Article

Manitou: a layer-below approach to fighting malware

Authors:

Lionel Litty,

David LieAuthors Info & Claims

ASID '06: Proceedings of the 1st workshop on Architectural and system support for improving software dependability

Pages 6 - 11

https://doi.org/10.1145/1181309.1181311

Published: 21 October 2006 Publication History

Get Access

Abstract

Unbeknownst to many computer users, their machines are running malware. Others are aware that strange software inhabits their machine, but cannot get rid of it. In this paper, we present Manitou, a system that provides users with the ability to assign, track and revoke execution privileges for code, regardless of the integrity and type of operating system the machine is using.Manitou is implemented within a hypervisor and uses the per-page permission bits to ensure that any code contained in an executable page corresponds to authorized code. Manitou authenticates code by taking a cryptographic hash of the content of a page right before executing code contained in that page. Our system guarantees that only authorized code can be run on the system.

References

[1]

P. Barham, B. Dragovic, K. Fraser, S. Hand, T. Harris, A. Ho, R. Neugebauer, I. Pratt, and A. Warfield. Xen and the art of virtualization. In Proceedings of the 19th ACM Symposium on Operating Systems Principles (SOSP 2003), pages 164--177, Oct. 2003.

Digital Library

Google Scholar

[2]

T. Garfinkel, B. Pfaff, J. Chow, M. Rosenblum, and D. Boneh. Terra: A virtual machine-based platform for trusted computing. In Proceedings of the 19th ACM Symposium on Operating Systems Principles (SOSP 2003), Oct. 2003.

Digital Library

Google Scholar

[3]

T. Garfinkel and M. Rosenblum. A virtual machine introspection based architecture for intrusion detection. In Proceedings of the 10th Annual Symposium on Network and Distributed System Security (NDSS 2003), Feb. 2003.

Google Scholar

[4]

P. A. Karger, M. E. Zurko, D. W. Bonin, A. H. Mason, and C. E. Kahn. A retrospective on the VAX VMM security kernel. IEEE Transactions on Software Engineering, 17(11):1147--1165, 1991.

Digital Library

Google Scholar

[5]

G. H. Kim and E. H. Spafford. The design and implementation of Tripwire: A file system integrity checker. In ACM Conference on Computer and Communications Security, pages 18--29, 1994.

Digital Library

Google Scholar

[6]

S. T. King, P. M. Chen, Y.-M. Wang, C. Verbowski, H. J. Wang, and J. R. Lorch. Subvirt: Implementing malware with virtual machines. In Proceedings of the 2006 IEEE Symposium on Security and Privacy, May 2006.

Digital Library

Google Scholar

[7]

Microsoft Antimalware Team. The Windows malicious software removal tool: Progress made, trends observed. Technical report, Microsoft, June 2006.

Google Scholar

[8]

A. Moshchuk, T. Bragin, S. D. Gribble, and H. Levy. A crawler-based study of spyware in the web. In Proceedings of the 13th Annual Symposium on Network and Distributed System Security (NDSS 2006), Feb. 2006.

Google Scholar

[9]

R. Naraine. Microsoft says recovery from malware becoming impossible, 2006. www.eweek.com/article2/0,1895,1945808,00.asp

Google Scholar

[10]

N. L. Petroni Jr., T. Fraser, J. Molina, and W. A. Arbaugh. Copilot - a coprocessor-based kernel runtime integrity monitor. In Proceedings of the 13th USENIX Security Symposium, pages 179--194, Aug. 2004.

Digital Library

Google Scholar

[11]

R. Sailer, X. Zhang, T. Jaeger, and L. van Doorn. Design and implementation of a TCG-based integrity measurement architecture. In Proceedings of the 13th USENIX Security Symposium, pages 223--238, Aug. 2004.

