Process out-grafting: an efficient "out-of-VM" approach for fine-grained process execution monitoring

Recent rapid malware growth has exposed the limitations of traditional in-host malware-defense systems and motivated the development of secure virtualization-based out-of-VM solutions. By running vulnerable systems as virtual machines (VMs) and moving security software from inside the VMs to outside, the out-of-VM solutions securely isolate the anti-malware software from the vulnerable system. However, the presence of semantic gap also leads to the compatibility problem in not supporting existing defense software. In this paper, we present process out-grafting, an architectural approach to address both isolation and compatibility challenges in out-of-VM approaches for fine-grained process-level execution monitoring. Specifically, by relocating a suspect process from inside a VM to run side-by-side with the out-of-VM security tool, our technique effectively removes the semantic gap and supports existing user-mode process monitoring tools without any modification. Moreover, by forwarding the system calls back to the VM, we can smoothly continue the execution of the out-grafted process without weakening the isolation of the monitoring tool. We have developed a KVM-based prototype and used it to natively support a number of existing tools without any modification. The evaluation results including measurement with benchmark programs show it is effective and practical with a small performance overhead.

[1]  Michael Norrish,et al.  seL4: formal verification of an OS kernel , 2009, SOSP '09.

[2]  Xuxian Jiang,et al.  Stealthy malware detection through vmm-based "out-of-the-box" semantic view reconstruction , 2007, CCS '07.

[3]  Gil Neiger,et al.  IntelŴVirtualization Technology: Hardware Support for Efficient Processor Virtualization , 2006 .

[4]  Zhi Wang,et al.  HyperSafe: A Lightweight Approach to Provide Lifetime Hypervisor Control-Flow Integrity , 2010, 2010 IEEE Symposium on Security and Privacy.

[5]  David Lie,et al.  Splitting interfaces: making trust between applications and operating systems configurable , 2006, OSDI '06.

[6]  Samuel T. King,et al.  Detecting past and present intrusions through vulnerability-specific predicates , 2005, SOSP '05.

[7]  Tzi-cker Chiueh,et al.  A Study of the Packer Problem and Its Solutions , 2008, RAID.

[8]  Jason Duell,et al.  The design and implementation of Berkeley Lab's linuxcheckpoint/restart , 2005 .

[9]  J. Duell The design and implementation of Berkeley Lab's linux checkpoint/restart , 2005 .

[10]  Mark Nuttall,et al.  A brief survey of systems providing process or object migration facilities , 1994, OPSR.

[11]  Jonathan M. Smith,et al.  A survey of process migration mechanisms , 1988, OPSR.

[12]  Ole Agesen,et al.  A comparison of software and hardware techniques for x86 virtualization , 2006, ASPLOS XII.

[13]  Wenke Lee,et al.  Secure in-VM monitoring using hardware virtualization , 2009, CCS.

[14]  Tal Garfinkel,et al.  A Virtual Machine Introspection Based Architecture for Intrusion Detection , 2003, NDSS.

[15]  Wenke Lee,et al.  PolyUnpack: Automating the Hidden-Code Extraction of Unpack-Executing Malware , 2006, 2006 22nd Annual Computer Security Applications Conference (ACSAC'06).

[16]  Wenke Lee,et al.  Ether: malware analysis via hardware virtualization extensions , 2008, CCS.

[17]  Tal Garfinkel,et al.  Ostia: A Delegating Architecture for Secure System Call Interposition , 2004, NDSS.

[18]  Peng Ning,et al.  HIMA: A Hypervisor-Based Integrity Measurement Agent , 2009, 2009 Annual Computer Security Applications Conference.

[19]  Wenke Lee,et al.  Lares: An Architecture for Secure Active Monitoring Using Virtualization , 2008, 2008 IEEE Symposium on Security and Privacy (sp 2008).

[20]  Stephanie Forrest,et al.  The Evolution of System-Call Monitoring , 2008, 2008 Annual Computer Security Applications Conference (ACSAC).

[21]  U. Bayer,et al.  TTAnalyze: A Tool for Analyzing Malware , 2006 .

[22]  Jonathon T. Giffin,et al.  2011 IEEE Symposium on Security and Privacy Virtuoso: Narrowing the Semantic Gap in Virtual Machine Introspection , 2022 .

[23]  Wenke Lee,et al.  Secure and Flexible Monitoring of Virtual Machines , 2007, Twenty-Third Annual Computer Security Applications Conference (ACSAC 2007).

[24]  Abhinav Srivastava,et al.  Efficient Monitoring of Untrusted Kernel-Mode Execution , 2011, NDSS.

[25]  Lorenzo Martignoni,et al.  A Framework for Behavior-Based Malware Analysis in the Cloud , 2009, ICISS.

[26]  Niels Provos,et al.  Improving Host Security with System Call Policies , 2003, USENIX Security Symposium.

[27]  Xuxian Jiang,et al.  "Out-of-the-Box" Monitoring of VM-Based High-Interaction Honeypots , 2007, RAID.

[28]  Ian Goldberg,et al.  A Secure Environment for Untrusted Helper Applications ( Confining the Wily Hacker ) , 1996 .

[29]  Somesh Jha,et al.  OmniUnpack: Fast, Generic, and Safe Unpacking of Malware , 2007, Twenty-Third Annual Computer Security Applications Conference (ACSAC 2007).

[30]  Xuxian Jiang,et al.  Process Implanting: A New Active Introspection Framework for Virtualization , 2011, 2011 IEEE 30th International Symposium on Reliable Distributed Systems.

[31]  Abhinav Srivastava,et al.  Tamper-Resistant, Application-Aware Blocking of Malicious Network Connections , 2008, RAID.

[32]  Jason Nieh,et al.  Proceedings of the 5th Symposium on Operating Systems Design and Implementation , 2022 .