Ph.D. Defense of Dissertation Announcement

Title: Semantic View Re-creation for the Secure Monitoring of Virtual Machines

Martim Carbone
School of Computer Science
College of Computing
Georgia Institute of Technology

Date: Wednesday, June 13th, 2012
Time: 2:00 PM - 4:00 PM
Location: Klaus 3126 (GTISC War Room)

Committee:

• Prof. Wenke Lee, School of Computer Science (Advisor)
• Prof. Mustaque Ahamad, School of Computer Science
• Prof. Jonathon Giffin, School of Computer Science
• Prof. Karsten Schwan, School of Computer Science
• Dr. Weidong Cui, Microsoft Research

Abstract:
Virtual Machine Introspection (VMI) leverages the isolation provided by virtualization to separate security monitoring applications from untrusted monitored OS, placing each inside a distinct virtual machine. Despite its security benefits, significant challenges are associated with this type monitoring. The most significant relates to the level of access to the GVM state provided by the hypervisor to the monitoring application. As a low-level resource manager, the hypervisor knows nothing of the internal semantics of the guest OS state. All it sees are memory pages, CPU registers, instruction executions, interrupts and memory exceptions: data at a level too low to be useful to a security application, like an anti-virus tool. This problem is known as the semantic gap.
This thesis proposes and investigates novel techniques to overcome the semantic gap, advancing the state-of-the-art on the syntactic and semantic guest view re-creation for security applications that conduct passive and active out-of-VM monitoring of operating systems. It makes three contributions.
First, we present a passive out-of-VM memory analysis technique for reconstructing a syntactic view of the guest OS’s heap state. By applying a combination of offline static source code analysis and dynamic memory matching techniques, our KOP system is able to reconstruct a map of the guest OS’s dynamic kernel objects with near complete coverage and accuracy. The completeness of our analysis translates into stronger monitoring capabilities for security applications.
Second, we present a novel passive monitoring technique that combines the security of out-of-VM monitoring with the robustness of in-VM monitoring. Our infrastructure, SYRINGE,  securely leverages the guest OS’s own code to collect guest information at a high abstraction level, effectively bypassing the semantic gap. It allows the application to extract high-level semantic information from the guest without having to worry about the low-level structure of the monitored OS.
Our third contribution is in the context of active monitoring. To overcome the semantic gap, traditional virtualization-based active monitoring techniques compromise by relying on code execution hooks, which are easily circumvented by malware. We propose DARP, an active monitoring infrastructure based on a new event interception primitive: data access hooks. The key idea behind this primitive is to intercept and infer high-level OS events by monitoring activity at the level of dynamic kernel objects. It makes the task of hook circumvention considerably harder while still providing the foundation necessary for high-level event inference.