Authors

Jennia Hizver

Type

Text

Type

Dissertation

Advisor

Chiueh, Tzi-cker | Gao, Jie | Stoller, Scott | Murdoch, Steven.

Date

2015-08-01

Keywords

Computer science

Department

Department of Computer Science.

Language

en_US

Source

This work is sponsored by the Stony Brook University Graduate School in compliance with the requirements for completion of degree.

Identifier

http://hdl.handle.net/11401/77283

Publisher

The Graduate School, Stony Brook University: Stony Brook, NY.

Format

application/pdf

Abstract

Virtual Machine Introspection (VMI) is a new and important technique developed specifically for virtualized environments. VMI provides the ability to monitor a virtual machine (VM) by gathering VM run-time state from the hypervisor and analyzing that state to obtain information about the running operating system (OS) without installing an agent inside the VM. The agentless VMI approach has enabled the development of applications that combine the best of two worlds: efficient centralization and effective monitoring. VMI's primary drawback is the semantic gap problem. The semantic gap refers to the difficulty of interpreting the low-level run-time OS state obtained through VMI into a high-level model of the OS's state. We approached the problem through the creation of the real-time kernel data structure monitoring (RTKDSM) system. The RTKDSM system leverages the rich OS analysis capabilities of Volatility, an open source forensics framework, to simplify and automate analysis of the VM run-time state of Windows and Linux OSes. The RTKDSM system is designed as an extensible software framework, which can be extended by writing Volatility plugins to perform new VM analysis tasks. In addition, the RTKDSM system is built to perform real-time monitoring of the extracted OS state in guest VMs to detect changes made to that state. This feature is especially important for effective security monitoring of VMs. To improve the efficiency of the RTKDSM framework, we reduce the overhead of monitoring changes to guest OS state. The RTKDSM system is capable of supporting a wide range of VMI applications due to the RTKDSM framework's flexibility and extensibility. Leveraging the RTKDSM framework, VMI developers can easily create new VMI applications.
To demonstrate the practicality and effectiveness of the RTKDSM framework, we built three novel applications on top of the framework: (1) an inter-VM data flow tracking tool, (2) a VM lockdown tool that restricts the execution environment to running only approved user applications, and (3) a tool for detecting malicious attacks that manipulate the privileges of running processes. These systems are expected to contribute to enhanced system monitoring in virtual machine environments.

182 pages
