Hypervisor based Memory Introspection: Challenges, Problems and Limitations

Andrei Lutas, Daniel Ticle, Octavian Cret

Abstract

Hypervisor-based memory introspection is a well-known topic, in both academia and the industry. It is accepted that this technique brings great advantages from a security perspective, but it is known, as well, that this comes at greater implementation complexity and performance penalty. While the most obvious challenges, such as the semantic gap, have been greatly discussed in the literature, we aim to elaborate on the engineering and implementation challenges encountered while developing a hypervisor-based memory introspection solution and to offer theoretical and practical solutions for them.

References

  1. AMD Corporation (2005). AMD64 Virtualization Codenamed Pacifica Technology. Secure Virtual Machine Architecture Reference Manual.
  2. Baliga, A., Ganapathy, V., and Iftode, L. (2008). Automatic Inference and Enforcement of Kernel Data Structure Invariants. In In Proc. Annual Computer Security Applications Conference, pages 77-86.
  3. Carbone, M., Cui, W., Lu, L., Lee, W., Peinado, M., and Jiang, X. (2009). Mapping kernelobjects to enable systematic integrity checking. In In Proc. The 16th ACM conference on Computer and communications security Pages, pages 555-565.
  4. Cozzie, A., Stratton, F., Xue, H., and King, S. T. (2008). Digging for data structures. In In Proc. 8th USENIX conference on Operating systems design and implementation, pages 255-266.
  5. D. Durham (2014). Mitigating Exploits, Rootkits and Advanced Persistent Threats.
  6. Dolan-Gavitt, B., Srivastava, A., Traynor, P., and Giffin, J. (2009). Robust signatures for kernel data structures. In In Proc. 16th ACM conference on Computer and communications security, pages 566-577.
  7. G. Hoglund and J. Butler (2005). Rootkits: Subverting the Windows Kernel.
  8. Garfinkel, T. and Rosenblum, M. (2003). A virtual machine introspection based architecture for intrusion detection. In In Proc. Network and Distributed Systems Security Symposium, pages 191-206.
  9. Intel Corporation (2016a). Control-flow Enforcement Technology Preview.
  10. Intel Corporation (2016b). Intel R 64 and IA-32 Architectures Software Developer's Manual. Number 325462- 060US.
  11. Lin, Z., Rhee, J., Zhang, X., Xu, D., and Jiang, X. (2011). Graph-based signatures for kernel data structures. In In Proc. 12th Annual Information Security Symposium, page Article no. 21.
  12. Lutas, A., Colesa, A., Lukacs, S., and Lutas, D. (2015a). UHIPE: hypervisor-based protection of user-mode processes in Windows.
  13. Lutas, A., Lukacs, S., Colesa, A., and Lutas, D. (2015b). Proposed Processor Extensions for Signicant Speedup of Hypervisor Memory Introspection. In Trust and Trustworthy Computing, pages 249-267.
  14. M. Rusinovich and D. Solomon and A. Ionescu (2012). Windows Internals 6th edition.
  15. Sahita, R., Shanbhogue, V., Neiger, G., Edwards, J., Ouziel, I., Huntley, B., Shwartsman, S., Durham, D. M., Anderson, A., and LeMay, M. (2014). Method and apparatus for fine grain memory protection. US20150378633.
  16. Serebrin, B. and Haertel, M. (2008). Alternate address space to permit virtual machine monitor access to guest virtual address space. US20090187726.
Download


Paper Citation


in Harvard Style

Lutas A., Ticle D. and Cret O. (2017). Hypervisor based Memory Introspection: Challenges, Problems and Limitations . In Proceedings of the 3rd International Conference on Information Systems Security and Privacy - Volume 1: ICISSP, ISBN 978-989-758-209-7, pages 285-294. DOI: 10.5220/0006125802850294


in Bibtex Style

@conference{icissp17,
author={Andrei Lutas and Daniel Ticle and Octavian Cret},
title={Hypervisor based Memory Introspection: Challenges, Problems and Limitations},
booktitle={Proceedings of the 3rd International Conference on Information Systems Security and Privacy - Volume 1: ICISSP,},
year={2017},
pages={285-294},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0006125802850294},
isbn={978-989-758-209-7},
}


in EndNote Style

TY - CONF
JO - Proceedings of the 3rd International Conference on Information Systems Security and Privacy - Volume 1: ICISSP,
TI - Hypervisor based Memory Introspection: Challenges, Problems and Limitations
SN - 978-989-758-209-7
AU - Lutas A.
AU - Ticle D.
AU - Cret O.
PY - 2017
SP - 285
EP - 294
DO - 10.5220/0006125802850294