Digital Library

Google Scholar

[12]

W. Sun, Z. Liang, R. Sekar, and V. Venkatakrishnan. One-way isolation: An effective approach for realizing safe execution environments. In Proceedings of the 12th Annual Symposium on Network and Distributed System Security (NDSS 2005), Feb. 2002.

Google Scholar

[13]

X. Zhang, L. van Doorn, T. Jaeger, R. Perez, and R. Sailer. Secure coprocessor-based intrusion detection. In Proceedings of the 10th ACM SIGOPS European Workshop, Sept. 2002.

Digital Library

Google Scholar

Cited By

View all

Nemati HTetreault FPuncher JDagenais M(2022)Critical Path Analysis through Hierarchical Distributed Virtualized Environments Using Host Kernel TracingIEEE Transactions on Cloud Computing10.1109/TCC.2019.295325810:2(774-791)Online publication date: 1-Apr-2022
https://doi.org/10.1109/TCC.2019.2953258
Nemati HAzhari SShakeri MDagenais M(2021)Host-Based Virtual Machine Workload Characterization Using Hypervisor Trace MiningACM Transactions on Modeling and Performance Evaluation of Computing Systems10.1145/34601976:1(1-25)Online publication date: 8-Jun-2021
https://dl.acm.org/doi/10.1145/3460197
Nemati HAzhari SDagenais M(2019)Host Hypervisor Trace Mining for Virtual Machine Workload Characterization2019 IEEE International Conference on Cloud Engineering (IC2E)10.1109/IC2E.2019.00024(102-112)Online publication date: Jun-2019
https://doi.org/10.1109/IC2E.2019.00024
Show More Cited By

Index Terms

Manitou: a layer-below approach to fighting malware
1. Security and privacy
  1. Systems security
    1. Operating systems security
2. Social and professional topics
  1. Computing / technology policy
    1. Computer crime

Recommendations

On the development of an internetwork-centric defense for scanning worms

Studies of worm outbreaks have found that the speed of worm propagation makes manual intervention ineffective. Consequently, many automated containment mechanisms have been proposed to contain worm outbreaks before they grow out of control. These ...
BLADE: an attack-agnostic approach for preventing drive-by malware infections
CCS '10: Proceedings of the 17th ACM conference on Computer and communications security

Web-based surreptitious malware infections (i.e., drive-by downloads) have become the primary method used to deliver malicious software onto computers across the Internet. To address this threat, we present a browser independent operating system kernel ...
Countering kernel rootkits with lightweight hook protection
CCS '09: Proceedings of the 16th ACM conference on Computer and communications security

Kernel rootkits have posed serious security threats due to their stealthy manner. To hide their presence and activities, many rootkits hijack control flows by modifying control data or hooks in the kernel space. A critical step towards eliminating ...

Comments

Information & Contributors

Information

Published In

ASID '06: Proceedings of the 1st workshop on Architectural and system support for improving software dependability

