基於虛擬機器內省記憶體檢測之虛擬化執行保護

Abstract

在雲端計算的時代中，虛擬化技術的出現不僅大大節省建設伺服器的成本，同時也給予資安研究者在系統安全上一個新的契機，他們利用虛擬機器來架設安全且獨立的環境進行惡意軟體的分析，大部分現有的VMI系統只提供對於instruction或system call等低階的系統資訊，這讓資安專家很難即時獲取虛擬機器內部高階執行的語意行為，此外VMI系統在進行側錄時常產生大量的系統負擔，導致執行效率低落。本論文所提出的VMI-based Malware Profiling System能對虛擬機器中執行的程式側錄下其呼叫的Windows API call以及API參數值與回傳值，以彌補VMI技術中的semantic gap問題，本系統不同以往採用強制觸發VMExit的方式進行側錄的行為，我們利用 VMI的方式將API Profiling的機制實作在guest mode中，在側錄時不觸發額外的VMExit，同時本系統能在不安裝任何driver或program的情況下，以最乾淨的guest OS進行惡意軟體行為的側錄，我們也設計in-memory logging的機制，大幅減少系統進行檔案IO讀寫的動作，從實驗數據中可以發現本論文設計的API Profiling機制帶來的系統負擔是非常的低。總體來說，本系統達到同時兼顧malware profiling system的Transparency與Performance兩大特性，並以VMI-based的方式來完成惡意軟體Windows API call的側錄。

The emergence of virtualization technology not only saves the cost of building servers in cloud computing but also provides a good instrumentation point for security experts to implement the profiling system. They use the virtual machine to build the secure and isolate environment for analyzing malwares. Many existing VMI systems only provide instruction or system call level execution sequence logging. But it is difficult for security experts to learn and grasp the high-level semantics of the runtime execution state of an application in guest VM. Moreover, most of the VMI systems incur huge overhead during profiling that results in low system performance. In this thesis, we proposed a novel VMI-based malware profiling system that profiles a target process running in VM with Windows API call parameters and return value to bridge the semantic gap. Our system leverages the VMI technique to implement the profiling mechanism in guest mode to avoid additional virtualization overhead (i.e., VMExit) whiling profiling. Our system also provides a clean VM with no modification and no additional driver installed to guest OS. In addition, we design a in-memory logging mechanism to reduce the overhead incurred from IO operations. The experiment results show that our system has the minimum system overhead while profiling a process in guest VM. Overall, our system achieves the properties of transparency and low performance and leverages VMI-based techniques to log the Windows API call.