Catch you with cache: Out-of-VM introspection to trace malicious executions
Out-of-VM introspection is an imperative part of security analysis. The legacy methods either modify the system, introducing enormous overhead, or rely heavily on hardware features, which are neither available nor practical in most cloud environments. In this paper, we propose a novel analysis metho...
Saved in:
| Main Authors: | , , |
|---|---|
| Format: | text |
| Language: | English |
| Published: |
Institutional Knowledge at Singapore Management University
2021
|
| Subjects: | |
| Online Access: | https://ink.library.smu.edu.sg/sis_research/6737 https://ink.library.smu.edu.sg/context/sis_research/article/7740/viewcontent/357200a326.pdf |
| Tags: |
Add Tag
No Tags, Be the first to tag this record!
|
| Institution: | Singapore Management University |
| Language: | English |
| id |
sg-smu-ink.sis_research-7740 |
|---|---|
| record_format |
dspace |
| spelling |
sg-smu-ink.sis_research-77402022-01-27T10:54:00Z Catch you with cache: Out-of-VM introspection to trace malicious executions SU, Chao DING, Xuhua ZENG, Qinghai Out-of-VM introspection is an imperative part of security analysis. The legacy methods either modify the system, introducing enormous overhead, or rely heavily on hardware features, which are neither available nor practical in most cloud environments. In this paper, we propose a novel analysis method, named as Catcher, that utilizes CPU cache to perform out-of-VM introspection. Catcher does not make any modifications to the target program and its running environment, nor demands special hardware support. Implemented upon Linux KVM, it natively introspects the target's virtual memory. More importantly, it uses the cache-based side channel to infer the target control flow. To deal with the inherent limitations of the side channel, we propose several heuristics to improve the accuracy and stability of Catcher. Our experiments against various malware armored with packing techniques show that Catcher can recover the control flow in real time with around 67% to 97% accuracy scores. Catcher incurs a negligible overhead to the system and can be launched at anytime to monitor an ongoing attack inside a virtual machine. 2021-06-01T07:00:00Z text application/pdf https://ink.library.smu.edu.sg/sis_research/6737 info:doi/10.1109/DSN48987.2021.00045 https://ink.library.smu.edu.sg/context/sis_research/article/7740/viewcontent/357200a326.pdf http://creativecommons.org/licenses/by-nc-nd/4.0/ Research Collection School Of Computing and Information Systems eng Institutional Knowledge at Singapore Management University Out-of-VM Introspection Cache Malware Analysis Non-intrusiveness Transparency Databases and Information Systems Information Security |
| institution |
Singapore Management University |
| building |
SMU Libraries |
| continent |
Asia |
| country |
Singapore Singapore |
| content_provider |
SMU Libraries |
| collection |
InK@SMU |
| language |
English |
| topic |
Out-of-VM Introspection Cache Malware Analysis Non-intrusiveness Transparency Databases and Information Systems Information Security |
| spellingShingle |
Out-of-VM Introspection Cache Malware Analysis Non-intrusiveness Transparency Databases and Information Systems Information Security SU, Chao DING, Xuhua ZENG, Qinghai Catch you with cache: Out-of-VM introspection to trace malicious executions |
| description |
Out-of-VM introspection is an imperative part of security analysis. The legacy methods either modify the system, introducing enormous overhead, or rely heavily on hardware features, which are neither available nor practical in most cloud environments. In this paper, we propose a novel analysis method, named as Catcher, that utilizes CPU cache to perform out-of-VM introspection. Catcher does not make any modifications to the target program and its running environment, nor demands special hardware support. Implemented upon Linux KVM, it natively introspects the target's virtual memory. More importantly, it uses the cache-based side channel to infer the target control flow. To deal with the inherent limitations of the side channel, we propose several heuristics to improve the accuracy and stability of Catcher. Our experiments against various malware armored with packing techniques show that Catcher can recover the control flow in real time with around 67% to 97% accuracy scores. Catcher incurs a negligible overhead to the system and can be launched at anytime to monitor an ongoing attack inside a virtual machine. |
| format |
text |
| author |
SU, Chao DING, Xuhua ZENG, Qinghai |
| author_facet |
SU, Chao DING, Xuhua ZENG, Qinghai |
| author_sort |
SU, Chao |
| title |
Catch you with cache: Out-of-VM introspection to trace malicious executions |
| title_short |
Catch you with cache: Out-of-VM introspection to trace malicious executions |
| title_full |
Catch you with cache: Out-of-VM introspection to trace malicious executions |
| title_fullStr |
Catch you with cache: Out-of-VM introspection to trace malicious executions |
| title_full_unstemmed |
Catch you with cache: Out-of-VM introspection to trace malicious executions |
| title_sort |
catch you with cache: out-of-vm introspection to trace malicious executions |
| publisher |
Institutional Knowledge at Singapore Management University |
| publishDate |
2021 |
| url |
https://ink.library.smu.edu.sg/sis_research/6737 https://ink.library.smu.edu.sg/context/sis_research/article/7740/viewcontent/357200a326.pdf |
| _version_ |
1770576057051643904 |