X-TIER: Kernel Module Injection
Details
  • Authors: Sebastian Vogl (19)
    Fatih Kilic (19)
    Christian Schneider (19)
    Claudia Eckert (19)
  • Keywords: Security; Virtual Machine Introspection; Semantic Gap
  • Journal: Lecture Notes in Computer Science
  • Year of publication: 2013
  • Volume: 7873
  • Issue: 1
  • Pages: 206-219
  • Full-text size: 654KB
  • Author affiliations: Sebastian Vogl (19)
    Fatih Kilic (19)
    Christian Schneider (19)
    Claudia Eckert (19)

    19. Technische Universität München, München, Germany
  • ISSN: 1611-3349
Abstract
In spite of the fact that security applications can greatly benefit from virtualization, hypervisor-based security solutions remain sparse. The main cause for this is the semantic gap, which makes the development of hypervisor-based security applications cumbersome, error-prone, and time-consuming. In this paper, we present X-TIER, a framework that enables hypervisor-based security applications to bridge the semantic gap by injecting kernel modules from the outside into a running virtual machine (VM). While previous approaches bridge the semantic gap by reading kernel objects from memory, X-TIER goes beyond such work and allows the injected code to manipulate the guest operating system (OS) state and even call kernel functions without sacrificing the overall security. We have implemented a prototype of X-TIER on the x86 architecture that supports module injection for Windows and Linux guests. The evaluation of our system shows that kernel module injection only incurs a very small performance overhead, leaves no traces within the guest system, and provides access to all exported guest OS data structures and functions. Consequently, the mechanism is well-suited for creating hypervisor-based security applications.
