4th International ICST Conference on Security and Privacy in Communication Networks

Research Article

Hiding “Real” Machine from Attackers and Malware with a Minimal Virtual Machine Monitor

  • @INPROCEEDINGS{10.1145/1460877.1460904,
        author={Yan Wen and Jinjing Zhao and Huaimin Wang},
        title={Hiding “Real” Machine from Attackers and Malware with a Minimal Virtual Machine Monitor},
        proceedings={4th International ICST Conference on Security and Privacy in Communication Networks},
        publisher={ACM},
        proceedings_a={SECURECOMM},
        year={2008},
        month={9},
        keywords={Hardware-assisted VMM, VMM-aware malware},
        doi={10.1145/1460877.1460904}
    }
    
  • Yan Wen
    Jinjing Zhao
    Huaimin Wang
    Year: 2008
    Hiding “Real” Machine from Attackers and Malware with a Minimal Virtual Machine Monitor
    SECURECOMM
    ACM
    DOI: 10.1145/1460877.1460904
Yan Wen1,*, Jinjing Zhao2,*, Huaimin Wang1,*
  • 1: School of Computer, National University of Defense Technology, Changsha, China
  • 2: Beijing Institute of System Engineering, Beijing, China
*Contact email: wenyan@nudt.edu.cn, misszhaojinjing@sina.com.cn, whm_w@163.com

Abstract

As security researchers increasingly rely on virtual machines (VMs) in their analysis work, malware has a strong incentive to detect the presence of a VM and withhold its malicious behavior. Hiding a VM from malware by building a transparent virtual machine monitor (VMM), however, is fundamentally infeasible, as well as impractical from a performance and engineering standpoint. This paper proposes a new idea from the opposite perspective: hiding the “real” machine from VMM-aware malware. We propose a minimal VMM called MiniVMM, which can migrate an already-booted OS, the OS we aim to protect, onto the VMM on demand. In our protection model, all untrusted code, even after it has been vetted by VMM-based malware detectors, is executed in this migrated OS. Instead of trying to be transparent, MiniVMM deliberately exposes VMM fingerprints, protecting the computer against VMM-aware malicious programs by tricking them into deactivating their destructive behavior themselves. MiniVMM has two key features: dynamic OS migration and emulation of commodity VMM fingerprints. Unlike existing VMM solutions, MiniVMM can switch the protected OS between VMM mode and native mode dynamically. It can also emulate the fingerprints of prevalent VMMs, making the protected computer look even more like a “real” VM. MiniVMM might be deployed as a valuable complement to existing VMM-based security approaches, making native OSes immune to VMM-aware malware.
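To make the abstract's mechanism concrete, the following is an added example (written for this page, not code from the paper or from MiniVMM) of the kind of fingerprint a VMM-aware sample inspects and that a protector in MiniVMM's position would deliberately present. It uses the standard x86 CPUID hypervisor-presence bit (leaf 1, ECX bit 31) and the hypervisor vendor signature in leaf 0x40000000; the paper does not say which fingerprints MiniVMM emulates, so this particular check and the vendor-signature table are an assumption of this example, chosen because they are the best-known VMM fingerprints. The "would deactivate" policy is likewise a stand-in for whatever a given malware family actually does.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
#define HAVE_CPUID 1
#else
#define HAVE_CPUID 0   /* non-x86 build: the probe simply reports "no hypervisor" */
#endif

/* The two pieces of evidence a VMM-aware sample typically looks at. */
struct hv_fingerprint {
    int present;      /* CPUID.1:ECX[31], the "hypervisor present" bit */
    char vendor[13];  /* CPUID.0x40000000 EBX:ECX:EDX, NUL-terminated */
};

/* Map a 12-byte hypervisor vendor signature to a VMM name.
   These are the well-known published signatures; the table is this
   example's own, not something taken from the paper. */
const char *vmm_name_from_signature(const char *sig)
{
    static const struct { const char *sig; const char *name; } table[] = {
        { "VMwareVMware", "VMware" },
        { "KVMKVMKVM",    "KVM" },         /* padded with NULs to 12 bytes */
        { "Microsoft Hv", "Hyper-V" },
        { "XenVMMXenVMM", "Xen" },
        { "VBoxVBoxVBox", "VirtualBox" },
        { "TCGTCGTCGTCG", "QEMU (TCG)" },
    };
    for (size_t i = 0; i < sizeof table / sizeof table[0]; i++)
        if (strncmp(sig, table[i].sig, 12) == 0)
            return table[i].name;
    return "unknown";
}

/* Read the real fingerprint of the machine this code runs on. */
struct hv_fingerprint read_hv_fingerprint(void)
{
    struct hv_fingerprint fp;
    memset(&fp, 0, sizeof fp);
#if HAVE_CPUID
    unsigned int eax, ebx, ecx, edx;
    if (__get_cpuid(1, &eax, &ebx, &ecx, &edx))
        fp.present = (ecx >> 31) & 1;
    if (fp.present) {
        /* Leaf 0x40000000 lies above the max basic leaf, so __get_cpuid
           would refuse it; issue the instruction directly. */
        __cpuid(0x40000000, eax, ebx, ecx, edx);
        memcpy(fp.vendor + 0, &ebx, 4);
        memcpy(fp.vendor + 4, &ecx, 4);
        memcpy(fp.vendor + 8, &edx, 4);
    }
#endif
    return fp;
}

/* What a MiniVMM-style protector would expose on purpose: the fingerprint
   of a prevalent commodity VMM, instead of trying to look like bare metal. */
struct hv_fingerprint emulated_fingerprint(const char *signature)
{
    struct hv_fingerprint fp;
    memset(&fp, 0, sizeof fp);
    fp.present = 1;
    strncpy(fp.vendor, signature, 12);   /* vendor[12] stays NUL from memset */
    return fp;
}

/* Assumed malware-side policy: a set hypervisor bit plus a recognised vendor
   means "analysis environment", so the sample stays dormant. Cruder samples
   stop at the bit alone; pickier ones also check for a known vendor, which
   is why emulating a real VMM's signature matters. */
int malware_would_deactivate(struct hv_fingerprint fp)
{
    return fp.present && strcmp(vmm_name_from_signature(fp.vendor), "unknown") != 0;
}

int main(void)
{
    struct hv_fingerprint real = read_hv_fingerprint();
    struct hv_fingerprint fake = emulated_fingerprint("VMwareVMware");
    printf("this host: bit=%d vendor=\"%s\" (%s) -> deactivate: %s\n",
           real.present, real.vendor, vmm_name_from_signature(real.vendor),
           malware_would_deactivate(real) ? "yes" : "no");
    printf("emulated : bit=%d vendor=\"%s\" (%s) -> deactivate: %s\n",
           fake.present, fake.vendor, vmm_name_from_signature(fake.vendor),
           malware_would_deactivate(fake) ? "yes" : "no");
    return 0;
}
```

Run on bare metal the first line reports no hypervisor, and the second line shows the effect the abstract aims for: once the protector answers the same probe with a commodity VMM's signature, a sample using this policy concludes it is inside an analysis VM and stands down. Note that CPUID is only one fingerprint; samples also probe descriptor-table addresses, device names, MAC prefixes and timing, so a real emulation has to cover the whole set a given family checks.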