• DocumentCode
    2321333
  • Title
    Surreptitious Deployment and Execution of Kernel Agents in Windows Guests
  • Author
    Chiueh, Tzi-cker ; Conover, Matthew ; Montague, Bruce
  • fYear
    2012
  • fDate
    13-16 May 2012
  • Firstpage
    507
  • Lastpage
    514
  • Abstract
    As more and more virtual machines (VM) are packed into a physical machine, refactoring common kernel components shared by the virtual machines running on the same physical machine significantly reduces the overall resource consumption. A refactored kernel component typically runs on a special VM called a virtual appliance. Because of the semantics gap in Hardware Abstraction Layer (HAL)-based virtualization, a physical machine's virtual appliance requires the support of per-VM in-guest agents to perform VM-specific operations such as kernel data structure access and modification. To simplify deployment, these agents must be injected into guest virtual machines without requiring any manual installation. Moreover, it is essential to protect the integrity of in-guest agents at run time, especially when the underlying refactored kernel service is security-related. This paper describes the design, implementation and evaluation of a surreptitious kernel agent deployment and execution mechanism called SADE that requires zero installation effort and effectively hides the execution of agent code. To demonstrate the efficacy of SADE, we describe a signature-based memory scanning virtual appliance that uses SADE to inject its in-guest kernel agents without any support from the injected virtual machine, and show that both the start-up overhead and the run-time performance penalty of SADE are quite modest in practice.
  • Keywords
    digital signatures; operating system kernels; virtual machines; HAL; SADE; VM-specific operations; agent code; execution mechanism; hardware abstraction layer based virtualization; injected virtual machine; kernel data structure access; kernel data structure modification; per-VM in-guest agents; physical machine; refactored kernel component; run-time performance penalty; semantics gap; signature-based memory scanning virtual appliance; start-up overhead; surreptitious kernel agent deployment; Windows guests; zero installation effort; Data structures; Home appliances; Kernel; Monitoring; Security; Virtual machine monitors; Virtual machining; agentless deployment; control hijacking; introspection; stealthy code injection;
  • fLanguage
    English
  • Publisher
    ieee
  • Conference_Titel
    Cluster, Cloud and Grid Computing (CCGrid), 2012 12th IEEE/ACM International Symposium on
  • Conference_Location
    Ottawa, ON
  • Print_ISBN
    978-1-4673-1395-7
  • Type
    conf
  • DOI
    10.1109/CCGrid.2012.41
  • Filename
    6217460