Catch you with cache: Out-of-VM introspection to trace malicious executions

Out-of-VM introspection is an imperative part of security analysis. The legacy methods either modify the system, introducing enormous overhead, or rely heavily on hardware features, which are neither available nor practical in most cloud environments. In this paper, we propose a novel analysis method, named Catcher, that utilizes the CPU cache to perform out-of-VM introspection. Catcher makes no modifications to the target program or its running environment, and demands no special hardware support. Implemented upon Linux KVM, it natively introspects the target's virtual memory. More importantly, it uses a cache-based side channel to infer the target's control flow. To deal with the inherent limitations of the side channel, we propose several heuristics to improve the accuracy and stability of Catcher. Our experiments against various malware armored with packing techniques show that Catcher can recover the control flow in real time with around 67% to 97% accuracy scores. Catcher incurs a negligible overhead on the system and can be launched at any time to monitor an ongoing attack inside a virtual machine.

Bibliographic Details
Main Authors: SU, Chao; DING, Xuhua; ZENG, Qinghai
Format: text
Language: English
Published: Institutional Knowledge at Singapore Management University, 2021
Subjects: Out-of-VM Introspection; Cache; Malware Analysis; Non-intrusiveness; Transparency; Databases and Information Systems; Information Security
Online Access: https://ink.library.smu.edu.sg/sis_research/6737
Full text (PDF): https://ink.library.smu.edu.sg/context/sis_research/article/7740/viewcontent/357200a326.pdf
Institution: Singapore Management University
Record Details
Record ID: sg-smu-ink.sis_research-7740
Record format: dspace
Date published: 2021-06-01
DOI: 10.1109/DSN48987.2021.00045
Licence: http://creativecommons.org/licenses/by-nc-nd/4.0/
Collection: Research Collection School Of Computing and Information Systems, InK@SMU (SMU Libraries, Singapore Management University, Singapore)
Content type: text, application/pdf