Search results for "Hypervisor"

showing 10 items of 17 documents

Hypervisor Memory Introspection and Hypervisor Based Malware Honeypot

2020

Memory acquisition is a tool used in advanced forensics and malware analysis. Various methods of memory acquisition exist. Such solutions are ranging from tools based on dedicated hardware to software-only solutions. We proposed a hypervisor based memory acquisition tool. [22]. Our method supports ASLR and Modern operating systems which is an innovation compared to past methods [27, 36]. We extend the hypervisor assisted memory acquisition by adding mass storage device honeypots for the malware to cross and propose hiding the hypervisor using bluepill technology.

021110 strategic defence & security studiesAtomicitySoftware_OPERATINGSYSTEMSHoneypotComputer science0211 other engineering and technologiesHypervisor02 engineering and technologycomputer.software_genreVirtualizationMemory forensicsMass storage0202 electrical engineering electronic engineering information engineeringOperating systemMalware020201 artificial intelligence & image processingMalware analysiscomputer
researchProduct

HyperWall: A Hypervisor for Detection and Prevention of Malicious Communication

2020

Malicious programs vary widely in their functionality, from key-logging to disk encryption. However, most malicious programs communicate with their operators, thus revealing themselves to various security tools. The security tools incorporated within an operating system are vulnerable to attacks due to the large attack surface of the operating system kernel and modules. We present a kernel module that demonstrates how kernel-mode access can be used to bypass any security mechanism that is implemented in kernel-mode. External security tools, like firewalls, lack important information about the origin of the intercepted packets, thus their filtering policy is usually insufficient to prevent c…

021110 strategic defence & security studiesSoftware_OPERATINGSYSTEMSNetwork securitybusiness.industryComputer scienceNetwork packet0211 other engineering and technologiesHypervisor02 engineering and technologyAttack surfaceComputer securitycomputer.software_genreOperator (computer programming)Trusted computing baseDisk encryptionKernel (image processing)020204 information systems0202 electrical engineering electronic engineering information engineeringbusinesscomputer
researchProduct

Arm Hypervisor and Trustzone Alternatives

2020

Many scenarios such as DRM, payments, and homeland security require a trusted and verified trusted execution environment (TEE) on ARM. In most cases such TEE should be available in source code mode. The vendor cannot conduct code review and ensure that the operating system is trustworthy unless source code is available. Android and other rich execution environments (REEs) support various TEE implementations. Each TEE implementation has its own unique way of deploying trusted applications and features. Most TEEs in ARM can be started at TrustZone™ or Hyp (Hypervisor) mode. Choosing a proper TEE operating system can be a problem for trusted application developers and hardware vendors. This ar…

0303 health sciences03 medical and health sciencesComputer science0202 electrical engineering electronic engineering information engineeringOperating system020206 networking & telecommunicationsHypervisor02 engineering and technologycomputer.software_genrecomputer030304 developmental biology
researchProduct

Hypervisor-based Protection of Code

2019

The code of a compiled program is susceptible to reverse-engineering attacks on the algorithms and the business logic that are contained within the code. The main existing countermeasure to reverse-engineering is obfuscation. Generally, obfuscation methods suffer from two main deficiencies: 1) the obfuscated code is less efficient than the original and 2) with sufficient effort, the original code may be reconstructed. We propose a method that is based on cryptography and virtualization. The most valuable functions are encrypted and remain inaccessible even during their execution, thus preventing their reconstruction. A specially crafted hypervisor is responsible for decryption, execution, a…

Computer Networks and CommunicationsComputer science0211 other engineering and technologiesCryptography02 engineering and technologysecurityComputer securitycomputer.software_genreEncryptionkryptografiaObfuscationCode (cryptography)tietoturvavirtual machine monitorsSafety Risk Reliability and QualitySystem bustrusted platform moduleta113021110 strategic defence & security studiescode protectioncryptographybusiness.industryHypervisorVirtualizationObfuscation (software)businesscomputerIEEE Transactions on Information Forensics and Security
researchProduct

Hypervisor-assisted dynamic malware analysis

2021

AbstractMalware analysis is a task of utmost importance in cyber-security. Two approaches exist for malware analysis: static and dynamic. Modern malware uses an abundance of techniques to evade both dynamic and static analysis tools. Current dynamic analysis solutions either make modifications to the running malware or use a higher privilege component that does the actual analysis. The former can be easily detected by sophisticated malware while the latter often induces a significant performance overhead. We propose a method that performs malware analysis within the context of the OS itself. Furthermore, the analysis component is camouflaged by a hypervisor, which makes it completely transp…

