Follow the WhiteRabbit: Towards Consolidation of On-the-Fly Virtualization and Virtual Machine Introspection

Authors: Sergej Proskurin, Julian Kirsch, Apostolis Zarras

DOI: 10.1007/978-3-319-99828-2_19

Keywords:

Abstract: The growing complexity of modern malware drives security applications to leverage Virtual Machine Introspection (VMI), which provides a complete and untainted view over the state of a virtual machine. To benefit from this ability, a VMI-aware Virtual Machine Monitor (VMM) must be set up in advance underneath the target system; this is a constraint for the massive application of VMI. In this paper, we present WhiteRabbit, a VMI framework comprising a microkernel-based VMM that transparently virtualizes a running Operating System, on-the-fly, for the purpose of forensic analysis. As a result, the systems to be analyzed do not have to be explicitly set up for VMI a priori. After its deployment, our framework exposes VMI services to remote applications: WhiteRabbit implements the LibVMI interface, which enables it to be engaged by popular VMI applications remotely. Our prototype employs Intel as well as ARM virtualization extensions to take control of a running Linux system. WhiteRabbit’s on-the-fly capability and limited overhead constitute an effective solution for malware detection.
