SubVirt: implementing malware with virtual machines

@article{King2006SubVirtIM,
  title={SubVirt: implementing malware with virtual machines},
  author={Samuel T. King and Peter M. C. Chen and Yi-Min Wang and Chad Verbowski and H. Wang and Jacob R. Lorch},
  journal={2006 IEEE Symposium on Security and Privacy (S\&P'06)},
  year={2006},
  pages={14 pp.-327}
}
Attackers and defenders of computer systems both strive to gain complete control over the system. To maximize their control, both attackers and defenders have migrated to low-level, operating system code. In this paper, we assume the perspective of the attacker, who is trying to run malicious software and avoid detection. By assuming this perspective, we hope to help defenders understand and defend against the threat posed by a new class of rootkits. We evaluate a new type of malicious software…
Virtual Machine Security Systems
Current operating systems provide the process abstraction to achieve resource sharing and isolation. From a security perspective, however, an attacker who has compromised one process can usually gain…
Cloaker: Hardware Supported Rootkit Concealment
TLDR: A framework for the Linux kernel is presented that incorporates integrity checks of hardware state performed by device drivers in order to counter the threat posed by rootkits such as Cloaker.
Detecting System Emulators
TLDR: A number of possibilities to detect system emulators are analyzed and it is shown that emulation can be successfully detected, mainly because the task of perfectly emulating real hardware is complex.
CloudSkulk: A Nested Virtual Machine Based Rootkit and Its Detection
TLDR: This paper is the first to reveal and demonstrate how nested virtualization can be used by attackers to develop rootkits, and presents a novel approach to detecting CloudSkulk rootkits at the host level.
Using a Hypervisor to Migrate Running Operating Systems to Secure Virtual Machines
TLDR: HyperShield detects attacks by combining virtualization of memory management with a hardware-assisted execution-bit feature and has confirmed through experiments that HyperShield successfully prevented kernel-level buffer overflow attacks.
SHARK: Architectural support for autonomic protection against stealth by rootkit exploits
TLDR: This paper proposes an autonomic architecture called SHARK, or secure hardware support against rootkit, by employing hardware support to provide system-level security without trusting the software stack, including the OS kernel.
Hardware-assisted protection and isolation
Software is prone to contain bugs and vulnerabilities. To protect it, researchers normally go to a lower layer, such as protecting the applications from the kernel or protecting the operating systems…
SMM rootkit: a new breed of OS independent malware
TLDR: A proof of concept SMM rootkit is presented, exploring the potential of system management mode for malicious use by implementing a chipset level keylogger and a network backdoor capable of directly interacting with the network card to send logged keystrokes to a remote machine via UDP and receive remote command packets stealthily.
Covert remote syscall communication at kernel level: A SPOOKY backdoor
TLDR: A proof-of-concept server backdoor which hides the in- and exfiltration of data in incoming and outgoing benign traffic of the victim server and allows the remote execution of arbitrary programs on the victim server without being detectable by network intrusion detection systems.
Rootkit Detection Using A Cross-View Clean Boot Method
Abstract: In cyberspace, attackers commonly infect computer systems with malware to gain capabilities such as remote access, keylogging, and stealth. Many malware samples include rootkit…

References

Showing 1-10 of 59 references
Detecting stealth software with Strider GhostBuster
TLDR: This paper describes the design and implementation of the Strider GhostBuster tool and demonstrates its efficiency and effectiveness in detecting resources hidden by real-world malware such as rootkits, Trojans, and key-loggers.
A Virtual Machine Introspection Based Architecture for Intrusion Detection
TLDR: This paper presents an architecture that retains the visibility of a host-based IDS, but pulls the IDS outside of the host for greater attack resistance, achieved through the use of a virtual machine monitor.
ReVirt: enabling intrusion analysis through virtual-machine logging and replay
TLDR: ReVirt removes the dependency on the target operating system by moving it into a virtual machine and logging below the virtual machine, and enables it to provide arbitrarily detailed observations about what transpired on the system, even in the presence of non-deterministic attacks and executions.
Detecting past and present intrusions through vulnerability-specific predicates
TLDR: IntroVirt shows that vulnerability-specific predicates can be written easily for a wide variety of real vulnerabilities, can detect and respond to intrusions over both the past and present time intervals, and add little overhead for most vulnerabilities.
Scalability, fidelity, and containment in the potemkin virtual honeyfarm
TLDR: This paper has built a prototype honeyfarm system, called Potemkin, that exploits virtual machines, aggressive memory sharing, and late binding of resources to achieve the goal of improving honeypot scalability while still closely emulating the execution behavior of individual Internet hosts.
Detecting Targeted Attacks Using Shadow Honeypots
TLDR: It is shown that despite a considerable overhead in the instrumentation of the shadow honeypot (up to 20% for Apache), the overall impact on the system is diminished by the ability to minimize the rate of false-positives.
Microkernels meet recursive virtual machines
TLDR: A software-based virtualizable architecture called Fluke that allows recursive virtual machines (virtual machines running on other virtual machines) to be implemented efficiently by a microkernel running on generic hardware.
Terra: a virtual machine-based platform for trusted computing
We present a flexible architecture for trusted computing, called Terra, that allows applications with a wide range of security requirements to run simultaneously on commodity hardware. Applications…
Virtualizing I/O Devices on VMware Workstation's Hosted Virtual Machine Monitor
TLDR: Results indicate that with optimizations, VMware Workstation's hosted virtualization architecture can match native I/O throughput on standard PCs.
Collapsar: A VM-Based Architecture for Network Attack Detention Center
TLDR: Collapsar is presented, a virtual-machine-based architecture for network attack detention that provides a wide diverse view of network attacks, while the centralized operation enables dedicated administration and convenient event correlation, eliminating the need for honeypot experts in each production network domain.