Loading...
| Friend's email | |
| Your name | |
| Your email | |
| enter code | |
This page was sent successfuly
Blue-Pill oxpecker: a VMI platform for transactional modification
Aghamirmohammadali, S. M ; Sharif University of Technology | 2021
208
Viewed
- Type of Document: Article
- DOI: 10.1109/TCC.2021.3067829
- Publisher: Institute of Electrical and Electronics Engineers Inc , 2021
- Abstract:
- Although multiple techniques have been proposed with the goal of minimizing the semantic gap in virtual machine introspection, most concentrate on passive observation of the internal state, while there are also a number of proposals with which active modification of the VM's internal state is made possible. However there are issues when modifications are applied, such as keeping a consistent kernel state and avoiding a crash. In this paper we propose Oxpecker, a VMI platform for transactional modification. The out-of-VM read access allows an introspector to detect malware in the guest OS (e.g., rootkit) and the transactional write access allows Oxpecker to reliably neutralize the detected threats. To begin a transaction, Oxpecker monitors VM state changes waiting for an idle moment which is free of possible race-conditions in the guest kernel memory. Thereafter, it invokes a VMI client's callback to proceed with reading/writing in its memory. Upon user request or possible exceptions, transaction is rolled back while the transaction ACID properties are maintained at all times. Oxpecker is implemented and evaluated under different real-world workloads. Additionally and as a practical example, a tool is developed, and open sourced, based on Oxpecker with which guest VM processes could be killed. IEEE
- Keywords:
- Malware ; Semantics ; ACID properties ; Internal state ; Kernel memory ; Real-world ; Semantic gap ; Virtual machine introspection ; Virtual machine
- Source: IEEE Transactions on Cloud Computing ; 2021 ; 21687161 (ISSN)
- URL: https://ieeexplore.ieee.org/document/9382893