Abstract
Device drivers are increasingly exposed to targeted attacks known as Advanced Persistent Threats (APTs), because some drivers control industrial infrastructure systems and/or hold sensitive data, e.g., secret keys for disk encryption and passwords for authentication. Even when an attack on such a system is discovered, updating the device driver is not easy: these systems are required to run non-stop, and the attacks are zero-day attacks. DriverGuard is developed to mitigate these problems. It is a lightweight hypervisor that can be inserted beneath a pre-installed OS (Windows) from USB memory at boot time. The memory regions holding sensitive data in the Windows kernel are protected by VM introspection and stealth breakpoints in the hypervisor. The hypervisor recognizes the memory structure of the guest OS by VM introspection and manipulates a page table entry (PTE) using the stealth breakpoints technique. DriverGuard prevents malicious write access to the code region, which would cause a Blue Screen of Death in Windows, and malicious read and write access to the data region, which would cause information leakage. The current implementation is applied to a pre-installed Windows 7 and increases the security of device drivers from outside the OS.
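The mechanism the abstract describes, a hypervisor that clears the PRESENT bit of a PTE so that every guest access to a protected page traps, is modelled below as an added toy simulation. This is constructed example code, not DriverGuard's implementation: the page table is a flat one-level array, the "guest" accesses are plain function calls instead of real instructions, and the policy names (PROT_CODE for a write-protected code region, PROT_DATA for a read/write-protected data region) are assumptions for illustration. It shows the two defensive outcomes from the abstract, a blocked write to code and a blocked read of data, and that the breakpoint is re-armed after each permitted access so the guest never sees the page as mapped.

```c
/* Toy model of PTE-based stealth breakpoints in a protecting hypervisor.
 * Constructed example; not DriverGuard code. Names and layout are assumptions. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PAGE_SHIFT 12
#define PAGE_SIZE  (1u << PAGE_SHIFT)
#define NUM_PAGES  8

/* Page-table entry flag bits, simplified from the x86 layout. */
#define PTE_PRESENT  0x1u
#define PTE_WRITABLE 0x2u

/* Policy is kept on the hypervisor side, outside the guest's view. */
enum prot   { PROT_NONE, PROT_CODE, PROT_DATA };
enum access { ACC_READ, ACC_WRITE };
enum result { ALLOWED, DENIED };

static uint8_t  phys_mem[NUM_PAGES * PAGE_SIZE]; /* toy guest memory */
static uint32_t pte[NUM_PAGES];                  /* toy one-level page table */
static enum prot policy[NUM_PAGES];              /* hypervisor policy per page */
static unsigned fault_count, denied_count;

static unsigned page_of(uint32_t va) { return (va >> PAGE_SHIFT) % NUM_PAGES; }

/* Arm a stealth breakpoint: record the policy and clear PRESENT so that
 * every guest touch of the page traps into the hypervisor. */
static void protect_page(unsigned pg, enum prot p)
{
    policy[pg] = p;
    pte[pg] &= ~PTE_PRESENT;
}

/* Page-fault handler in the hypervisor: decide from the hidden policy. */
static enum result handle_fault(unsigned pg, enum access a)
{
    fault_count++;
    if (policy[pg] == PROT_DATA) return DENIED;                    /* no read, no write */
    if (policy[pg] == PROT_CODE && a == ACC_WRITE) return DENIED;  /* code is immutable */
    return ALLOWED;
}

/* Guest memory access as mediated by the MMU model: a non-present PTE traps;
 * an allowed access runs with the page briefly re-mapped, then the
 * breakpoint is re-armed (the single-step-and-re-clear pattern). */
static enum result guest_access(uint32_t va, enum access a, uint8_t *val)
{
    unsigned pg = page_of(va);
    int trapped = !(pte[pg] & PTE_PRESENT);

    if (trapped && handle_fault(pg, a) == DENIED) {
        denied_count++;
        return DENIED;
    }
    if (trapped) pte[pg] |= PTE_PRESENT;   /* map only for this one access */

    if (a == ACC_WRITE) phys_mem[va % sizeof phys_mem] = *val;
    else                *val = phys_mem[va % sizeof phys_mem];

    if (trapped) pte[pg] &= ~PTE_PRESENT;  /* re-arm the stealth breakpoint */
    return ALLOWED;
}

static enum result guest_read(uint32_t va, uint8_t *out) { return guest_access(va, ACC_READ, out); }
static enum result guest_write(uint32_t va, uint8_t v)   { return guest_access(va, ACC_WRITE, &v); }

/* All pages start present and writable; page 1 is then treated as driver
 * code and page 2 as a key buffer (both constructed contents). */
static void setup(void)
{
    memset(phys_mem, 0, sizeof phys_mem);
    fault_count = denied_count = 0;
    for (unsigned i = 0; i < NUM_PAGES; i++) {
        pte[i] = PTE_PRESENT | PTE_WRITABLE;
        policy[i] = PROT_NONE;
    }
    memset(&phys_mem[1 * PAGE_SIZE], 0x90, 16);  /* constructed "code" bytes */
    memset(&phys_mem[2 * PAGE_SIZE], 0x41, 16);  /* constructed "secret" bytes */
    protect_page(1, PROT_CODE);
    protect_page(2, PROT_DATA);
}

static int is_present(unsigned pg) { return (pte[pg] & PTE_PRESENT) != 0; }
static unsigned get_faults(void) { return fault_count; }
static unsigned get_denied(void) { return denied_count; }

int main(void)
{
    uint8_t v = 0;
    setup();
    printf("read  code page : %s\n", guest_read(1 * PAGE_SIZE, &v) == ALLOWED ? "allowed" : "denied");
    printf("write code page : %s\n", guest_write(1 * PAGE_SIZE, 0xCC) == ALLOWED ? "allowed" : "denied");
    printf("read  data page : %s\n", guest_read(2 * PAGE_SIZE, &v) == ALLOWED ? "allowed" : "denied");
    printf("write plain page: %s\n", guest_write(3 * PAGE_SIZE, 0x01) == ALLOWED ? "allowed" : "denied");
    printf("faults=%u denied=%u\n", get_faults(), get_denied());
    return 0;
}
```

The point to take from the model is that the guest's own page table carries no hint of the policy: the only visible change is a cleared PRESENT bit, and after every permitted access the bit is cleared again, so a code region can still be read and executed while writes to it, and any access to the protected data region, end in the hypervisor rather than in memory.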
© 2014 Springer International Publishing Switzerland
Cite this paper
Suzaki, K., Yagi, T., Kobara, K., Ishiyama, T. (2014). Kernel Memory Protection by an Insertable Hypervisor Which Has VM Introspection and Stealth Breakpoints. In: Yoshida, M., Mouri, K. (eds) Advances in Information and Computer Security. IWSEC 2014. Lecture Notes in Computer Science, vol 8639. Springer, Cham. https://doi.org/10.1007/978-3-319-09843-2_4
DOI: https://doi.org/10.1007/978-3-319-09843-2_4
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-09842-5
Online ISBN: 978-3-319-09843-2
eBook Packages: Computer Science, Computer Science (R0)