Computer engineering. Computer hardwareSoftware_OPERATINGSYSTEMSvirtualisointiComputer Networks and CommunicationsComputer scienceContext (language use)Static program analysiscomputer.software_genreTK7885-7895Artificial IntelligenceComponent (UML)Overhead (computing)tietoturvaMalware analysiskyberturvallisuusbusiness.industryHypervisorQA75.5-76.95haittaohjelmatComputingMilieux_MANAGEMENTOFCOMPUTINGANDINFORMATIONSYSTEMSTask (computing)Electronic computers. Computer scienceEmbedded systemMalwarebusinesscomputerSoftwareInformation SystemsCybersecurity
researchProduct

Nanovised Control Flow Attestation

2022

This paper presents an improvement of control flow attestation (C-FLAT) for Linux. C-FLAT is a control attestation system for embedded devices. It was implemented as a software executing in ARM’s TrustZone on bare-metal devices. We extend the design and implementation of C-FLAT through the use of a type 2 Nanovisor in the Linux operating system. We call our improved system “C-FLAT Linux”. Compared to the original C-FLAT, C-FLAT Linux reduces processing overheads and is able to detect the SlowLoris attack. We describe the architecture of C-FLAT Linux and provide extensive measurements of its performance in benchmarks and real-world scenarios. In addition, we demonstrate the…

Fluid Flow and Transfer ProcessespääsynvalvontaSoftware_OPERATINGSYSTEMSvirtualisointiProcess Chemistry and TechnologyLinuxhypervisor; ARM; Linux; control flow; SlowLoris; TrustZoneSlowLorisGeneral EngineeringTrustZonecontrol flowComputer Science ApplicationsARMGeneral Materials SciencehypervisortietoturvaInstrumentationApplied Sciences; Volume 12; Issue 5; Pages: 2669
researchProduct

Hypervisor memory acquisition for ARM

2021

Abstract Cyber forensics use memory acquisition in advanced forensics and malware analysis. We propose a hypervisor based memory acquisition tool. Our implementation extends the volatility memory forensics framework by reducing the processor's consumption, solves the in-coherency problem in the memory snapshots and mitigates the pressure of the acquisition on the network and the disk. We provide benchmarks and evaluation.

Hardware_MEMORYSTRUCTURESComputer scienceHypervisorcomputer.software_genreMemory forensicsComputer Science ApplicationsPathology and Forensic MedicineMedical Laboratory TechnologyData_FILESOperating systemMemory acquisitionVolatility (finance)Malware analysisLawcomputerInformation SystemsForensic Science International: Digital Investigation
researchProduct

Protection against reverse engineering in ARM

2020

With the advent of the mobile industry, we face new security challenges. ARM architecture is deployed in most mobile phones, homeland security, IoT, autonomous cars and other industries, providing a hypervisor API (via virtualization extension technology). To research the applicability of this virtualization technology for security in this platform is an interesting endeavor. The hypervisor API is an addition available for some ARMv7-a and is available with any ARMv8-a processor. Some ARM platforms also offer TrustZone, which is a separate exception level designed for trusted computing. However, TrustZone may not be available to engineers as some vendors lock it. We present a method of appl…

IoTmobiililaitteetARMtakaisinmallinnusesineiden internetsecuritymobilelangaton tekniikkahypervisortietoturvamikroprosessorit
researchProduct

Hyplets - Multi Exception Level Kernel towards Linux RTOS

2018

This paper presents the concept of a Multi-Exception level operating system. We add a hypervisor awareness to the Linux kernel and execute code in hyp exception level. We do that through the use of Hyplets. Hyplets are an innovative way to code interrupt service routines under ARM. Hyplets provide high performance, security, running time predictability, an RPC mechanism and a possible solution for the priority inversion problem. Hyplets uses special features of ARM8va hypervisor memory architecture.

Priority inversionSoftware_OPERATINGSYSTEMSComputer scienceKernel (statistics)Memory architectureCode (cryptography)Operating systemHypervisorLinux kernelInterruptcomputer.software_genreReal-time operating systemcomputerProceedings of the 11th ACM International Systems and Storage Conference
researchProduct

Using Hypervisors to Overcome Structured Exception Handler Attacks

2019

Microsoft windows is a family of client and server operating systems that needs no introduction. Microsoft windows operating system family has a feature to handle exceptions by storing in the stack the address of an exception handler. This feature of Microsoft Windows operating system family is called SEH (Structured exception handlers). When using SEH the exception handler address is specifically located on the stack like the function return address. When an exception occurs the address acts as a trampoline and the EIP jumps to the SEH address. By overwriting the stack one can create a unique type of return oriented programming (ROP) exploit that force the instruction pointer to jump to a …

WindowshaittaohjelmatSEHapplication controlhypervisortietoturvarootkit
researchProduct