Virtual machine introspection: towards bridging the semantic gap | Journal of Cloud Computing

Memory introspection

Memory introspection deals with live memory analysis. When the OS is running, all the important data structures are in main memory: process control blocks (PCBs), registry entries, loadable kernel modules, kernel data structures, page tables, and so on. Main memory also holds the pages of the data and code segments of the process being executed, so information about the OS can be retrieved by examining its contents. The majority of malware analysis tools inspect program behaviour by examining the main memory contents of the given program. A variety of VMI techniques are available for accessing the main memory of a guest VM from a secure VM; these can be used for tasks such as intrusion detection or process analysis of the guest VM. A range of memory-based VMI techniques are summarised in the remainder of this section.

Introspection using Xen libraries

A guest VM can be introspected from the privileged domain (Dom 0) associated with a Xen hypervisor [7]. Dom 0 is the control domain of Xen, and it provides access to every data structure, driver and library implemented by Xen. The memory of the guest VM can be monitored using the function xc_map_foreign_range(), which belongs to the same library. A special high-performance disk driver named blktap, made for Xen's paravirtualised guest VMs, monitors disk access and data transfer.

In the case of a guest VM, a memory access requires address translation from the virtual to the physical address and then again from the physical to the machine address; Xen implements shadow page tables for this purpose. Introspection of a paravirtualised guest VM is possible using libxc, the blktap driver and the Xen store library. XenAccess [13] is a good demonstration of memory and disk introspection with the Xen hypervisor. The introspection code remains safe, as it resides in a secure VM (Dom 0). However, malware could change the kernel data structures, causing XenAccess to produce irrelevant results. XenAccess improved memory access performance by caching Xen Store mappings on a least recently used (LRU) basis, which is analogous to a translation look-aside buffer (TLB). XenAccess provides very limited traces of file access: only the creation and deletion of a file are traceable. It also provides very limited support for hardware virtual machine (HVM) domains, which restricts its widespread application across OSs.

I/O introspection

I/O introspection deals with device drivers and other utility hardware communications. dAnubis [14] is a technique for introspecting a VM from outside it. It is the successor of Anubis and exclusively monitors Windows device drivers and kernel behaviour, generating a detailed report of malware activities on machines running Windows. It is claimed to detect kernel patching, call hooking and direct kernel object manipulation (DKOM). For kernel-side malicious code, the analysis needs to be performed at a higher privilege level than that of the kernel itself; this is only possible with out-of-VM analysis, since the hypervisor runs at a higher privilege level than the guest OS kernel. The focus of dAnubis is on monitoring all communication channels between the rootkit (the device driver affected by a rootkit) and the rest of the system. All necessary information, such as exported symbols, data structures and layouts, is extracted from the Windows OS; to reconstruct this information, kernel symbols and data structures are extracted from the Windows OS using a technique mentioned by [1. Anubis has been proposed for detailed analysis of rootkits. This tool is capable of conducting memory analysis and detecting attacks such as call table hooking, DKOM, runtime patching and hardware access. Stimulator: malware is activated by some triggering event, and Anubis has a stimulator engine that generates such events. Anubis works only on Windows OS. It is a malware analysis engine, not a malware detection engine.

System call introspection

A system call is a request by a program for a service from the kernel. The service is generally something that only the kernel has the privilege to perform, such as I/O. Hence, system calls play a very important role in events such as context switching, memory access, page table access and interrupt handling. In the case of virtualisation technology (VT) support [1. VM to the hypervisor and vice versa is managed by special system calls. To maintain the integrity of the system, specific system calls are banned from execution by a guest VM.

Introspection using virtualization support

It has already been shown [1. VT microprocessor support features can be used for introspection activities. Useful information related to guest VM implementation can be retrieved by monitoring the VM control structure (VMCS) of the processor; this region is dedicated to handling virtualisation support. Intel's VT-supported microprocessors have two modes of operation: VMX root operation and VMX non-root operation. VMX root operation is intended for hypervisor use; VMX non-root operation provides an alternative IA-3. There are two transitions between these two operation modes: 1) a transition from VMX root operation to VMX non-root operation (i.e., into the VM), called hypervisor entry, and 2) a transition from VMX non-root operation to VMX root operation (i.e., hypervisor exit). The CR3 register holds the page table address for the currently running process. Access to the CR3 register by the guest VM causes a hypervisor exit, which the hypervisor-based VMI module handles. A communication channel is opened between the VMI module in a secure VM and the VMI module in the hypervisor by setting up a covert channel through the VMCS region using an I/O bitmap. On receiving the CR3 change signal, the VMI module obtains access to the page tables, which enables tracking of the processes currently being executed. Aquarius demonstrates the application of Intel VT and AMD technologies for effective out-of-VM introspection. The BitVisor [18] hypervisor was used for introspection purposes, with some modifications made to BitVisor to inspect the guest's system call activities.

Introspection by hardware rooting

An introspection approach that relies only on guest OS knowledge might face attacks that change the architecture of the guest OS. Hardware rooting offers a solution to this type of attack, preventing malware from ever changing the structures of the virtual hardware; any trace that begins from hardware assistance has a much lower probability of such attacks. The hardware rooting mechanism thwarts the possible kernel data structure attacks mentioned in Section 'Kernel structure manipulation'. Hardware rooting exploits system call trapping using the interrupt descriptor table register (IDTR) and the interrupt descriptor table. The IDTR value is set by the processor, and the genuine interrupt descriptor table is accessed through system call trapping. Every time the value of the CR3 register needs to be changed, an interrupt needs to be generated, and the VMI method traces this interrupt to detect process switching. In this way, the value of the CR3 register, along with the value of the first valid entry in the corresponding top-level page directory, is accessed. The value of the CR3 register is unique for every process, so it identifies the process executing inside the VM. Nitro [3] is another tool based on the hardware rooting technique. Nitro claims to work on any operating system and has defined rules for OS portability. The unique feature of Nitro is its rule set: simple changes to a rule set enable it to work with almost any available OS. These rules have provision for determining the locations of system call arguments, variables, etc., which vary according to the implementation of the OS; generally, they reside on the stack or in CPU registers. Nitro has modified QEMU [1. KVM VMM [10]. All administrative commands to Nitro are given through the same monitor that is used by the KVM hypervisor. It is stealthier to direct kernel structure manipulation (DKSM) [1. CPU data structures. Importantly, its performance is dramatically improved compared to its predecessor, Ether [2.
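The memory-introspection and CR3-tracking mechanisms described above, as an added worked example in Python that is not part of the paper or of any tool it surveys (XenAccess, dAnubis, Nitro): it constructs a synthetic guest physical memory image with a hypothetical one-level page table and a hypothetical 48-byte process record, translates guest virtual addresses through CR3 the way a VMI module must before it can read kernel structures, walks the guest's own process list, and cross-checks that in-guest view against a signature scan of physical memory so that a record unlinked by DKOM still shows up. It also simulates the trapped CR3 write from the hardware-rooting section: a switch to a CR3 value that the kernel's list does not account for is the hardware-rooted signal that the list view is lying. Every address, field layout, process name and CR3 value is constructed for the demo.

```python
"""Constructed example: bridging the semantic gap over a synthetic guest memory image.

All layouts below are assumptions made for illustration: the 4 KiB pages, the
one-level page table, the 48-byte process record and the sample processes are
constructed, not taken from any real OS or VMI tool.
"""
import struct

PAGE = 0x1000
PTE_PRESENT = 1
TASK_FMT = "<4sI16sQQQ"                 # magic, pid, comm, next, prev, cr3 (hypothetical)
TASK_SIZE = struct.calcsize(TASK_FMT)   # 48 bytes
TASK_MAGIC = b"TASK"
KERNEL_CR3 = 0x1000                     # physical address of the kernel page-table page


def v2p(mem, cr3, va):
    """Translate a guest virtual address to a guest physical address via CR3."""
    (pte,) = struct.unpack_from("<Q", mem, cr3 + (va // PAGE) * 8)
    if not pte & PTE_PRESENT:
        raise ValueError(f"virtual address {va:#x} not mapped under CR3 {cr3:#x}")
    return (pte & ~(PAGE - 1)) | (va % PAGE)


def build_guest_memory():
    """Construct a 32 KiB 'guest physical memory' holding a page table and a task list.

    Constructed layout:
      phys 0x1000  kernel page table: 8-byte entries, entry i maps virtual page i
      phys 0x2000  mapped at virt 0x8000: init and sshd records
      phys 0x3000  mapped at virt 0x9000: bash record
      phys 0x4000  mapped at virt 0xA000: a record unlinked from the list (DKOM)
    """
    mem = bytearray(8 * PAGE)
    for vpage, frame in ((0x8, 0x2), (0x9, 0x3), (0xA, 0x4)):
        struct.pack_into("<Q", mem, KERNEL_CR3 + vpage * 8, frame * PAGE | PTE_PRESENT)

    # Circular doubly linked list as the guest kernel sees it: init -> sshd -> bash -> init.
    tasks = [
        (0x8000, 1, b"init", 0x8040, 0x9000, 0x1000),
        (0x8040, 101, b"sshd", 0x9000, 0x8000, 0x5000),
        (0x9000, 202, b"bash", 0x8000, 0x8040, 0x6000),
        # Hidden record: its own links still point into the list, but no linked
        # record points back to it, which is what DKOM unlinking leaves behind.
        (0xA000, 303, b"rootkit", 0x8000, 0x9000, 0x7000),
    ]
    for va, pid, comm, nxt, prv, cr3 in tasks:
        struct.pack_into(TASK_FMT, mem, v2p(mem, KERNEL_CR3, va),
                         TASK_MAGIC, pid, comm.ljust(16, b"\0"), nxt, prv, cr3)
    return mem


def parse_task(mem, phys):
    magic, pid, comm, nxt, prv, cr3 = struct.unpack_from(TASK_FMT, mem, phys)
    if magic != TASK_MAGIC:
        raise ValueError(f"no task record at physical {phys:#x}")
    return {"pid": pid, "comm": comm.rstrip(b"\0").decode(), "next": nxt, "prev": prv, "cr3": cr3}


def walk_task_list(mem, cr3, head_va, limit=1024):
    """In-guest view: follow next pointers from the list head until it loops back.

    `limit` bounds the walk so a corrupted list cannot spin the introspector forever."""
    seen, va = [], head_va
    for _ in range(limit):
        task = parse_task(mem, v2p(mem, cr3, va))
        seen.append(task)
        va = task["next"]
        if va == head_va:
            return seen
    raise RuntimeError("task list did not terminate; likely corrupted")


def scan_physical_for_tasks(mem):
    """Out-of-guest view: signature-scan physical memory, ignoring the kernel's own links."""
    found, pos = [], mem.find(TASK_MAGIC)
    while pos != -1 and pos + TASK_SIZE <= len(mem):
        found.append(parse_task(mem, pos))
        pos = mem.find(TASK_MAGIC, pos + 1)
    return found


def hidden_processes(mem, cr3, head_va):
    """Cross-view check: PIDs the physical scan finds that the list walk misses."""
    linked = {t["pid"] for t in walk_task_list(mem, cr3, head_va)}
    return sorted(t["pid"] for t in scan_physical_for_tasks(mem) if t["pid"] not in linked)


def on_cr3_write(mem, cr3, head_va, new_cr3):
    """Handler for a trapped CR3 write (the hypervisor-exit path in the text).

    Resolves the CR3 being loaded to a process from the list walk; 'unknown' means
    the hardware reports a switch to a process the kernel's own list denies exists."""
    for t in walk_task_list(mem, cr3, head_va):
        if t["cr3"] == new_cr3:
            return t["comm"]
    return "unknown"


if __name__ == "__main__":
    guest = build_guest_memory()
    print("linked:", [t["comm"] for t in walk_task_list(guest, KERNEL_CR3, 0x8000)])
    print("hidden pids:", hidden_processes(guest, KERNEL_CR3, 0x8000))
    print("CR3 0x7000 ->", on_cr3_write(guest, KERNEL_CR3, 0x8000, 0x7000))
```

The two views disagree on purpose: the list walk reports init, sshd and bash, the physical scan additionally finds pid 303, and a trapped switch to CR3 0x7000 resolves to no linked process. Against a real guest the same structure applies, with v2p replaced by a real page-table walk (multi-level, with the guest's actual PTE format) and parse_task driven by the kernel's symbol and struct-offset information, which is exactly the knowledge the semantic gap is about.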
November 2017