Stealthy malware detection and monitoring through VMM-based “out-of-the-box” semantic view reconstruction

Q Engineering

ACM Transactions on Information and System Security Pub Date : 2010-02-01 DOI:10.1145/1698750.1698752

Xuxian Jiang, Xinyuan Wang, Dongyan Xu

{"title":"Stealthy malware detection and monitoring through VMM-based “out-of-the-box” semantic view reconstruction","authors":"Xuxian Jiang, Xinyuan Wang, Dongyan Xu","doi":"10.1145/1698750.1698752","DOIUrl":null,"url":null,"abstract":"An alarming trend in recent malware incidents is that they are armed with stealthy techniques to detect, evade, and subvert malware detection facilities of the victim. On the defensive side, a fundamental limitation of traditional host-based antimalware systems is that they run inside the very hosts they are protecting (“in-the-box”), making them vulnerable to counter detection and subversion by malware. To address this limitation, recent solutions based on virtual machine (VM) technologies advocate placing the malware detection facilities outside of the protected VM (“out-of-the-box”). However, they gain tamper resistance at the cost of losing the internal semantic view of the host, which is enjoyed by “in-the-box” approaches. This poses a technical challenge known as the semantic gap.\n In this article, we present the design, implementation, and evaluation of VMwatcher—an “out-of-the-box” approach that overcomes the semantic gap challenge. A new technique called guest view casting is developed to reconstruct internal semantic views (e.g., files, processes, and kernel modules) of a VM nonintrusively from the outside. More specifically, the new technique casts semantic definitions of guest OS data structures and functions on virtual machine monitor (VMM)-level VM states, so that the semantic view can be reconstructed. Furthermore, we extend guest view casting to reconstruct details of system call events (e.g., the process that makes the system call as well as the system call number, parameters, and return value) in the VM, enriching the semantic view. With the semantic gap effectively narrowed, we identify three unique malware detection and monitoring capabilities: (i) view comparison-based malware detection and its demonstration in rootkit detection; (ii) “out-of-the-box” deployment of off-the-shelf anti malware software with improved detection accuracy and tamper-resistance; and (iii) nonintrusive system call monitoring for malware and intrusion behavior observation. We have implemented a proof-of-concept VMwatcher prototype on a number of VMM platforms. Our evaluation experiments with real-world malware, including elusive kernel-level rootkits, demonstrate VMwatcher's practicality and effectiveness.","PeriodicalId":50912,"journal":{"name":"ACM Transactions on Information and System Security","volume":null,"pages":null},"PeriodicalIF":0.0000,"publicationDate":"2010-02-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"110","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"ACM Transactions on Information and System Security","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1145/1698750.1698752","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q","JCRName":"Engineering","Score":null,"Total":0}

引用次数: 110

Abstract

An alarming trend in recent malware incidents is that they are armed with stealthy techniques to detect, evade, and subvert malware detection facilities of the victim. On the defensive side, a fundamental limitation of traditional host-based antimalware systems is that they run inside the very hosts they are protecting (“in-the-box”), making them vulnerable to counter detection and subversion by malware. To address this limitation, recent solutions based on virtual machine (VM) technologies advocate placing the malware detection facilities outside of the protected VM (“out-of-the-box”). However, they gain tamper resistance at the cost of losing the internal semantic view of the host, which is enjoyed by “in-the-box” approaches. This poses a technical challenge known as the semantic gap. In this article, we present the design, implementation, and evaluation of VMwatcher—an “out-of-the-box” approach that overcomes the semantic gap challenge. A new technique called guest view casting is developed to reconstruct internal semantic views (e.g., files, processes, and kernel modules) of a VM nonintrusively from the outside. More specifically, the new technique casts semantic definitions of guest OS data structures and functions on virtual machine monitor (VMM)-level VM states, so that the semantic view can be reconstructed. Furthermore, we extend guest view casting to reconstruct details of system call events (e.g., the process that makes the system call as well as the system call number, parameters, and return value) in the VM, enriching the semantic view. With the semantic gap effectively narrowed, we identify three unique malware detection and monitoring capabilities: (i) view comparison-based malware detection and its demonstration in rootkit detection; (ii) “out-of-the-box” deployment of off-the-shelf anti malware software with improved detection accuracy and tamper-resistance; and (iii) nonintrusive system call monitoring for malware and intrusion behavior observation. We have implemented a proof-of-concept VMwatcher prototype on a number of VMM platforms. Our evaluation experiments with real-world malware, including elusive kernel-level rootkits, demonstrate VMwatcher's practicality and effectiveness.

查看原文本刊更多论文

通过基于虚拟机的“开箱即用”语义视图重构实现恶意软件的隐形检测和监控

在最近的恶意软件事件中，一个令人担忧的趋势是，他们配备了隐形技术来检测、逃避和破坏受害者的恶意软件检测设施。在防御方面，传统的基于主机的反恶意软件系统的一个基本限制是它们在它们所保护的主机内运行(“在盒子里”)，使它们容易受到恶意软件的反检测和颠覆。为了解决这一限制，最近基于虚拟机(VM)技术的解决方案主张将恶意软件检测设施置于受保护的VM之外(“开箱即用”)。然而，它们以失去主机的内部语义视图为代价获得了抗篡改性，而“盒内”方法享有这种特性。这带来了一个被称为语义差距的技术挑战。在本文中，我们介绍了vmwatch的设计、实现和评估——这是一种克服语义差距挑战的“开箱即用”方法。开发了一种称为访客视图转换的新技术，用于从外部非侵入性地重建VM的内部语义视图(例如，文件，进程和内核模块)。更具体地说，新技术将客户机操作系统数据结构和功能的语义定义投射到虚拟机监视器(VMM)级别的VM状态上，从而可以重构语义视图。此外，我们扩展了来宾视图转换，以在VM中重构系统调用事件的细节(例如，进行系统调用的进程以及系统调用号、参数和返回值)，从而丰富了语义视图。随着语义差距的有效缩小，我们确定了三种独特的恶意软件检测和监控功能:(i)查看基于比较的恶意软件检测及其在rootkit检测中的演示;(ii)“开箱即用”部署现成的反恶意软件，提高检测准确性和防篡改能力;(三)针对恶意软件和入侵行为观察的非侵入性系统调用监控。我们已经在许多VMM平台上实现了一个概念验证的VMwatcher原型。我们对真实世界的恶意软件(包括难以捉摸的内核级rootkit)进行了评估实验，证明了VMwatcher的实用性和有效性。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

ACM Transactions on Information and System Security 工程技术-计算机：信息系统

CiteScore

4.50

自引率

0.00%

发文量

审稿时长

3.3 months

期刊介绍： ISSEC is a scholarly, scientific journal that publishes original research papers in all areas of information and system security, including technologies, systems, applications, and policies.