Aquarius: A Tiny Hypervisor to Introspect Commodity OSes in a Non-bypassable Way

In this paper, we propose a novel tiny hardware-assisted hypervisor, called Aquarius, to introspect commodity OSes in a non-bypassable way. Compared to previous hypervisor-based approaches, Aquarius offers three distinct advantages: compatibility with a preinstalled commodity OS, implicit introspection of OS resources (e.g., memory, I/O device accesses, processes, files, network connections), and a non-bypassable information-exposing interface. Unlike typical hypervisors, Aquarius can migrate a preinstalled OS onto itself. By tracking the low-level interactions between the OS and the hardware, Aquarius is decoupled from explicit OS implementation details, which privileged malware could otherwise subvert. Our functionality evaluation shows that Aquarius can accurately reconstruct the OS resources at the hypervisor layer, while the performance evaluation shows that desktop-oriented workloads achieve 92.68% of native speed on average.