Hypervisor support for identifying covertly executing binaries

  title={Hypervisor support for identifying covertly executing binaries},
  author={Lionel Litty and H. Andr{\'e}s Lagar-Cavilla and David Lie},
  booktitle={USENIX Security Symposium},
Hypervisors have been proposed as a security tool to defend against malware that subverts the OS kernel. However, hypervisors must deal with the semantic gap between the low-level information available to them and the high-level OS abstractions they need for analysis. To bridge this gap, systems have proposed making assumptions derived from the kernel source code or symbol information. Unfortunately, this information is nonbinding – rootkits are not bound to uphold these assumptions and can… CONTINUE READING
Highly Influential
This paper has highly influenced 22 other papers. REVIEW HIGHLY INFLUENTIAL CITATIONS
Highly Cited
This paper has 224 citations. REVIEW CITATIONS


Publications citing this paper.
Showing 1-10 of 143 extracted citations

225 Citations

Citations per Year
Semantic Scholar estimates that this publication has 225 citations based on the available data.

See our FAQ for additional information.


Publications referenced by this paper.
Showing 1-10 of 33 references

Automated detection of persistent kernel control-flow attacks

  • N. L. Petroni, Jr., M. Hicks
  • In Proceedings of the 14th ACM Conference on…
  • 2007
Highly Influential
5 Excerpts

Visual Studio , Microsoft Portable Executable and Common Object File Format specification , May 2006

  • L. Molnár M. Oberhumer, J. Reiser
  • 2008

and J

  • M. Oberhumer, L. Molnár
  • Reiser
  • 2008
1 Excerpt

Similar Papers

Loading similar papers…