DOI: 10.1145/2245276.2232070 (ACM SAC conference proceedings, research article)

Detecting malware signatures in a thin hypervisor

Published: 26 March 2012

Abstract

Enhancing security with hypervisors is an effective approach that has been studied extensively. This paper is concerned with hypervisors using the parapass-through architecture, in which most I/O accesses from the operating system are passed through the hypervisor, while only the minimum accesses necessary to implement the security functionality are mediated by it. Parapass-through hypervisors can provide various security functions, such as encryption of storage data and creation of virtual private networks. Although a previous study detailed a method for protecting privacy with a parapass-through hypervisor, it did not address malware detection. In this paper, we propose a scheme for incorporating malware detection into a parapass-through hypervisor. Using this scheme, we implemented BVMD, a malware-detecting extension of the parapass-through hypervisor BitVisor. BVMD detects malware by comparing the contents of data I/O against malware signatures. A major advantage of BVMD is that its detection depends only slightly on the guest operating system. We confirmed through experiments that BVMD could detect many in-the-wild malware samples.
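The abstract describes the core mechanism (matching the data in mediated I/O requests against a signature set) but not the detail a practitioner cares about most: the hypervisor sees data one disk request or packet at a time, so a signature can straddle two chunks. The following is an added example, not code from the BVMD/BitVisor paper. It uses an Aho-Corasick automaton (the standard multi-pattern algorithm for signature scanning; the abstract does not state which algorithm BVMD uses) and keeps the automaton state across chunks, then contrasts it with a naive per-chunk scan. The signature set and the I/O chunks are constructed for the example and are not real malware signatures.

```python
"""Signature scanning over chunked I/O, as a parapass-through hypervisor
would see it: data arrives one disk request or packet at a time, and a
signature may straddle two consecutive chunks.

Added example; not code from the BVMD/BitVisor paper.  The matcher is an
Aho-Corasick automaton; signatures and chunks below are constructed and
are not real malware signatures.
"""
from collections import deque


class AhoCorasick:
    """Byte-oriented Aho-Corasick automaton built from {name: bytes}."""

    def __init__(self, signatures):
        self.goto = [{}]      # state -> {byte: next_state}
        self.fail = [0]       # state -> fallback state on mismatch
        self.out = [[]]       # state -> [(name, pattern_length), ...]
        for name, pattern in signatures.items():
            self._insert(name, pattern)
        self._build_failure_links()

    def _insert(self, name, pattern):
        state = 0
        for byte in pattern:
            if byte not in self.goto[state]:
                self.goto.append({})
                self.fail.append(0)
                self.out.append([])
                self.goto[state][byte] = len(self.goto) - 1
            state = self.goto[state][byte]
        self.out[state].append((name, len(pattern)))

    def _build_failure_links(self):
        # Breadth-first: depth-1 states already fail to the root (0).
        queue = deque(self.goto[0].values())
        while queue:
            r = queue.popleft()
            for byte, s in self.goto[r].items():
                queue.append(s)
                f = self.fail[r]
                while f and byte not in self.goto[f]:
                    f = self.fail[f]
                self.fail[s] = self.goto[f].get(byte, 0)
                # Inherit outputs of the longest proper suffix that is also a pattern,
                # so overlapping signatures are all reported.
                self.out[s] = self.out[s] + self.out[self.fail[s]]

    def step(self, state, byte):
        """Consume one byte and return the next state."""
        while state and byte not in self.goto[state]:
            state = self.fail[state]
        return self.goto[state].get(byte, 0)


class StreamScanner:
    """Carries automaton state and the absolute byte offset across chunks."""

    def __init__(self, automaton):
        self.automaton = automaton
        self.state = 0
        self.offset = 0      # bytes consumed so far

    def feed(self, chunk, reset_state=False):
        if reset_state:      # the naive per-chunk scan, kept for comparison
            self.state = 0
        hits = []
        for byte in chunk:
            self.state = self.automaton.step(self.state, byte)
            self.offset += 1
            for name, length in self.automaton.out[self.state]:
                hits.append((name, self.offset - length))   # absolute start offset
        return hits


def scan_stream(signatures, chunks, keep_state=True):
    """Return [(signature_name, absolute_start_offset), ...] over all chunks."""
    scanner = StreamScanner(AhoCorasick(signatures))
    hits = []
    for chunk in chunks:
        hits.extend(scanner.feed(chunk, reset_state=not keep_state))
    return hits


# Constructed signatures and I/O chunks for the example (not real malware signatures).
SIGNATURES = {
    "SIG_A": b"EVIL_PAYLOAD",
    "SIG_B": b"\xde\xad\xbe\xef",
}
CHUNKS = [
    b"hello world EVIL",                    # SIG_A starts at offset 12 in this chunk ...
    b"_PAYLOAD" + b"\x00" * 8,              # ... and ends in the next one
    b"\xde\xad\xbe\xef" + b"\x00" * 12,     # SIG_B lies wholly inside one chunk (offset 32)
]

if __name__ == "__main__":
    print("state kept across chunks:", scan_stream(SIGNATURES, CHUNKS))
    print("state reset per chunk:   ", scan_stream(SIGNATURES, CHUNKS, keep_state=False))
```

With the state carried over, both signatures are reported; with the state reset at each chunk boundary, the one that straddles two chunks is missed. Carrying state only helps when consecutive requests are contiguous in the underlying stream, which holds for a TCP byte stream after reassembly but not in general for disk writes, where the sectors of one file need not arrive in order. Handling that case requires some knowledge of the guest's file layout, which is exactly the dependence on the guest OS that the abstract says BVMD keeps small.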



    Published In

    SAC '12: Proceedings of the 27th Annual ACM Symposium on Applied Computing
    March 2012
    2179 pages
    ISBN:9781450308571
    DOI:10.1145/2245276
    Conference Chairs: Sascha Ossowski, Paola Lecca

    Publisher

    Association for Computing Machinery

    New York, NY, United States

    Author Tags

    1. hypervisors
    2. malware
    3. virtual machine monitors

    Qualifiers

    • Research-article

    Conference

    SAC 2012: ACM Symposium on Applied Computing
    March 26 - 30, 2012
    Trento, Italy

    Acceptance Rates

    SAC '12 Paper Acceptance Rate 270 of 1,056 submissions, 26%;
    Overall Acceptance Rate 1,650 of 6,669 submissions, 25%

    Cited By

    • (2023) Android malware category detection using a novel feature vector-based machine learning model. Cybersecurity 6:1, 9 Mar 2023. doi:10.1186/s42400-023-00139-y
    • (2022) Secure Offloading of User-level IDS with VM-compatible OS Emulation Layers for Intel SGX. 2022 IEEE 15th International Conference on Cloud Computing (CLOUD), pages 157-166, Jul 2022. doi:10.1109/CLOUD55607.2022.00035
    • (2021) Domain Isolation in FPGA-Accelerated Cloud and Data Center Applications. Proceedings of the 2021 Great Lakes Symposium on VLSI, pages 283-288, 22 Jun 2021. doi:10.1145/3453688.3461527
    • (2021) Secure Offloading of Intrusion Detection Systems from VMs with Intel SGX. 2021 IEEE 14th International Conference on Cloud Computing (CLOUD), pages 297-303, Sep 2021. doi:10.1109/CLOUD53861.2021.00043
    • (2021) Efficient DLP-visor: An efficient hypervisor-based DLP. 2021 IEEE/ACM 21st International Symposium on Cluster, Cloud and Internet Computing (CCGrid), pages 344-355, May 2021. doi:10.1109/CCGrid51090.2021.00044
    • (2017) Cloud security issues and challenges. Journal of Network and Computer Applications 79:C, pages 88-115, 1 Feb 2017. doi:10.1016/j.jnca.2016.11.027
    • (2017) Secure IDS Offloading with Nested Virtualization and Deep VM Introspection. Computer Security – ESORICS 2017, pages 305-323, 12 Aug 2017. doi:10.1007/978-3-319-66399-9_17
    • (2016) Secure Offloading of Legacy IDSes Using Remote VM Introspection in Semi-trusted Clouds. 2016 IEEE 9th International Conference on Cloud Computing (CLOUD), pages 43-50, Jun 2016. doi:10.1109/CLOUD.2016.0016
    • (2016) Security Challenges of Small Cell as a Service in Virtualized Mobile Edge Computing Environments. Information Security Theory and Practice, pages 70-84, 17 Sep 2016. doi:10.1007/978-3-319-45931-8_5
    • (2014) ADvisor. Proceedings of the 2014 Second International Symposium on Computing and Networking, pages 412-418, 10 Dec 2014. doi:10.1109/CANDAR.2014.43
