Catch You With Cache: Out-of-VM Introspection to Trace Malicious Executions

2021 51st Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN) Pub Date : 2021-06-01 DOI:10.1109/DSN48987.2021.00045

Chao Su, Xuhua Ding, Qingkai Zeng

{"title":"Catch You With Cache: Out-of-VM Introspection to Trace Malicious Executions","authors":"Chao Su, Xuhua Ding, Qingkai Zeng","doi":"10.1109/DSN48987.2021.00045","DOIUrl":null,"url":null,"abstract":"Out-of-VM introspection is an imperative part of security analysis. The legacy methods either modify the system, introducing enormous overhead, or rely heavily on hardware features, which are neither available nor practical in most cloud environments. In this paper, we propose a novel analysis method, named as Catcher, that utilizes CPU cache to perform out-of-VM introspection. Catcher does not make any modifications to the target program and its running environment, nor demands special hardware support. Implemented upon Linux KVM, it natively introspects the target’s virtual memory. More importantly, it uses the cache-based side channel to infer the target control flow. To deal with the inherent limitations of the side channel, we propose several heuristics to improve the accuracy and stability of Catcher. Our experiments against various malware armored with packing techniques show that Catcher can recover the control flow in real time with around 67% to 97% accuracy scores. Catcher incurs a negligible overhead to the system and can be launched at anytime to monitor an ongoing attack inside a virtual machine.","PeriodicalId":222512,"journal":{"name":"2021 51st Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN)","volume":"3 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2021-06-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"2021 51st Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN)","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/DSN48987.2021.00045","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}

引用次数: 0

Abstract

Out-of-VM introspection is an imperative part of security analysis. The legacy methods either modify the system, introducing enormous overhead, or rely heavily on hardware features, which are neither available nor practical in most cloud environments. In this paper, we propose a novel analysis method, named as Catcher, that utilizes CPU cache to perform out-of-VM introspection. Catcher does not make any modifications to the target program and its running environment, nor demands special hardware support. Implemented upon Linux KVM, it natively introspects the target’s virtual memory. More importantly, it uses the cache-based side channel to infer the target control flow. To deal with the inherent limitations of the side channel, we propose several heuristics to improve the accuracy and stability of Catcher. Our experiments against various malware armored with packing techniques show that Catcher can recover the control flow in real time with around 67% to 97% accuracy scores. Catcher incurs a negligible overhead to the system and can be launched at anytime to monitor an ongoing attack inside a virtual machine.

查看原文本刊更多论文

抓住你的缓存:虚拟机外自省跟踪恶意执行

虚拟机外自省是安全分析的重要组成部分。遗留方法要么修改系统，带来巨大的开销，要么严重依赖硬件特性，而这些特性在大多数云环境中既不可用也不实用。在本文中，我们提出了一种新的分析方法，称为Catcher，它利用CPU缓存执行虚拟机外自省。Catcher不会对目标程序及其运行环境进行任何修改，也不需要特殊的硬件支持。它在Linux KVM上实现，本机内省目标的虚拟内存。更重要的是，它使用基于缓存的侧通道来推断目标控制流。为了解决侧信道固有的局限性，我们提出了几种启发式方法来提高Catcher的准确性和稳定性。我们针对各种恶意软件的封装技术的实验表明，Catcher可以实时恢复控制流，准确率约为67%至97%。Catcher对系统的开销可以忽略不计，并且可以随时启动以监视虚拟机内正在进行的攻击。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

2021 51st Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN)

自引率

0.00%

发文量