TY - GEN
T1 - Virtuoso
T2 - Narrowing the semantic gap in virtual machine introspection
AU - Dolan-Gavitt, Brendan
AU - Leek, Tim
AU - Zhivich, Michael
AU - Giffin, Jonathon
AU - Lee, Wenke
PY - 2011
Y1 - 2011
AB - Introspection has featured prominently in many recent security solutions, such as virtual machine-based intrusion detection, forensic memory analysis, and low-artifact malware analysis. Widespread adoption of these approaches, however, has been hampered by the semantic gap: in order to extract meaningful information about the current state of a virtual machine, detailed knowledge of the guest operating system's inner workings is required. In this paper, we present a novel approach for automatically creating introspection tools for security applications with minimal human effort. By analyzing dynamic traces of small, in-guest programs that compute the desired introspection information, we can produce new programs that retrieve the same information from outside the guest virtual machine. We demonstrate the efficacy of our techniques by automatically generating 17 programs that retrieve security information across 3 different operating systems, and show that their functionality is unaffected by the compromise of the guest system. Our technique allows introspection tools to be effortlessly generated for multiple platforms, and enables the development of rich introspection-based security applications.
UR - http://www.scopus.com/inward/record.url?scp=80051981742&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=80051981742&partnerID=8YFLogxK
U2 - 10.1109/SP.2011.11
DO - 10.1109/SP.2011.11
M3 - Conference contribution
AN - SCOPUS:80051981742
SN - 9780769544021
T3 - Proceedings - IEEE Symposium on Security and Privacy
SP - 297
EP - 312
BT - Proceedings - 2011 IEEE Symposium on Security and Privacy, SP 2011
PB - Institute of Electrical and Electronics Engineers Inc.
ER -