Title :
A VMM-Based System Call Interposition Framework for Program Monitoring
Author :
Li, Bo ; Li, Jianxin ; Wo, Tianyu ; Hu, Chunming ; Zhong, Liang
Author_Institution :
Sch. of Comput. Sci. & Eng., Beihang Univ., Beijing, China
Abstract :
System call interposition is a powerful method for regulating and monitoring program behavior. A wide variety of security tools have been developed which use this technique. However, traditional system call interposition techniques are vulnerable to kernel attacks and have some limitations on effectiveness and transparency. In this paper, we propose a novel approach named VSyscall, which leverages virtualization technology to enable system call interposition outside the operating system. A system call correlating method is proposed to identify the coherent system calls belonging to the same process from the system call sequence. We have developed a prototype of VSyscall and implemented it in two mainstream virtual machine monitors, Qemu and KVM, respectively. We also evaluate the effectiveness and performance overhead of our approach by comprehensive experiments. The results show that VSyscall achieves effectiveness with a small overhead, and our experiments with six real-world applications indicate its practicality.
Keywords :
operating system kernels; security of data; system monitoring; virtual machines; VMM-based system call interposition; VSyscall; kernel attack; operating system; program behavior monitoring; security tool; system call correlating method; system call sequence; virtual machine monitor; virtualization technology; VMM; program monitoring; system call interposition; virtualization;
Conference_Title :
Parallel and Distributed Systems (ICPADS), 2010 IEEE 16th International Conference on
Conference_Location :
Shanghai
Print_ISBN :
978-1-4244-9727-0
Electronic_ISBN :
1521-9097
DOI :
10.1109/ICPADS.2010.53