
U-HIPE: hypervisor-based protection of user-mode processes in Windows

  • Original Paper
Journal of Computer Virology and Hacking Techniques

Abstract

We propose a method to protect user-mode processes against malicious software by running an introspection and protection tool (U-HIPE) inside a hypervisor. Our solution is based on hardware virtualization support and imposes "no-write" and/or "no-execute" restrictions on selected memory pages of the guest virtual machine (VM). Protected components include a process's thread stacks, heaps and loaded modules, so most attempts to execute malicious code inside a process are detected and blocked. We also propose a method to deal with swappable pages: when introspection needs to read a swapped-out page, we inject a page-fault exception into the guest VM so that the guest OS brings the page back in, and we intercept all swap-in and swap-out events to correctly maintain protection on the pages that need it. We implemented a testing prototype that protects user-mode processes on several Microsoft Windows operating systems. Our tests showed the solution to be effective against attacks such as polymorphic/packed viruses, hook injection and injected code execution. The introduced overhead is acceptable for most applications.
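The policy the abstract describes, as an added example that is not the paper's code: a toy C model in which the hypervisor's per-frame permission array (standing in for EPT entries), the page roles, the swap-event hooks and the introspection-read decision are all assumed names. Real enforcement relies on hardware second-level page tables and VM exits, which the model replaces with an array and direct function calls. It shows why a swap-out must drop the restriction on the old physical frame and a swap-in must re-apply it on the new one, and when an introspection read has to fall back to injecting a page fault into the guest.

```c
/* Added example: a toy model of the U-HIPE policy described above. It is not
 * the paper's code; all names and the table layout are assumptions. Hardware
 * second-level page tables and VM exits are replaced by a permission array and
 * plain function calls so the policy can be exercised on its own. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NFRAMES 16          /* guest-physical frames in the toy VM */
#define NPAGES  16          /* guest-virtual pages of the protected process */
#define FRAME_NONE (-1)     /* page is swapped out */

enum { PERM_R = 1, PERM_W = 2, PERM_X = 4, PERM_ALL = 7 };
enum region { REG_NONE, REG_STACK, REG_HEAP, REG_MODULE_CODE };
enum access_result { ACCESS_ALLOWED, ACCESS_BLOCKED, ACCESS_NOT_PRESENT };
enum introspect_result { INTROSPECT_OK, INTROSPECT_INJECT_PF };

struct vpage { enum region role; int frame; };

/* Hypervisor-side state: per-frame permissions (standing in for EPT entries)
 * and per-virtual-page bookkeeping for the protected process. */
static uint8_t ept_perm[NFRAMES];
static struct vpage vpages[NPAGES];

/* Policy: stacks and heaps never execute; loaded module code is never written. */
static uint8_t policy_perm(enum region role) {
    switch (role) {
    case REG_STACK:
    case REG_HEAP:        return PERM_R | PERM_W;
    case REG_MODULE_CODE: return PERM_R | PERM_X;
    default:              return PERM_ALL;
    }
}

void vm_reset(void) {
    memset(ept_perm, PERM_ALL, sizeof ept_perm);
    for (int i = 0; i < NPAGES; i++) {
        vpages[i].role = REG_NONE;
        vpages[i].frame = FRAME_NONE;
    }
}

uint8_t frame_perm(int frame) { return ept_perm[frame]; }
int current_frame(int vpn) { return vpages[vpn].frame; }

/* Register a page of the process and restrict the frame it currently occupies. */
void protect_page(int vpn, enum region role, int frame) {
    vpages[vpn].role = role;
    vpages[vpn].frame = frame;
    ept_perm[frame] = policy_perm(role);
}

/* A guest access checked against the frame's restrictions; the blocked case is
 * where real hardware would deliver an EPT-violation exit to the hypervisor. */
enum access_result guest_access(int vpn, uint8_t access) {
    int f = vpages[vpn].frame;
    if (f == FRAME_NONE) return ACCESS_NOT_PRESENT;   /* guest OS takes its own #PF */
    return (ept_perm[f] & access) == access ? ACCESS_ALLOWED : ACCESS_BLOCKED;
}

/* Swap-out intercepted: the OS will reuse this frame for unrelated data, so the
 * restriction must be lifted or unrelated code would start faulting. */
void on_swap_out(int vpn) {
    int f = vpages[vpn].frame;
    if (f == FRAME_NONE) return;
    ept_perm[f] = PERM_ALL;
    vpages[vpn].frame = FRAME_NONE;
}

/* Swap-in intercepted: the page may land in a different frame; re-apply the
 * role's restriction there before the guest can touch it. */
void on_swap_in(int vpn, int new_frame) {
    vpages[vpn].frame = new_frame;
    if (vpages[vpn].role != REG_NONE) ept_perm[new_frame] = policy_perm(vpages[vpn].role);
}

/* Introspection read from the hypervisor: a swapped-out page cannot be read, so
 * the tool asks for a #PF to be injected into the guest and retries after the
 * resulting swap-in event. */
enum introspect_result introspect_read(int vpn, int *frame_out) {
    if (vpages[vpn].frame == FRAME_NONE) return INTROSPECT_INJECT_PF;
    if (frame_out) *frame_out = vpages[vpn].frame;
    return INTROSPECT_OK;
}

int main(void) {
    vm_reset();
    protect_page(1, REG_STACK, 5);
    protect_page(3, REG_MODULE_CODE, 7);
    printf("execute from stack: %s\n",
           guest_access(1, PERM_X) == ACCESS_BLOCKED ? "blocked" : "allowed");
    printf("write into module code: %s\n",
           guest_access(3, PERM_W) == ACCESS_BLOCKED ? "blocked" : "allowed");
    on_swap_out(1);
    printf("introspect swapped-out stack page: %s\n",
           introspect_read(1, NULL) == INTROSPECT_INJECT_PF ? "inject #PF" : "read");
    return 0;
}
```

Compile with any C compiler; running it prints the three decisions. Ordering is the point of the swap hooks: if the restriction stayed on a frame after the guest OS reused it, unrelated data would inherit the no-execute or no-write bit and the guest would fault spuriously, so the model clears the old frame before forgetting the mapping, and restricts the new frame as soon as the swap-in is seen.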



Acknowledgments

A. Coleșa’s work on this paper was supported by the Post-Doctoral Programme POSDRU/159/1.5/S/137516, project co-funded from European Social Fund through the Human Resources Sectorial Operational Program 2007–2013.

Author information


Correspondence to Adrian Coleșa.


About this article


Cite this article

Luțaș, A., Coleșa, A., Lukács, S. et al. U-HIPE: hypervisor-based protection of user-mode processes in Windows. J Comput Virol Hack Tech 12, 23–36 (2016). https://doi.org/10.1007/s11416-015-0237-z
