Abstract:
Cryptography is becoming increasingly prevalent, and it appears in more and more contexts on both sides of the fence. It is used to protect data from unauthorized access, but it is also used by adversaries, often for botnet command and control (C&C), manual control of compromised hosts, and data exfiltration. Virtual Machine Introspection (VMI) is a mechanism by which the state of a virtual machine can be examined in real time (or near real time) from a vantage point outside the monitored VM, such as the hypervisor itself or another VM to which the hypervisor delegates VMI capability. Because the introspecting party reads guest memory and CPU state directly, cryptography inside the guest does not hide key material or buffered plaintext from it. This paper describes the results of a DARPA Cyber Fast Track project to develop a method that gives a hypervisor owner (e.g., a government or corporate enterprise, a cloud provider, or a honeynet operator) the ability to recover and inspect the plaintext of encrypted data and communication channels within its virtual machines.
Keywords:
cryptography; virtual machines; DARPA Cyber Fast Track project; VMI; botnet C&C; communication channels; manual control of compromised hosts; circumventing cryptography; data exfiltration; data protection; encrypted data plaintext; hypervisor owner; virtual machine introspection; virtualized environments; software