Process Implanting: A New Active Introspection Framework for Virtualization
Zhongshu Gu - Purdue University
Nov 09, 2011Size: 445.3MB
Download: MP4 Video
Watch in your Browser Watch on YouTube
AbstractPrevious research on virtual machine introspection proposed "out-of-box" approach by moving out security tools from the guest operating system. However, compared to the traditional "in-the-box" approach, it remains a challenge to obtain a complete semantic view due to the semantic gap between the guest VM and the hypervisor.
In this paper, we present Process Implanting, a new active VM introspection framework, to narrow the semantic gap by implanting a process from the host into the guest VM and executing it under the cover of an existing running process. With the protection and coordination from the hypervisor, the implanted process can run with a degree of stealthiness and exit gracefully without leaving negative impact on the guest operating system. We have designed and implemented a proof-of-concept prototype on KVM which leverages hardware virtualization. We also propose and demonstrate application scenarios for Process Implanting in the area of VM security.
About the SpeakerZhongshu Gu is a Ph.D. student from department of computer science at
Purdue University. His research interests are on application/system
security, virtualization technology and malware analysis. His advisor
is Prof. Dongyan Xu.
The views, opinions and assumptions expressed in these videos are those of the presenter and do not necessarily reflect the official policy or position of CERIAS or Purdue University. All content included in these videos, are the property of Purdue University, the presenter and/or the presenter’s organization, and protected by U.S. and international copyright laws. The collection, arrangement and assembly of all content in these videos and on the hosting website exclusive property of Purdue University. You may not copy, reproduce, distribute, publish, display, perform, modify, create derivative works, transmit, or in any other way exploit any part of copyrighted material without permission from CERIAS, Purdue University.