DocumentCode :
2786102
Title :
Supporting Virtualization-Aware Security Solutions Using a Systematic Approach to Overcome the Semantic Gap
Author :
Ibrahim, Amani S. ; Hamlyn-Harris, James ; Grundy, John ; Almorsy, Mohamed
Author_Institution :
Centre for Comput. & Eng. Software Syst., Swinburne Univ. of Technol., Melbourne, VIC, Australia
fYear :
2012
fDate :
24-29 June 2012
Firstpage :
836
Lastpage :
843
Abstract :
A prerequisite to implementing virtualization-aware security solutions is to solve the "semantic gap" problem. Current approaches require a deep knowledge of the kernel data to manually solve the semantic gap. However, kernel data is very complex; an Operating System (OS) kernel contains thousands of data structures that have direct and indirect (pointer) relations between each other with no explicit integrity constraints. This complexity makes it impractical to use manual methods. In this paper, we present a new solution to systematically and efficiently solve the semantic gap for any OS, without any prior knowledge of the OS. We present: (i) KDD, a tool that systematically builds a precise kernel data definition for any C-based OS such as Windows and Linux. KDD generates this definition by performing points-to analysis on the kernel's source code to disambiguate the pointer relations. (ii) SVA, a security appliance that solves the semantic gap based on the generated definition, to systematically and externally map the virtual machines' physical memory and extract the runtime dynamic objects. We have implemented prototypes for KDD and SVA, and have performed different experiments to prove their effectiveness.
Keywords :
C language; Linux; data structures; operating system kernels; security of data; virtual machines; virtualisation; C-based OS; KDD tool; Linux; OS kernel; SVA security appliance; Windows; data structure; integrity constraint; kernel data; kernel source code; operating system; pointer relation; points-to analysis; runtime dynamic object; semantic gap problem; systematic approach; virtual machines; virtualization-aware security solution; Algorithm design and analysis; Context; Data structures; Kernel; Runtime; Security; Semantics; IaaS; Kernel data structures; points-to analysis; semantic gap; virtualization-aware security solutions
fLanguage :
English
Publisher :
ieee
Conference_Titel :
Cloud Computing (CLOUD), 2012 IEEE 5th International Conference on
Conference_Location :
Honolulu, HI
ISSN :
2159-6182
Print_ISBN :
978-1-4673-2892-0
Type :
conf
DOI :
10.1109/CLOUD.2012.129
Filename :
6253586