Abstract
Cloud platforms of large enterprises are increasingly adopting Virtual Machine Introspection (VMI) to build a wide range of VM monitoring applications, including intrusion detection systems, virtual firewalls, malware analysis, and live memory forensics. In our analysis and comparison of existing VMI systems, we found that most suffer from one or more of the following problems: intrusiveness, time lag and OS-dependence, which make them poorly suited to clouds in practice. To address these problems, we present NOR, a non-intrusive, real-time and OS-agnostic introspection system for virtual machines in cloud environments. It employs event-driven monitoring and snapshot polling cooperatively to reconstruct the memory state of guest VMs. In our evaluation, we show that NOR is capable of monitoring the activities of guest VMs instantaneously with minor performance overhead. We also present case studies showing that NOR is able to detect kernel rootkits and mitigate transient attacks on different Linux systems.
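The abstract's distinction between snapshot polling and event-driven monitoring is easiest to see on a transient attack. The following is an added illustration, not NOR's code and not a description of its implementation: it models guest physical memory as a byte array with a write-protect hook (the role an EPT/NPT write trap plays on a real hypervisor), polls a constructed syscall table by hashing it, and shows that a rootkit which hooks execve and restores the entry before the next poll is invisible to the poller but caught by the write event. The table address, the kernel pointer values and the rogue module address are all constructed for the example.

```python
"""Illustrative model of snapshot polling versus event-driven VMI.
Not NOR's code: guest memory, the syscall table layout and the
'rootkit' writes are all constructed for this example."""
import hashlib

SYSCALL_TABLE = 0x1000           # assumed guest-physical address of sys_call_table
NR_SYSCALLS = 256
ENTRY = 8                        # 64-bit function pointers
TABLE_END = SYSCALL_TABLE + NR_SYSCALLS * ENTRY
NR_EXECVE = 59                   # x86-64 syscall number of execve


class GuestMemory:
    """Flat model of guest physical memory with write-protect hooks
    (stand-in for an EPT/NPT write trap in a real hypervisor)."""

    def __init__(self, size=0x4000):
        self.mem = bytearray(size)
        self.hooks = []          # (start, end, callback)

    def protect(self, start, end, callback):
        self.hooks.append((start, end, callback))

    def read(self, addr, n):
        return bytes(self.mem[addr:addr + n])

    def write(self, addr, data):
        # A real trap fires before the guest write lands; mirror that order.
        for start, end, cb in self.hooks:
            if addr < end and addr + len(data) > start:
                cb(addr, data)
        self.mem[addr:addr + len(data)] = data


class SnapshotPoller:
    """Periodic introspection: hash the region and compare to a baseline."""

    def __init__(self, mem, start, end):
        self.mem, self.start, self.end = mem, start, end
        self.baseline = self._digest()

    def _digest(self):
        return hashlib.sha256(self.mem.read(self.start, self.end - self.start)).digest()

    def poll(self):
        """True if the region differs from the baseline at this instant."""
        return self._digest() != self.baseline


class EventMonitor:
    """Event-driven introspection: record every write into the region."""

    def __init__(self, mem, start, end):
        self.events = []
        mem.protect(start, end, self._on_write)

    def _on_write(self, addr, data):
        self.events.append((addr, data))

    def tampered_entries(self):
        """Syscall numbers whose table slot was written, regardless of restore."""
        return sorted({(addr - SYSCALL_TABLE) // ENTRY for addr, _ in self.events})


def fill_syscall_table(mem):
    """Constructed kernel text addresses: entry i -> 0xffffffff81000000 + i*0x100."""
    for i in range(NR_SYSCALLS):
        ptr = 0xffffffff81000000 + i * 0x100
        slot = SYSCALL_TABLE + i * ENTRY
        mem.mem[slot:slot + ENTRY] = ptr.to_bytes(ENTRY, "little")


def run_scenario(transient):
    """Hook execve; if `transient`, unhook again before the next poll."""
    mem = GuestMemory()
    fill_syscall_table(mem)
    poller = SnapshotPoller(mem, SYSCALL_TABLE, TABLE_END)
    monitor = EventMonitor(mem, SYSCALL_TABLE, TABLE_END)

    slot = SYSCALL_TABLE + NR_EXECVE * ENTRY
    original = mem.read(slot, ENTRY)
    rogue = (0xffffffffc0001000).to_bytes(ENTRY, "little")  # constructed module address
    mem.write(slot, rogue)            # rootkit redirects execve
    if transient:
        mem.write(slot, original)     # and restores it before the poller looks

    return {
        "poll_detected": poller.poll(),
        "event_detected": bool(monitor.events),
        "entries": monitor.tampered_entries(),
    }


if __name__ == "__main__":
    print("transient :", run_scenario(transient=True))
    print("persistent:", run_scenario(transient=False))
```

In the transient case the poller returns to a clean hash and reports nothing, while the event monitor still holds both writes to entry 59; in the persistent case both mechanisms agree. This is why a polling-only design has the time-lag problem the abstract names, and why pairing it with write events matters even when the poller runs at a short interval.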
Acknowledgement
We would like to thank the anonymous reviewers for their insightful comments, which greatly helped to improve this paper. This work is part of a project supported by the Beijing Natural Science Foundation (Y720011101). Any opinions, findings, and conclusions expressed in this material are those of the authors and do not necessarily reflect the views of these agencies.
© 2018 Springer International Publishing AG, part of Springer Nature
Cite this paper
Wang, C., Hao, Z., Yun, X. (2018). NOR: Towards Non-intrusive, Real-Time and OS-agnostic Introspection for Virtual Machines in Cloud Environment. In: Chen, X., Lin, D., Yung, M. (eds) Information Security and Cryptology. Inscrypt 2017. Lecture Notes in Computer Science, vol 10726. Springer, Cham. https://doi.org/10.1007/978-3-319-75160-3_29
DOI: https://doi.org/10.1007/978-3-319-75160-3_29
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-75159-7
Online ISBN: 978-3-319-75160-3
eBook Packages: Computer Science (R0)