1007/978-3-319-27137-8_32

    Chapter  Google Scholar 

  38. Wang, G., Estrada, Z.J., Pham, C., Kalbarczyk, C., Iyer, R.K.: Hypervisor introspection: a technique for evading passive virtual machine monitoring. In: Proceedings of USENIX WOOT, pp. 12–19 (2015)

    Google Scholar 

  39. Wang, Z., Jiang, X.: Hypersafe: a lightweight approach to provide lifetime hypervisor control-flow integrity. In: Proceedings of IEEE Symposium on Security and Privacy (S&P), pp. 380–395 (2010)

    Google Scholar 

  40. Weng, C., Liu, Q., Li, K., Zou, D.: Cloudmon: monitoring virtual machines in clouds. IEEE Trans. Comput. 65(12), 3787–3793 (2016)

    MathSciNet  MATH  Google Scholar 

  41. Wu, R., Chen, P., Liu, P., Mao, B.: System call redirection: a practical approach to meeting real-world virtual machine introspection needs. In: Proceedings of Annual IEEE/IFIP International Conference on Dependable Systems and Networks, pp. 574–585 (2014)

    Google Scholar 

  42. Yan, K.L., Yin, H.: Droidscope: seamlessly reconstructing the OS and Dalvik semantic views for dynamic android malware analysis. In: Proceedings of USENIX Security, p. 29 (2012)

    Google Scholar 

  43. Yan, L., Jayachandra, M., Zhang, M., Yin, H.: V2E: combining hardware virtualization and softwareemulation for transparent and extensible malware analysis. In: Proceedings of ACM SIGPLAN/SIGOPS International Conference on Virtual Execution Environments (VEE), pp. 227–238 (2012)

    Google Scholar 

  44. Yin, H., Song, D., Egele, D., Kruegel, D., Kirda, E.: Panorama: capturing system-wide information flow for malware detection and analysis. In: Proceedings of ACM Conference on Computer and Communications Security (CCS), pp. 116–127 (2007)

    Google Scholar 

  45. Zhang, Q., Reiter, M.K.: Düppel: retrofitting commodity operating systems to mitigate cache side channels in the cloud. In: Proceedings of the 20th ACM SIGSAC Conference on Computer and Communications Security, pp. 827–838 (2013)

    Google Scholar 

  46. Zhao, S., Ding, X., Xu, W., Gu, D.: Seeing through the same lens: Introspecting guest address space at native speed. In: 26th USENIX Security Symposium (USENIX Security 2017), pp. 799–813 (2017)

    Google Scholar 

Download references

Acknowledgement

We would like to thank the anonymous reviewers for their insightful comments that greatly helped to improve this paper. This work is is a part of the project supported by Beijing Natural Science Foundation (Y720011101). Any opinions, findings, and conclusions expressed in this material are those of the authors and do not necessarily reflect the views of these agencies.

Author information

Authors and Affiliations

  1. Institute of Information Engineering, Chinese Academy of Sciences, Beijing, China

    Chonghua Wang, Zhiyu Hao & Xiaochun Yun

  2. School of Cyber Security, University of Chinese Academy of Sciences, Beijing, China

    Chonghua Wang

  3. National Computer Network Emergency Response Technical Team/Coordination Center of China, Beijing, China

    Xiaochun Yun

Authors
  1. Chonghua Wang
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Zhiyu Hao
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Xiaochun Yun
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Zhiyu Hao .

Editor information

Editors and Affiliations

  1. Xidian University, Xi’an, China

    Xiaofeng Chen

  2. SKLOIS, Institute of Information Engineering, Chinese Academy of Sciences, Beijing, China

    Dongdai Lin

  3. Columbia University, New York, New York, USA

    Moti Yung

Rights and permissions

Reprints and permissions

Copyright information

© 2018 Springer International Publishing AG, part of Springer Nature

About this paper

Check for updates. Verify currency and authenticity via CrossMark

Cite this paper

Wang, C., Hao, Z., Yun, X. (2018). NOR: Towards Non-intrusive, Real-Time and OS-agnostic Introspection for Virtual Machines in Cloud Environment. In: Chen, X., Lin, D., Yung, M. (eds) Information Security and Cryptology. Inscrypt 2017. Lecture Notes in Computer Science(), vol 10726. Springer, Cham. https://doi.org/10.1007/978-3-319-75160-3_29

Download citation

  • DOI: https://doi.org/10.1007/978-3-319-75160-3_29

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-75159-7

  • Online ISBN: 978-3-319-75160-3

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation