KSII Transactions on Internet and Information Systems (TIIS)

Korean Society for Internet Information (한국인터넷정보학회)
권호 표지
DOI QR코드

DOI QR Code

VirtAV: an Agentless Runtime Antivirus System for Virtual Machines

  • Tang, Hongwei (Shenzhen Institute of Advanced Technology, Chinese Academy of Sciences) ;
  • Feng, Shengzhong (Shenzhen Institute of Advanced Technology, Chinese Academy of Sciences) ;
  • Zhao, Xiaofang (University of Chinese Academy of Sciences) ;
  • Jin, Yan (University of Chinese Academy of Sciences)
  • Received : 2016.08.09
  • Accepted : 2017.07.10
  • Published : 2017.11.30
Download PDF
⟨ Previous Next ⟩

Abstract

Antivirus is an important issue to the security of virtual machine (VM). According to where the antivirus system resides, the existing approaches can be categorized into three classes: internal approach, external approach and hybrid approach. However, for the internal approach, it is susceptible to attacks and may cause antivirus storm and rollback vulnerability problems. On the other hand, for the external approach, the antivirus systems built upon virtual machine introspection (VMI) technology cannot find and prohibit viruses promptly. Although the hybrid approach performs virus scanning out of the virtual machine, it is still vulnerable to attacks since it completely depends on the agent and hooks to deliver events in the guest operating system. To solve the aforementioned problems, based on in-memory signature scanning, we propose an agentless runtime antivirus system VirtAV, which scans each piece of binary codes to execute in guest VMs on the VMM side to detect and prevent viruses. As an external approach, VirtAV does not rely on any hooks or agents in the guest OS, and exposes no attack surface to the outside world, so it guarantees the security of itself to the greatest extent. In addition, it solves the antivirus storm problem and the rollback vulnerability problem in virtualization environment. We implemented a prototype based on Qemu/KVM hypervisor and ClamAV antivirus engine. Experimental results demonstrate that VirtAV is able to detect both user-level and kernel-level virus programs inside Windows and Linux guest, no matter whether they are packed or not. From the performance aspect, the overhead of VirtAV on guest performance is acceptable. Especially, VirtAV has little impact on the performance of common desktop applications, such as video playing, web browsing and Microsoft Office series.

Keywords

References

  1. J. O. Kephart and W. C. Arnold, "Automatic extraction of computer virus signatures," in Proc. of 4th Virus Bulletin Int. Conf., pp.179-194, 1994.
  2. A. V. Aho and M. J. Corasick, "Efficient string matching: an aid to bibliographic search," Communications of the ACM, vol. 18, no. 6, pp.333-340, June 1975. https://doi.org/10.1145/360825.360855
  3. ClamAV. http://www.clamav.net.
  4. McAfee Antivirus. http://www.mcafee.com/.
  5. Trend Micro White Paper, "Changing the game for antivirus in the virtual datacenter," September 2010.
  6. Y. Xia, Y. Liu, H. Chen and B. Zang, "Defending against VM rollback attack," in Proc. of 2012 IEEE/IFIP 42nd Int. Conf. on Dependable Systems and Networks Workshops (DSN-W), pp.1-5, June 25-28, 2012.
  7. T. Garfinkel and M. Rosenblum, "When virtual is harder than real: security challenges in virtual machine Based computing environments," in Proc. of 10th Conf. on Hot Topics in Operating Systems, vol. 10, pp.20-20, June 12-15, 2005.
  8. T. Garfinkel and M. Rosenblum, "A virtual machine introspection based architecture for intrusion detection," in Proc. of the 10th Annual Network and Distributed System Security Symp., pp.191-206, February 6-7, 2003.
  9. X. Jiang, X. Wang and D. Xu, "Stealthy malware detection through VMM-based 'out-of-the-box' semantic view reconstruction," in Proc. of 14th ACM Conf. on Computer and Communications Security, pp.128-138, October 29-November 2, 2007.
  10. P. M. Chen and B. D. Noble, "When virtual is better than real," in Proc. of 8th Workshop on Hot Topics in Operating Systems (HOTOS'01), pp.133-138, May 20-2, 2001.
  11. H. Xiong, Z. Liu, W. Xu and S. Jiao, "Libvmi: a library for bridging the semantic gap between guest OS and VMM," in Proc. of 12th Int. Conf. on Computer and Information Technology (CIT), pp.549-556, October 27-29, 2012.
  12. B. D. Payne, M. Carbone, M. Sharif and W Lee, "Lares: an architecture for secure active monitoring using virtualization," in Proc. of 29th IEEE Symp. on Security and Privacy, pp.233-247, May 18-22, 2008.
  13. VMWare vShield Endpoint. http://www.vmware.com/products/vsphere/features/endpoint.html.
  14. Libguestfs. http://libguestfs.org/.
  15. Microsoft PE and COFF Specification, https://msdn.microsoft.com/en-us/windows/hardware/gg463119.aspx.
  16. Intel, "Intel 64 and IA-32 Architectures Software Developer's Manual, Volume 3B: System Programming Guide Part 2."
  17. atozvirus.rar. http://yun.baidu.com/wap/link?uk=2852875414&shareid=3677790463&third=0.
  18. PCMark. http://cn.futuremark.com/benchmarks/pcmark.
  19. SysInternalsSuite. https://technet.microsoft.com/en-us/sysinternals/bb842062.aspx.
  20. M. Sharif, W. Lee, W. Cui and A. Lanzi, "Secure in-VM monitoring using hardware virtualization," in Proc. of 16th ACM Conf. on Computer and Communications Security, pp.477-487, November 9-13, 2009.
  21. G. W. Dunlap, S. T. King, S. Cinar, M. A. Basrai and P. M. Chen, "ReVirt: enabling intrusion analysis through virtual-machine logging and replay," ACM SIGOPS Operating Systems Review, vol. 36, no. SI, pp.211-224, 2002. https://doi.org/10.1145/844128.844148
  22. J. R. Crandall, G. Wassermann, D. A. Oliveira, Z. Su, S. F. Wu and F. T. Chong, "Temporal search: detecting hidden malware timebombs with virtual machines," ACM SIGOPS Operating Systems Review, vol. 40, no. 5, December 2006.
  23. Y. Wang, D. Beck, X. Jiang and R. Roussev, "Automated web patrol with strider HoneyMonkeys: finding web sites that exploit browser vulnerabilities," in Proc. of 13th Network and Distributed Systems Security Symp., pp.1-15, February 2-3, 2006.
  24. A. Dinaburg, P. Royal, M. Sharif and W. Lee, "Ether: malware analysis via hardware virtualization extensions," in Proc. of 15th ACM Conf. on Computer and Communications Security, pp.51-62, October 27-31, 2008.
  25. M. Andreas, K. Christopher and K. Engin, "Exploring multiple execution paths for malware analysis," in Proc. of 28th IEEE Symp. on Security and Privacy, pp.231-245, May 20-23, 2007.
  26. G. Xiang, H. Jin, D. Zou and X. Chen, "Virtualization based security monitoring," Journal of Software, vol. 23, no. 8, pp.2173-2187, 2012. https://doi.org/10.3724/SP.J.1001.2012.04219
  27. S. Wessel and F. Stumpf, "Page-based runtime integrity protection of user and kernel Code," in Proc. of 5th European Workshop on System Security (EuroSec'12), April 10, 2012.
  28. A. Arcangeli, I. Eidus and C. Wright, "Increasing memory density by using KSM," in Proc. of Linux Symp., pp.19-28, July 13-17, 2009.
  29. T. Brosch and M. Morgenstern, "Runtime packers: the hidden problem," in Proc. of Black Hat USA, 2006.
  30. PE Formart. https://msdn.microsoft.com/en-us/library/ms680339(v=vs.85).aspx.
  31. P. Royal, M. Halpin, D. Dagon, R. Edmonds and W. Lee, "PolyUnpack: automating the hidden-code extraction of unpack-executing malware," in Proc. of Computer Security Applications Conf. 2006 (ACSAC '06), pp.289-300, December 11-15, 2006.
  32. Malfease Project. http://malfease.oarci.net.
  33. M. M. K. Al-Anezi, "Generic packing detection using several complexity analysis for accurate malware detection," International Journal of Advanced Computer Science and Applications (IJACSA), vol.5, no. 1, pp.7-14, 2014.
  34. K. Griffin, S. Schneider, X. Hu and T. C. Chiueh, "Automatic generation of string signatures for malware detection," in Proc. of Recent Advances in Intrusion Detection Int. Symp. (RAID 2009), pp.101-120, September 23-25, 2009.
  35. Y. Afek, A. Bremler-Barr and S. Landau-Feibish, "Automated signature extraction for high volume attacks," in Proc. of 2013 ACM/IEEE Symp. on Architectures for Networking and Communications Systems (ANCS), pp.147-156, October 21-22, 2013.
  36. Z. Li, X. F. Wang, Z. Liang and M. K. Reiter, "AGIS: towards automatic generation of infection signatures," in Proc. of IEEE Int. Conf. on Dependable Systems and Networks with FTCS and DCC, pp.237-246, June 24-27, 2008.
  37. C. Pham, Z. Estrada, P. Cao and Z. Kalbarczyk, "Reliability and security monitoring of virtual machines using hardware architectural invariants," in Proc. of 2014 44th Annual IEEE/IFIP Int. Conf. on Dependable Systems and Networks (DSN), pp.13-24, June 23-26, 2014.
  38. H. W. Baek, A. Srivastava and d. M. J. Van, "CloudVMI: virtual machine introspection as a cloud service," in Proc. of IEEE Int. Conf. on Cloud Engineering, pp.153-158, March 11-14, 2014.
  39. S. Mariani, L. Fontana, F. Gritti and S. D'Alessio, "PinDemonium: a DBI-based generic unpacker for Windows executables," in Proc. of Black Hat USA, 2016.
  40. E. Bauman, G. Ayoade and Z. Lin, "A survey on hypervisor-based monitoring: approaches, applications, and evolutions," ACM Computing Surveys, vol. 48, no. 1, pp.1-33, September 2015.
  41. D. Srinivasan, Z. Wang, X. Jiang, and D. Xu, "Process out-grafting: an efficient "out-of-VM" approach for fine-grained process execution monitoring," in Proc. of ACM Conf. on Computer and Communications Security (CCS 2011), pp.363-374, October 17-21, 2011.
  42. Y. Xia, Y. Liu and H. Chen, "Architecture support for guest-transparent VM protection from untrusted hypervisor and physical attacks," in Proc. of IEEE Int. Symp. on High Performance Computer Architecture, pp.246-257, February 23-27, 2013.
  43. R. Wu, P. Chen, P. Liu and B. Mao, "System call redirection: a practical approach to meeting real-world virtual machine introspection needs," in Proc. of 2014 IEEE/IFIP Int. Conf. on Dependable Systems and Networks, pp.574-585, June 23-26, 2014.
  44. S. Suneja, R. Koller, C. Isci, E. de Lara, A. Hashemi, A. Bhattacharyya and et al., "Safe inspection of live virtual machines," in Proc. of the 13th ACM SIGPLAN/SIGOPS Int. Conf. on Virtual Execution Environments, pp.97-111, April 8-9, 2017.
  45. J. Xiao, L. Lu, H. Wang and X. Zhu, "HyperLink: virtual machine introspection and memory forensic analysis without kernel source code," in Proc. of IEEE Int. Conf. on Autonomic Computing, pp.127-136, July 17-22, 2016.
  46. A. More and S. Tapaswi, "Virtual machine introspection: towards bridging the semantic gap," Journal of Cloud Computing: Advances, Systems and Applications, 3:16, October 2014. https://doi.org/10.1186/s13677-014-0016-2
  47. Y. Liu, Y. Xia, H. Guan, B. Zang and H. Chen, "Concurrent and consistent virtual machine introspection with hardware transactional memory," in Proc. of IEEE Int. Symp. on High Performance Computer Architecture, pp.416-427, February 15-19, 2014.
  48. L. Liu, J. Ming, Z. Wang, D. Gao and C. Jia, "Denial-of-service attacks on host-based generic unpackers," in Proc. of Int. Conf. on Information and Communications Security (ICICS 2009), pp.241-253, December 14-17, 2009.
  49. H. Noh, "Complexity-based packed executable classification with high accuracy," Master Thesis, School of Engineering, Information and Communications University, Korea, 2009.
  50. A. Fischer, T. Kittel, B. Kolosnjaji, T. K. Lengyel, W. Mandarawi, H. D. Meer and et al., "CloudIDEA: a malware defense architecture for cloud data centers," in Proc. of OTM Confederated Int. Conf. "On the Move to Meaningful Internet Systems," pp.594-611, October 26-30, 2015.
  51. S. Biedermann and S. Katzenbeisser, "Detecting computer worms in the cloud," in Proc. of IFIP WG 11.4 Int. Workshop (iNetSec 2011), pp.43-54, June 9, 2011.
  52. J. Shi, Y. Yang, and C. Tang, "Hardware assisted hypervisor introspection," SpringerPlus, 5:647, May 2016. https://doi.org/10.1186/s40064-016-2257-7
  53. G. Jeong, E. Choo, J. Lee and M. Bat-Erdene, "Generic unpacking using entropy analysis," in Proc. of Int. Conf. on Malicious and Unwanted Software, pp.98-105, October 19-20, 2010.