A Survey on Hypervisor-Based Monitoring: Approaches, Applications, and Evolutions

Published: 10 August 2015

Abstract

When designing computer monitoring systems, one goal has always been to have a complete view of the monitored target while stealthily protecting the monitor itself. One way to achieve this is to use hypervisor-based, or more generally out-of-virtual-machine (out-of-VM), monitoring. There are, however, challenges that limit the use of this mechanism; the most significant of these is the semantic gap problem. Over the past decade, a considerable amount of research has been carried out to bridge the semantic gap and develop all kinds of out-of-VM monitoring techniques and applications. By tracing the evolution of out-of-VM security solutions, this article examines and classifies different approaches that have been proposed to overcome the semantic gap—the fundamental challenge in hypervisor-based monitoring—and how they have been used to develop various security applications. In particular, we review how past approaches address different constraints, such as practicality, flexibility, coverage, and automation, while bridging the semantic gap; how they have developed different monitoring systems; and how those monitoring systems have been applied and deployed. In addition to systematizing all of the proposed techniques, we also discuss the remaining research problems and shed light on the future directions of hypervisor-based monitoring.



Published In

ACM Computing Surveys, Volume 48, Issue 1, September 2015, 592 pages
ISSN: 0360-0300
EISSN: 1557-7341
DOI: 10.1145/2808687
Editor: Sartaj Sahni

    Publisher

    Association for Computing Machinery

    New York, NY, United States

    Publication History

    Published: 10 August 2015
    Accepted: 01 August 2015
    Revised: 01 December 2014
    Received: 01 February 2014
    Published in CSUR Volume 48, Issue 1

    Author Tags

    1. VM
    2. Virtualization
    3. detection
    4. hypervisor
    5. integrity
    6. introspection
    7. isolation
    8. malware
    9. monitoring
    10. semantic gap
    11. virtual machine monitor

    Qualifiers

    • Survey
    • Research
    • Refereed

    Funding Sources

    • NSF
    • AFOSR
