Abstract
This paper presents EXTERIOR, a dual-VM architecture based external shell that can be used for trusted, timely out-of-VM management of a guest-OS, such as introspection, configuration, and recovery. Inspired by recent advances in virtual machine introspection (VMI), EXTERIOR leverages an isolated, secure virtual machine (SVM) to introspect the kernel state of a guest virtual machine (GVM). However, it goes far beyond the read-only capability of traditional VMI and can perform automatic, fine-grained writable operations on the guest-OS. The key idea of EXTERIOR is to use a dual-VM architecture in which an SVM runs a kernel identical to that of the GVM to create the necessary environment for a running process (e.g., rmmod, kill), and to dynamically and transparently redirect and update the memory state at the VMM layer from the SVM to the GVM, thereby achieving the same effect, in terms of kernel state updates, as running the same trusted in-VM program inside the shell of the GVM. A proof-of-concept EXTERIOR has been implemented. The experimental results show that EXTERIOR can be used for timely administration of a guest-OS, including introspection and (re)configuration of the guest-OS state and timely response to kernel malware intrusions, without any user account in the guest-OS.
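As an added illustration (not the paper's code) of the dual-VM idea the abstract describes, the following toy model runs a trusted rmmod-like program against the SVM while a minimal VMM redirects only kernel-data accesses to the GVM, and refuses to redirect unless both VMs carry identical kernel text. The address ranges and the "module loaded" flag byte are constructed stand-ins for real kernel data structures.

```python
# Toy model of EXTERIOR-style dual-VM kernel data redirection (added example,
# not the paper's code): a minimal "VMM" serves a trusted program's memory
# accesses from the SVM but redirects kernel *data* accesses to the GVM.
# Address ranges and the module-flag offset below are constructed.
import hashlib
KTEXT = range(0x1000, 0x2000)  # kernel code: must be identical in both VMs
KDATA = range(0x2000, 0x3000)  # kernel data: redirected from SVM to GVM
USER = range(0x8000, 0x9000)   # the program's own user memory: stays in SVM
MODULE_FLAG = KDATA.start + 0x10  # constructed "module loaded" flag byte

class VM:
    def __init__(self, kernel_text: bytes):
        self.mem = bytearray(USER.stop)
        self.mem[KTEXT.start:KTEXT.start + len(kernel_text)] = kernel_text

class RedirectingVMM:
    def __init__(self, svm: VM, gvm: VM):
        # The design relies on the SVM running the GVM's kernel so that data
        # structure layouts agree; refuse to redirect if the kernel text differs.
        ktext = lambda vm: hashlib.sha256(vm.mem[KTEXT.start:KTEXT.stop]).digest()
        if ktext(svm) != ktext(gvm):
            raise ValueError("SVM and GVM kernels differ; redirection unsafe")
        self.svm, self.gvm = svm, gvm

    def _backing(self, addr: int) -> bytearray:
        if addr in KDATA:
            return self.gvm.mem  # redirected: access hits the GVM kernel state
        if addr in KTEXT or addr in USER:
            return self.svm.mem  # code and user data are served by the SVM
        raise ValueError(f"unmapped address {addr:#x}")

    def read(self, addr: int) -> int:
        return self._backing(addr)[addr]

    def write(self, addr: int, value: int) -> None:
        self._backing(addr)[addr] = value

def rmmod(vmm: RedirectingVMM) -> bool:
    """Trusted 'rmmod'-like program run in the SVM shell."""
    if vmm.read(MODULE_FLAG) != 1:
        return False
    vmm.write(MODULE_FLAG, 0)  # kernel-data write: takes effect in the GVM
    vmm.write(USER.start, 1)   # status byte: stays in the SVM's user memory
    return True

def demo() -> tuple:
    kernel = b"\x90" * 64  # constructed identical kernel text for both VMs
    svm, gvm = VM(kernel), VM(kernel)
    svm.mem[MODULE_FLAG] = gvm.mem[MODULE_FLAG] = 1  # module loaded in both
    ok = rmmod(RedirectingVMM(svm, gvm))
    return ok, gvm.mem[MODULE_FLAG], svm.mem[MODULE_FLAG], svm.mem[USER.start]
```

Running `demo()` shows the GVM's flag cleared while the SVM's own copy and the GVM's user memory are untouched, which is the "same effect as running the program inside the GVM" property the abstract claims.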
EXTERIOR: using a dual-VM based external shell for guest-OS introspection, configuration, and recovery. VEE '13: Proceedings of the 9th ACM SIGPLAN/SIGOPS international conference on Virtual execution environments.