Stealthy Malware Detection and Monitoring
through VMM-Based “Out-of-the-Box”
Semantic View Reconstruction
`
`12
`12
`
XUXIAN JIANG
North Carolina State University
XINYUAN WANG
George Mason University
and
DONGYAN XU
Purdue University
`
An alarming trend in recent malware incidents is that they are armed with stealthy techniques to detect, evade, and subvert malware detection facilities of the victim. On the defensive side, a fundamental limitation of traditional host-based antimalware systems is that they run inside the very hosts they are protecting (“in-the-box”), making them vulnerable to counter detection and subversion by malware. To address this limitation, recent solutions based on virtual machine (VM) technologies advocate placing the malware detection facilities outside of the protected VM (“out-of-the-box”). However, they gain tamper resistance at the cost of losing the internal semantic view of the host, which is enjoyed by “in-the-box” approaches. This poses a technical challenge known as the semantic gap.
In this article, we present the design, implementation, and evaluation of VMwatcher—an “out-of-the-box” approach that overcomes the semantic gap challenge. A new technique called guest view casting is developed to reconstruct internal semantic views (e.g., files, processes, and kernel modules) of a VM nonintrusively from the outside. More specifically, the new technique casts semantic definitions of guest OS data structures and functions on virtual machine monitor (VMM)-level VM states, so that the semantic view can be reconstructed. Furthermore, we extend guest view casting to reconstruct details of system call events (e.g., the process that makes the system
`
This work was supported in part by the US National Science Foundation (NSF) under Grants CNS-0716376, CNS-0716444 and CNS-0546173. Any opinions, findings, and conclusions or recommendations expressed in this material are those of the authors and do not necessarily reflect the views of the NSF.
Authors’ addresses: Xuxian Jiang, Department of Computer Science, North Carolina State University, 890 Oval Drive, Raleigh, NC 27695; email: jiang@cs.ncsu.edu. Xinyuan Wang, Department of Computer Science, George Mason University, 4400 University Drive, Fairfax, VA 22030; email: xwangc@gmu.edu. Dongyan Xu, Department of Computer Science and CERIAS, Purdue University, 305 N. University Street, West Lafayette, IN 47907; email: dxu@cs.purdue.edu.
Permission to make digital or hard copies of part or all of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies show this notice on the first page or initial screen of a display along with the full citation. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, to republish, to post on servers, to redistribute to lists, or to use any component of this work in other works requires prior specific permission and/or a fee. Permissions may be requested from Publications Dept., ACM, Inc., 2 Penn Plaza, Suite 701, New York, NY 10121-0701 USA, fax +1 (212) 869-0481, or permissions@acm.org.
© 2010 ACM 1094-9224/2010/02-ART12 $10.00
DOI 10.1145/1698750.1698752 http://doi.acm.org/10.1145/1698750.1698752
`
ACM Transactions on Information and System Security, Vol. 13, No. 2, Article 12, Publication date: February 2010.
`
WIZ, Inc. EXHIBIT - 1043
WIZ, Inc. v. Orca Security LTD.
`
`
`
`12:2
`12:2
`
`•
`
`X. Jiang et al.
`X. Jiang et al.
`
call as well as the system call number, parameters, and return value) in the VM, enriching the semantic view. With the semantic gap effectively narrowed, we identify three unique malware detection and monitoring capabilities: (i) view comparison-based malware detection and its demonstration in rootkit detection; (ii) “out-of-the-box” deployment of off-the-shelf antimalware software with improved detection accuracy and tamper resistance; and (iii) nonintrusive system call monitoring for malware and intrusion behavior observation. We have implemented a proof-of-concept VMwatcher prototype on a number of VMM platforms. Our evaluation experiments with real-world malware, including elusive kernel-level rootkits, demonstrate VMwatcher’s practicality and effectiveness.
Categories and Subject Descriptors: D.4.6 [Operating System]: Security and protection—Invasive software; K.6.5 [Management of Computing and Information Systems]: Security and protection
General Terms: Security
Additional Key Words and Phrases: Malware detection, rootkits, virtual machines
ACM Reference Format:
Jiang, X., Wang, X., and Xu, D. 2010. Stealthy malware detection and monitoring through VMM-based “out-of-the-box” semantic view reconstruction. ACM Trans. Info. Syst. Sec. 13, 2, Article 12 (February 2010), 28 pages.
DOI = 10.1145/1698750.1698752 http://doi.acm.org/10.1145/1698750.1698752
`
1. INTRODUCTION
Internet malware (e.g., rootkits, worms, and bots) is getting increasingly stealthy and elusive: It tries to hide its presence from detection facilities and even detects and subverts any existing antimalware software in the compromised system. For example, a detailed analysis of an Agobot variant [Agobot 2004] has revealed that the malware contains malicious logic to detect and remove more than 105 antivirus processes in the victim machine.
The threat described above is partly attributable to a fundamental limitation on the defensive side: Most host-based antimalware systems are installed and executed inside the very hosts that they are monitoring and protecting (Figure 1(a)). Although such “in-the-box” deployment provides an antimalware system with a native, semantic-rich view of the host, it also makes the antimalware system visible, tangible, and potentially subvertible by advanced malware residing in the host.
To address this problem, there have recently been a number of solutions [Dunlap et al. 2002; Garfinkel and Rosenblum 2003; Joshi et al. 2005] that advocate placing the intrusion detection facilities outside of the (virtual) machine being monitored. Based on virtual machine technologies [Barham et al. 2003; Dike 2002], such an “out-of-the-box” approach significantly improves the tamper resistance of intrusion detection facilities. A virtual machine (VM) achieves strong isolation and confines processes running inside the VM such that, even if they are compromised by malware, it will be hard, if not impossible, to compromise systems outside of the VM.
However, a dilemma exists in switching from the in-the-box approach to the out-of-the-box approach: It is well known that there exists a “semantic gap” [Chen and Noble 2001] between the view of the VM from the outside and the view from the inside—the latter being seen by the traditional, in-the-box
`
`
[Figure 1 image not reproduced. Recoverable labels: (a) Traditional “in the box” approach: Anti Malware Systems, Files, Operating System; (b) VMwatcher approach: Anti Malware Systems placed outside A Virtual Machine (VM) that contains Files and the Guest Operating System, running over the Virtual Machine Monitor and Host Operating System.]
Fig. 1. Malware detection in traditional “in-the-box” approach and in VMwatcher approach.
`
antimalware systems. For example, instead of seeing semantic-level objects, such as processes, files, and kernel modules, we only see memory pages, registers, and disk blocks from outside the VM, making out-of-the-box malware detection difficult. In other words, the out-of-the-box approach gains tamper resistance at the cost of losing the internal semantic view of the host enjoyed by the in-the-box approaches.
The previously described dilemma motivates us to explore the possibility of gaining the advantages of both camps, namely enabling tamper-resistant malware detection without losing the semantic view. In this article, we present the design, implementation, and evaluation of VMwatcher—a VMM-based, out-of-the-box approach that overcomes the semantic gap challenge. More specifically, VMwatcher instantiates the general virtual machine introspection (VMI) [Garfinkel and Rosenblum 2003] methodology in a nonintrusive manner, so that it can inspect the low-level VM states and events without perturbing the VM’s execution. A new technique called guest view casting is developed to systematically reconstruct the VM’s internal semantic view (e.g., files, directories, processes, and kernel-level modules) for out-of-the-box malware detection. Furthermore, we extend guest view casting to reconstruct details of system call events in the VM (e.g., the calling process as well as the system call number, parameters, and return value). The new technique is based on the key observation that the guest OS of a VM provides all necessary semantic definitions of guest OS data structures, functions, and system calls to construct the VM’s semantic view. As such, we can cast these definitions on the VMM-level observations and externally derive the semantic view of the target VM (Figure 1(b)).
VMwatcher enables new malware detection and monitoring capabilities that were previously difficult or impossible to achieve. In this article, we identify and demonstrate three such capabilities: (i) view comparison-based stealthy malware detection, which compares a VM’s semantic views obtained from inside and from outside and flags any discrepancy between them; (ii) out-of-the-box execution of unmodified, off-the-shelf antimalware software with improved detection accuracy. This is an extreme test of VMwatcher’s semantic gap-narrowing technique and, interestingly, it further enables cross-platform malware scanning, where antimalware software developed for one platform can be readily used for another platform; (iii) nonintrusive system call monitoring in a production or honeypot VM, which elevates the tamper resistance of malware behavior observation and experimentation.
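The following is an added worked example, not code from the VMwatcher prototype, of guest view casting and of view comparison-based detection (capability (i) above). It builds a constructed raw memory image holding a circular list of task records in an assumed, hypothetical layout (pid, 16-byte command name, next and prev pointers, with kernel virtual addresses offset from physical addresses by a fixed PAGE_OFFSET), casts that definition onto the image from outside to obtain two views, and reports the discrepancy. The in-box view follows the kernel's own list, which is what an in-guest process listing ultimately relies on; the out-of-box view casts the definition at every aligned offset and keeps candidates that satisfy the structure's invariants, so a record that a kernel-level rootkit has unlinked from the list still appears. The carving step and the invariants are this example's method; the paper's own reconstruction procedure is described in its later sections and is not on this page.

```python
"""Added example: guest view casting over a raw memory image plus in-box/out-of-box
view comparison. The memory image, task layout and hidden process are all
constructed for illustration; none of this is VMwatcher's code or a real kernel layout."""
import struct

PAGE_OFFSET = 0xC0000000   # assumed kernel direct map: phys = virt - PAGE_OFFSET
TASK_FMT = "<I16sII"       # assumed task record: pid | comm[16] | tasks.next | tasks.prev
TASK_SIZE = struct.calcsize(TASK_FMT)   # 28 bytes
OFF_NEXT, OFF_PREV = 20, 24
MEM_SIZE = 0x4000


def v2p(vaddr):
    """Kernel virtual address -> offset into the physical image (direct-map assumption)."""
    return vaddr - PAGE_OFFSET


def build_snapshot(procs, hide_pid=None):
    """Constructed physical memory holding a circular, doubly linked task list.
    With hide_pid set, that task is unlinked the way a DKOM rootkit hides a process:
    its neighbours' pointers skip it, but its bytes stay in memory."""
    mem = bytearray(MEM_SIZE)
    addrs = [PAGE_OFFSET + 0x1000 + i * TASK_SIZE for i in range(len(procs))]
    n = len(addrs)
    for i, (pid, comm) in enumerate(procs):
        struct.pack_into(TASK_FMT, mem, v2p(addrs[i]), pid, comm.encode(),
                         addrs[(i + 1) % n], addrs[(i - 1) % n])
    if hide_pid is not None:
        i = [pid for pid, _ in procs].index(hide_pid)
        nxt, prv = addrs[(i + 1) % n], addrs[(i - 1) % n]
        struct.pack_into("<I", mem, v2p(prv) + OFF_NEXT, nxt)   # prev->next = hidden->next
        struct.pack_into("<I", mem, v2p(nxt) + OFF_PREV, prv)   # next->prev = hidden->prev
    return bytes(mem), addrs[0]          # image and the address of init_task


def cast_task(mem, vaddr):
    """Guest view casting: interpret the bytes at a kernel address as a task record."""
    return struct.unpack_from(TASK_FMT, mem, v2p(vaddr))   # (pid, comm, next, prev)


def in_kernel(mem, vaddr):
    return PAGE_OFFSET <= vaddr <= PAGE_OFFSET + len(mem) - TASK_SIZE


def in_box_view(mem, init_task):
    """What an in-guest process listing sees: walk the kernel's own list from init_task."""
    view, addr = [], init_task
    for _ in range(len(mem) // TASK_SIZE):   # bounded walk: a corrupted list must not spin forever
        if not in_kernel(mem, addr):
            break
        pid, comm, nxt, _ = cast_task(mem, addr)
        view.append((pid, comm.split(b"\0", 1)[0].decode()))
        addr = nxt
        if addr == init_task:
            break
    return sorted(view)


def looks_like_task(mem, pid, comm, nxt, prv):
    """Invariants of the assumed layout: small pid, printable NUL-terminated name,
    NUL padding after it, and both list pointers inside kernel memory."""
    name = comm.split(b"\0", 1)[0]
    return (pid < 32768
            and 0 < len(name) <= 15
            and all(0x20 <= b < 0x7F for b in name)
            and not comm[len(name):].strip(b"\0")
            and in_kernel(mem, nxt) and in_kernel(mem, prv))


def out_of_box_view(mem):
    """Cast the task definition at every 4-byte-aligned offset of the image and keep
    the candidates that satisfy its invariants. This does not depend on the list
    links, so a task unlinked by a rootkit is still found."""
    view = []
    for off in range(0, len(mem) - TASK_SIZE + 1, 4):
        pid, comm, nxt, prv = cast_task(mem, PAGE_OFFSET + off)
        if looks_like_task(mem, pid, comm, nxt, prv):
            view.append((pid, comm.split(b"\0", 1)[0].decode()))
    return sorted(view)


def hidden_processes(mem, init_task):
    """View comparison: anything visible from outside but missing inside is suspect."""
    return sorted(set(out_of_box_view(mem)) - set(in_box_view(mem, init_task)))


if __name__ == "__main__":
    # Constructed sample: five tasks, pid 977 hidden by unlinking.
    procs = [(0, "swapper"), (1, "init"), (412, "sshd"), (977, "hidden_bot"), (1020, "bash")]
    image, init = build_snapshot(procs, hide_pid=977)
    print("in-box :", in_box_view(image, init))
    print("out-box:", out_of_box_view(image))
    print("hidden :", hidden_processes(image, init))
```

The point of the comparison is that the two views are derived from the same bytes by different routes: the rootkit can edit the list links that the in-box route follows, but it cannot make the record's bytes stop satisfying the definition the out-of-box route casts over memory. A real layout has many more fields and the invariants must be chosen per kernel build, which is why the semantic definitions have to come from the guest OS itself.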
`
`
We have implemented a VMwatcher prototype on a number of VMM platforms and evaluated it with a collection of real-world malware instances (e.g., kernel- and user-level rootkits). Experiments with these elusive rootkits demonstrate VMwatcher’s unique capability of view comparison-based malware detection. The VMwatcher prototype also supports out-of-the-box deployment of a variety of off-the-shelf antimalware software such as Symantec AntiVirus and Microsoft Windows Defender.
The rest of this article is organized as follows: Section 2 presents the design of VMwatcher, followed by the implementation details in Section 3. We present evaluation results in Section 4 and discuss possible limitations in Section 5. Section 6 discusses related work, and Section 7 concludes this article.
`
2. VMWATCHER OVERVIEW

2.1 Design Goals and Assumption
Figure 1 illustrates the key difference between the traditional in-the-box approach and the VMwatcher approach for malware detection. VMwatcher achieves stronger tamper resistance by moving malware monitoring facilities out of the VM being monitored. VMwatcher is based on two key enabling techniques: (i) nonintrusive VM introspection for the procurement of low-level (VMM-level) VM states and system call events, without deploying any facility inside the VM (Section 2.2.1) and (ii) guest view casting for external reconstruction of the VM’s internal semantic view (Section 2.2.2). VMwatcher has the following three design goals:
—First, VMwatcher should not perturb the system state of the target VM. This prevents VMwatcher from affecting the normal execution of the VM and causing adverse side effects (e.g., system inconsistency [Joshi et al. 2005]) in the VM. This goal is realized by our technique for nonintrusive inspection and analysis of low-level VM observations. Nonintrusiveness also makes it hard for internal malicious processes to infer (external) VMwatcher activities.
—Second, VMwatcher should significantly narrow the semantic gap such that the same malware detection system that runs inside the VM can also run outside of the VM. As will be shown, this goal is critical to the new malware detection capabilities. The goal is realized by our guest view casting technique for external reconstruction of the VM semantic view. Based on the reconstructed view, antimalware systems can perform file or memory scanning operations as if they were inside the VM.[1]
—Third, VMwatcher should be generic and applicable to a number of existing VMMs. Currently there exist two mainstream virtualization approaches: full virtualization and paravirtualization. Full virtualization (as in VMware [VMware 2008] and QEMU [Bellard 2005]) transparently supports legacy OSs without modifying the guest OS code, while paravirtualization (as in
`
[1] We need to point out that some hooking-based features of antimalware systems are hard to support by VM introspection. Certain high-level events (e.g., Windows API calls or hooks), which are of interest to some antivirus software, may not be captured from low-level VMM observations.
`
`
Xen [Barham et al. 2003] and User-Mode Linux [Dike 2002]) is less transparent, as it needs to modify the guest OS source code. VMwatcher aims at supporting VMMs in both categories.
We also note that different VMMs choose to implement VMs at different levels, imposing varying complexity on VMwatcher. More specifically, the lower the virtualization level, the wider the semantic gap it will create and, consequently, the greater the challenge for VMwatcher to bridge the semantic gap. For example, because of its system call level virtualization, User-Mode Linux (UML) preserves much of the semantic information (e.g., processes) and thus leads to a much narrower semantic gap than VMware, Xen, and QEMU.
—Assumption on trusted VMM. In this article, we assume a trusted VMM that achieves VM isolation: A malware instance may compromise any entity or facility inside the VM—including the guest OS kernel itself. However, it cannot break out of the VM and corrupt the underlying VMM. This assumption is based on the observation that the code base of a VMM is much smaller and more stable than legacy OS code. Furthermore, the VMM provides a more limited interface (which can be further hardened and validated) to untrusted VMs in the form of virtualized underlying physical resources. We note that this assumption is consistent with that of many other VM-based security research efforts [Dunlap et al. 2002; Garfinkel et al. 2003; Garfinkel and Rosenblum 2003; Joshi et al. 2005; Koju et al. 2005]. We will discuss possible attacks (e.g., VM fingerprinting) in Section 5.
`
2.2 Enabling Techniques
2.2.1 Nonintrusive Virtual Machine Introspection. VMwatcher follows the VM introspection methodology to capture low-level VM states and events externally. For open-source VMMs such as Xen, QEMU, and UML, we develop VM introspection extensions to obtain the full VM state, which includes the VM’s registers, memory, and disk, and to capture system calls made by processes in the VM. To achieve nonintrusiveness, we follow the principle of passive, read-only observation without inflicting any influence on the VM—this is important, as such an influence would lead to undesirable consequences such as inconsistency in the VM’s system state or perturbation in the VM’s execution.
For closed-source VMMs, we only have limited access to VMM-level observations. For example, with Microsoft Virtual PC, we are not able to read VM registers (e.g., the control register CR3) or monitor virtual interrupts. Without a VMM’s source code, VMwatcher has to rely on whatever low-level VM state abstraction is exposed by the VMM. Details of our nonintrusive VM introspection technique will be presented in Section 3.1.
`
2.2.2 Guest View Casting. Given the VMM-level observations of a running VM, our second technique, guest view casting, will externally reconstruct the internal semantic view of the VM. We observe that the guest OS data structure definitions (e.g., files and directories) and functions
