Published in: Journal of Computer Virology and Hacking Techniques 1/2016

01.02.2016 | Original Paper

U-HIPE: hypervisor-based protection of user-mode processes in Windows

Written by: Andrei Luțaș, Adrian Coleșa, Sándor Lukács, Dan Luțaș


Abstract

We propose a method to protect user processes against malicious software attacks by running an introspection and protection tool (U-HIPE) inside a hypervisor. Our solution is based on hardware virtualization support, imposing “no-write” and/or “no-execute” restrictions on different memory pages of the guest virtual machine (VM). Protected components include a process's thread stacks, heaps and loadable modules. This way most attempts to execute malicious code in a process are detected and blocked. We also propose a method to deal with swappable pages: we inject page-fault exceptions into the guest VM when trying to read swapped-out pages for introspection, and we intercept all swap-in and swap-out events to correctly maintain protection on the memory pages that need it. We implemented a testing prototype for protecting user processes in several Microsoft Windows operating systems. The tests we performed demonstrated the effectiveness of our solution against attacks such as polymorphic/packed viruses, hook injection and injected-code execution. The introduced overhead is acceptable for most applications.
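As an added illustration of the mechanism the abstract describes (example code written for this page, not the authors' U-HIPE implementation), the following C model keeps per-frame permission bits the way a hypervisor's second-level page tables would (EPT on Intel), applies the paper's policy (no-execute on stacks and heaps, no-write on loaded module code), and follows the protected virtual page across a swap-out and swap-in so the restriction is re-applied to whatever frame the page comes back in. It also shows the introspection side: a read of a swapped-out page cannot be served and is answered with "inject a page fault into the guest" instead. The frame and page counts, the function names and the enum values are assumptions of this toy model, not identifiers from the paper.

```c
#include <stdio.h>
#include <string.h>

/* Permission bits the hypervisor enforces per guest-physical frame.
 * An access that needs a bit the frame lacks exits to the hypervisor. */
#define PERM_R 1u
#define PERM_W 2u
#define PERM_X 4u
#define PERM_RWX (PERM_R | PERM_W | PERM_X)

#define NFRAMES 16   /* guest-physical frames in the toy machine (assumption) */
#define NVPAGES 8    /* virtual pages of the protected process (assumption) */

enum page_kind { KIND_NONE, KIND_STACK, KIND_HEAP, KIND_MODULE };
enum access_result { ACCESS_OK, ACCESS_VIOLATION };
enum introspect_result { INTROSPECT_OK, INTROSPECT_INJECT_PF };

/* Per virtual page of the protected process: the restriction the
 * hypervisor wants, and the frame currently backing it (if resident). */
struct vpage_prot {
    enum page_kind kind;
    unsigned perm;      /* mask to enforce while the page is resident */
    int resident;       /* 0 once the guest OS has swapped the page out */
    unsigned pfn;       /* backing frame while resident */
};

static struct vpage_prot prot[NVPAGES];
static unsigned ept_perm[NFRAMES];  /* bits currently enforced per frame */

void uhipe_init(void)
{
    memset(prot, 0, sizeof prot);
    for (unsigned i = 0; i < NFRAMES; i++) ept_perm[i] = PERM_RWX;
}

/* Policy from the abstract: stacks and heaps lose execute,
 * loadable modules (code) lose write. */
static unsigned policy_perm(enum page_kind kind)
{
    switch (kind) {
    case KIND_STACK:
    case KIND_HEAP:   return PERM_RWX & ~PERM_X;
    case KIND_MODULE: return PERM_RWX & ~PERM_W;
    default:          return PERM_RWX;
    }
}

/* Register a resident virtual page and push its restriction into the EPT. */
void protect_vpage(unsigned vpn, enum page_kind kind, unsigned pfn)
{
    prot[vpn].kind = kind;
    prot[vpn].perm = policy_perm(kind);
    prot[vpn].resident = 1;
    prot[vpn].pfn = pfn;
    ept_perm[pfn] = prot[vpn].perm;
}

/* Intercepted swap-out: the frame will be reused for other data, so the
 * restriction leaves the frame but stays attached to the virtual page. */
void on_swap_out(unsigned vpn)
{
    if (!prot[vpn].resident) return;
    ept_perm[prot[vpn].pfn] = PERM_RWX;
    prot[vpn].resident = 0;
}

/* Intercepted swap-in: the page may land in a different frame, so the
 * remembered restriction is re-applied there. */
void on_swap_in(unsigned vpn, unsigned new_pfn)
{
    prot[vpn].pfn = new_pfn;
    prot[vpn].resident = 1;
    ept_perm[new_pfn] = prot[vpn].perm;
}

/* Hypervisor decision when the guest touches a frame with the given bits. */
enum access_result guest_access(unsigned pfn, unsigned access)
{
    if (pfn >= NFRAMES) return ACCESS_VIOLATION;
    return (access & ~ept_perm[pfn]) ? ACCESS_VIOLATION : ACCESS_OK;
}

/* Introspection read of a protected virtual page: a swapped-out page has
 * no frame to read, so the guest is made to fault it back in first. */
enum introspect_result introspect_read(unsigned vpn)
{
    return prot[vpn].resident ? INTROSPECT_OK : INTROSPECT_INJECT_PF;
}

int main(void)
{
    uhipe_init();
    protect_vpage(0, KIND_STACK, 3);   /* thread stack page in frame 3 */
    protect_vpage(1, KIND_MODULE, 5);  /* module code page in frame 5 */
    printf("exec on stack frame:   %s\n", guest_access(3, PERM_X) ? "blocked" : "allowed");
    printf("write to module frame: %s\n", guest_access(5, PERM_W) ? "blocked" : "allowed");
    on_swap_out(0);                    /* guest OS pages the stack out */
    printf("introspect swapped-out page: %s\n", introspect_read(0) ? "inject #PF" : "read");
    on_swap_in(0, 7);                  /* it returns in frame 7 */
    printf("exec on new stack frame: %s\n", guest_access(7, PERM_X) ? "blocked" : "allowed");
    return 0;
}
```

The point to notice is that the restriction is keyed to the process's virtual page, not to the physical frame: without the swap-out hook the old frame would stay no-execute after the guest reuses it for something else, and without the swap-in hook the stack would come back fully executable.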


Metadata
Title
U-HIPE: hypervisor-based protection of user-mode processes in Windows
Written by
Andrei Luțaș
Adrian Coleșa
Sándor Lukács
Dan Luțaș
Publication date
01.02.2016
Publisher
Springer Paris
Published in
Journal of Computer Virology and Hacking Techniques / Issue 1/2016
Electronic ISSN: 2263-8733
DOI
https://doi.org/10.1007/s11416-015-0237-z