October 2006

76 pages

ISBN:1595935762

DOI:10.1145/1181309

Moderator:
Josep Torrellas
University of Illinois

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 21 October 2006

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Author Tags

Qualifiers

Article

Conference

ASPLOS06

ASPLOS06: Architectural Support for Programming Languages and Operating Systems

October 21, 2006

California, San Jose

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

39
Total Citations
View Citations
576
Total Downloads

Downloads (Last 12 months)2
Downloads (Last 6 weeks)0

Reflects downloads up to 03 Oct 2024

Other Metrics

View Author Metrics

Citations

Cited By

View all

Nemati HTetreault FPuncher JDagenais M(2022)Critical Path Analysis through Hierarchical Distributed Virtualized Environments Using Host Kernel TracingIEEE Transactions on Cloud Computing10.1109/TCC.2019.295325810:2(774-791)Online publication date: 1-Apr-2022
https://doi.org/10.1109/TCC.2019.2953258
Nemati HAzhari SShakeri MDagenais M(2021)Host-Based Virtual Machine Workload Characterization Using Hypervisor Trace MiningACM Transactions on Modeling and Performance Evaluation of Computing Systems10.1145/34601976:1(1-25)Online publication date: 8-Jun-2021
https://dl.acm.org/doi/10.1145/3460197
Nemati HAzhari SDagenais M(2019)Host Hypervisor Trace Mining for Virtual Machine Workload Characterization2019 IEEE International Conference on Cloud Engineering (IC2E)10.1109/IC2E.2019.00024(102-112)Online publication date: Jun-2019
https://doi.org/10.1109/IC2E.2019.00024
Nemati HDagenais M(2018)VM processes state detection by hypervisor tracing2018 Annual IEEE International Systems Conference (SysCon)10.1109/SYSCON.2018.8369612(1-8)Online publication date: Apr-2018
https://doi.org/10.1109/SYSCON.2018.8369612
Nemati HBastieny GDagenaisz M(2018)Wait analysis of virtual machines using host kernel tracing2018 IEEE International Conference on Consumer Electronics (ICCE)10.1109/ICCE.2018.8510984(1-6)Online publication date: Jan-2018
https://doi.org/10.1109/ICCE.2018.8510984
Patel ASingh RPatel JKapadia H(2017)Industrial Internet of Thing Based Smart Process Control Laboratory: A Case Study on Level Control SystemInformation and Communication Technology for Intelligent Systems (ICTIS 2017) - Volume 210.1007/978-3-319-63645-0_21(190-198)Online publication date: 17-Aug-2017
https://doi.org/10.1007/978-3-319-63645-0_21
Sgandurra DLupu E(2016)Evolution of Attacks, Threat Models, and Solutions for Virtualized SystemsACM Computing Surveys10.1145/285612648:3(1-38)Online publication date: 8-Feb-2016
https://dl.acm.org/doi/10.1145/2856126
Ali TAwadelseed OEldewahi A(2016)Random multiple layouts: Keylogger prevention technique2016 Conference of Basic Sciences and Engineering Studies (SGCAC)10.1109/SGCAC.2016.7457997(1-5)Online publication date: Feb-2016
https://doi.org/10.1109/SGCAC.2016.7457997
Li WWu DLiu P(2016)iCruiser: Protecting Kernel Link-Based Data Structures with Secure Canary2016 IEEE International Conference on Software Quality, Reliability and Security Companion (QRS-C)10.1109/QRS-C.2016.9(31-38)Online publication date: Aug-2016
https://doi.org/10.1109/QRS-C.2016.9
Joe-Uzuegbu CIwuchukwu UEzema L(2015)Application virtualization techniques for malware forensics in social engineering2015 International Conference on Cyberspace (CYBER-Abuja)10.1109/CYBER-Abuja.2015.7360508(45-56)Online publication date: Nov-2015
https://doi.org/10.1109/CYBER-Abuja.2015.7360508
Show More Cited By

View Options

Get Access

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Cited By

Index Terms

Recommendations

On the development of an internetwork-centric defense for scanning worms

BLADE: an attack-agnostic approach for preventing drive-by malware infections

Countering kernel rootkits with lightweight hook protection

Comments

Published In

Publisher

Publication History

Permissions

Check for updates

Author Tags

Qualifiers

Conference

Other Metrics

Article Metrics

Other Metrics

Cited By

Login options

Full Access

PDF

eReader

Abstract

References

Cited By

Index Terms

Recommendations

On the development of an internetwork-centric defense for scanning worms

BLADE: an attack-agnostic approach for preventing drive-by malware infections

Countering kernel rootkits with lightweight hook protection

Comments

Information

Published In

Publisher

Publication History

Permissions

Check for updates

Author Tags

Qualifiers

Conference

Contributors

Other Metrics

Bibliometrics

Article Metrics

Other Metrics

Citations

Cited By

Get Access

Login options

Full Access

View options

PDF

eReader

Figures

Other

Share

Share this Publication link

Share on social media

Affiliations