Space Traveling across VM: Automatically Bridging the Semantic Gap in Virtual Machine Introspection via Online Kernel Data Redirection
Open Access
- 1 May 2012
- conference paper
- Published by Institute of Electrical and Electronics Engineers (IEEE) in 2012 IEEE Symposium on Security and Privacy
- p. 586-600
- https://doi.org/10.1109/sp.2012.40
Abstract
It is generally believed to be a tedious, time-consuming, and error-prone process to develop a virtual machine introspection (VMI) tool manually because of the semantic gap. Recent advances in Virtuoso show that we can largely narrow the semantic gap, but it still cannot completely automate VMI tool generation. In this paper, we present VMST, an entirely new technique that can automatically bridge the semantic gap and generate VMI tools. The key idea is that, through system-wide instruction monitoring, we can automatically identify the introspection-related data and redirect these data accesses to the in-guest kernel memory. VMST offers a number of new features and capabilities. In particular, it automatically turns an in-guest inspection program into an introspection program. We have tested VMST over 15 commonly used utilities on top of 20 different Linux kernels. The experimental results show that our technique is general (largely OS-agnostic), and that it introduces 9.3X overhead on average for the introspected program compared to the native, non-redirected one.
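The abstract's key idea is a redirection policy: once an introspection-related system call is entered, kernel data reached from kernel global variables (and anything derived from it through pointer chasing) is read from the guest's kernel memory rather than the secure VM's own, so an unmodified in-guest utility such as ps reports the guest's state. The following is an added toy model of that policy, not code from the VMST paper or its QEMU-based implementation: the ISA, the 24-byte task layout, the address ranges, the system call numbers and the copy-on-write handling of writes are all constructed assumptions, and the real system applies many more rules at the x86 instruction level.

```python
"""Toy model of VMST-style online kernel data redirection (added illustration)."""
from dataclasses import dataclass, field

# ---- constructed layout (assumed; not the real Linux task_struct) ----
KERNEL_DATA = range(0xC0000000, 0xC0100000)   # assumed kernel .data range
HEAP_BASE = 0xD0000000                         # assumed slab/heap region
INIT_TASK = 0xC0001000                         # assumed address of global init_task
TASK_SIZE = 24                                 # {next @0, pid @8, comm @16}
INTROSPECTION_SYSCALLS = {3, 5}                # assumed: read/open used on /proc
WORD = 8


def build_kernel_memory(procs):
    """Circular task list: init_task lives in .data, the rest on the heap."""
    addrs = [INIT_TASK] + [HEAP_BASE + i * TASK_SIZE for i in range(1, len(procs))]
    mem = {}
    for i, (pid, comm) in enumerate(procs):
        a = addrs[i]
        mem[a] = addrs[(i + 1) % len(addrs)]                       # next pointer
        mem[a + 8] = pid
        mem[a + 16] = int.from_bytes(comm.encode().ljust(WORD, b"\0"), "little")
    return mem


def decode_comm(word):
    return word.to_bytes(WORD, "little").rstrip(b"\0").decode()


@dataclass
class RedirectingCPU:
    local: dict                                   # secure VM's own kernel memory
    guest: dict                                   # introspected guest's kernel memory
    cow: dict = field(default_factory=dict)       # copy-on-write shadow for writes
    regs: dict = field(default_factory=dict)
    taint: dict = field(default_factory=dict)     # reg -> derived from redirectable data?
    redirect: bool = False
    redirected_reads: int = 0

    def enter_syscall(self, nr):
        # Redirection is armed only inside introspection-related system calls.
        self.redirect = nr in INTROSPECTION_SYSCALLS

    def exit_syscall(self):
        self.redirect = False

    def mov_imm(self, dst, value):
        # An immediate that names a kernel global is the taint source.
        self.regs[dst] = value
        self.taint[dst] = self.redirect and value in KERNEL_DATA

    def mov_reg(self, dst, src):
        self.regs[dst] = self.regs[src]
        self.taint[dst] = self.taint[src]

    def add_imm(self, dst, off):
        self.regs[dst] += off                     # pointer arithmetic keeps taint

    def load(self, dst, ptr):
        addr = self.regs[ptr]
        if self.taint[ptr]:                       # redirected read: guest memory (or COW copy)
            value = self.cow.get(addr, self.guest[addr])
            self.redirected_reads += 1
        else:
            value = self.local[addr]
        self.regs[dst] = value
        self.taint[dst] = self.taint[ptr]         # data reached via tainted pointer is tainted

    def store(self, ptr, src):
        addr = self.regs[ptr]
        if self.taint[ptr]:
            self.cow[addr] = self.regs[src]       # never modify the guest itself
        else:
            self.local[addr] = self.regs[src]


def walk_task_list(cpu, syscall_nr):
    """Kernel code path of a ps-like utility, expressed in the toy ISA."""
    cpu.enter_syscall(syscall_nr)
    cpu.mov_imm("r0", INIT_TASK)                  # r0 = &init_task
    seen = []
    while True:
        cpu.mov_reg("r1", "r0"); cpu.add_imm("r1", 8);  cpu.load("r2", "r1")   # pid
        cpu.mov_reg("r1", "r0"); cpu.add_imm("r1", 16); cpu.load("r3", "r1")   # comm
        seen.append((cpu.regs["r2"], decode_comm(cpu.regs["r3"])))
        cpu.load("r0", "r0")                      # r0 = r0->next
        if cpu.regs["r0"] == INIT_TASK:
            break
    cpu.exit_syscall()
    return seen


# Constructed process tables for the secure VM and for the guest.
LOCAL_PROCS = [(1, "init"), (100, "sshd")]
GUEST_PROCS = [(1, "init"), (200, "bash"), (201, "nc")]


def introspect(syscall_nr):
    """Run the same kernel path with and without redirection armed."""
    cpu = RedirectingCPU(build_kernel_memory(LOCAL_PROCS), build_kernel_memory(GUEST_PROCS))
    return walk_task_list(cpu, syscall_nr), cpu.redirected_reads


if __name__ == "__main__":
    print(introspect(3))   # introspection syscall: guest's process list
    print(introspect(1))   # unrelated syscall: secure VM's own list
```

The point the model makes is that the utility's kernel code is never modified or re-implemented: only the memory operand of each load is rerouted, and only when the pointer descends from a kernel global accessed inside an introspection-related system call. Writes through such pointers land in a copy-on-write shadow so the guest is observed, not altered.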
References (10 of the 17 indexed in Scilit):
- Virtuoso: Narrowing the Semantic Gap in Virtual Machine Introspection. IEEE, 2011
- DKSM: Subverting Virtual Machine Introspection for Fun and Profit. IEEE, 2010
- Inspector Gadget: Automated Extraction of Proprietary Gadgets from Malware Binaries. IEEE, 2010
- Mapping kernel objects to enable systematic integrity checking. ACM, 2009
- Tupni. ACM, 2008
- Secure and Flexible Monitoring of Virtual Machines. IEEE, 2007
- Building Trustworthy Intrusion Detection through VM Introspection. IEEE, 2007
- EXE. ACM, 2006
- Pin. ACM, 2005
- A sense of self for Unix processes. IEEE, 2002