虚拟机自省中一种消除语义鸿沟的方法

doi:10.11959/j.issn.1000-436x.2015103

Journal on Communications ›› 2015, Vol. 36 ›› Issue (8): 31-37.doi: 10.11959/j.issn.1000-436x.2015103

• Academic paper • Previous Articles Next Articles

Narrowing the semantic gap in virtual machine introspection

Chao-yuan CUI¹,Yun WU²,Ping LI^1,³,Xiao-ming ZHANG¹

¹ Institute of Intelligent Machines,CAS,Hefei 230031,China
² Anhui Technology and Engineering Institute for Recycling Economy,CAS,Hefei 230088,China
³ Department of Automation,University of Science and Technology of China,Hefei 230027，China

Online:2015-08-25 Published:2015-08-25
Supported by:
Foundation of President of Hefei Institutes of Physical Science,Chinese Academy of Sciences;The National Natural Science Foundation of China;The National Natural Science Foundation of China

Abstract

Abstract:

Virtual machine introspection(VMI)has been widely used in areas such as intrusion detection and malware analysis.However,due to the existence of semantic gap,the generality and the efficiency of VMI were partly influenced while getting internal information of a virtual machine.By analyzing the deficiencies of existing technology of semantic gap restoration,a method called ModSG was proposed to bridge the semantic gap.ModSG was a modularity system,it divided semantic restoration into two parts.One was online phase that interact directly with user to construct semantic views,the other was offline phase that only interact with operating system to parse high-level semantic knowledge.Both were implemented via independent module,and the latter provided the former with necessary kernel information during semantic view construction.Experiments on different virtual machine states and different kernel versions show that the ModSG is accurate and efficient in narrowing semantic gap.The modular design and deployment also make ModSG easily to be extended to other operating systems and virtualization platforms.

Key words: semantic gap, virtual machine introspection, modularity system, portability

Chao-yuan CUI,Yun WU,Ping LI,Xiao-ming ZHANG. Narrowing the semantic gap in virtual machine introspection[J]. Journal on Communications, 2015, 36(8): 31-37.

Figures/Tables 11

References 19

[1]	GARFINKEL T , ROSENBLUM M . A virtual machine introspection based architecture for intrusion detection[A]. Network and Distributed System Security Symposium[C]. 2003.
[2]	JIANG X , WANG X , XU D . Stealthy malware detection through VMM-based “out-of-the-box” semantic view reconstruction[A]. Computer and Communication Security[C]. New York,USA, 2007. 128-138.
[3]	JIANG X , WANG X . Out-of-the-box monitoring of VM-based high-interaction honeypots[A]. Recent Advances in Intrusion Detection[C]. Australia, 2007. 198-218.
[4]	HAY B , NANCE K . Forensics examination of volatile system data using virtual introspection[J]. ACM Sigops OS Review, 2008,42(3): 74-82.
[5]	DOLAN-G B , PAYNE B , LEE W . Leveraging forensic tools for virtual machine introspection[R]. GT-CS-11-05, 2011.
[6]	CHEN P M , NOBLE B . When virtual is better than real[J]. Hot Topics in Operating Systems(HOTOS '01), 2001,8: 133-138.
[7]	JONES S T,A C , ARPACI D , A C , ARPACI D , R H . Antfarm:tracking processes in a virtual machine environment[A]. Proc of the 2006 USENIX Annual Technical Conference[C]. 2006.
[8]	LKCD. Linux Kernel Crash Dump[EB/OL]. .
[9]	康华 .从 VMM 中识别 GUEST OS 中的用户进程[EB/OL]. . KANG H .Identify the user process in GUEST OS from VMM[EB/OL]. .
[10]	PFOH J , SCHNEIDER C , ECKERT C . A formal model for virtual machine introspection[A]. Proceedings of the 2nd Workshop on Virtual Machine Security(VMSec’09)[C]. Chicago,Illinois,USA, 2009. 1-10.
[11]	DOLAN G B , LEEK T , ZHIVICH M . Virtuoso:narrowing the semantic gap in virtual machine introspection[A]. Proceedings of the 33rd IEEE Symposium on Security and Privacy[C]. 2011,32: 297-312.
[12]	FU Y , LIN Z . Space traveling across VM:automatically bridging the semantic gap in virtual machine introspection via online kernel data redirection[A]. Proceedings of the 33rd IEEE Symposium on Security and Privacy[C]. 2012. 586-600.
[13]	The Xen project power[EB/OL]. .
[14]	KVM[EB/OL]. .
[15]	QEMU[EB/OL]. .
[16]	石磊, 邹德清, 金海 . Xen 虚拟化技术[M]. 武汉: 华中科技大学出版社, 2009. SHI L , ZOU D Q , JIN H . Xen Virtualization Technology[M]. Wuhan: Huazhong University of Science and Technology Press, 2009.
[17]	英特尔开源软件技术中心, 复旦大学并行技术处理研究所. 系统虚拟化:原理与实现[M]. 北京: 清华大学出版社, 2009.Intel Open Source Software Technology Center, Parallel Processing Institute,Fudan University. System Virtualization:Principle and Implementation[M]. Beijing: Tsinghua University Press, 2009.
[18]	ROBERT L . Linux Kernel Development[M]. New York: MacMillan Computer PublicationPress, 2005.
[19]	Suterusu[EB/OL]. .

Metrics

Recommended 0

No Suggested Reading articles found!

虚拟域	CPU	内存	OS	内核
Dom0	4核	4 GB	Ubuntu12.04	3.2.0
Dom1	1核	1 GB	Ubuntu12.04	3.2.0
Dom2	1核	1 GB	CentOS6.4	2.6.32
Dom3	1核	1 GB	Debian7.3.0	3.2.0
Dom4	1核	1 GB	Fedora18	3.6.10

Narrowing the semantic gap in virtual machine introspection

RichHTML

PDF

Knowledge

Cited

Abstract

Cite this article

share this article

Figures/Tables 11

References 19

Related Articles 1

Metrics

Recommended 0