dc.identifier.uri: http://hdl.handle.net/11401/77283
dc.description.sponsorship: This work is sponsored by the Stony Brook University Graduate School in compliance with the requirements for completion of degree.
dc.format: Monograph
dc.format.medium: Electronic Resource
dc.language.iso: en_US
dc.publisher: The Graduate School, Stony Brook University: Stony Brook, NY.
dc.type: Dissertation
dcterms.abstract: Virtual Machine Introspection (VMI) is a new and important technique developed specifically for virtualized environments. VMI provides the ability to perform virtual machine (VM) monitoring by gathering VM run-time states from the hypervisor and analyzing those states to obtain information about a running operating system (OS) without installing an agent inside the VM. The agentless VMI approach has enabled the development of applications that combine the best of two worlds: efficient centralization and effective monitoring. VMI's primary drawback is the semantic gap problem. The semantic gap refers to the difficulty of interpreting the low-level run-time OS states obtained through VMI into a high-level model of the OS's state. We approached the problem through the creation of the real-time kernel data structure monitoring (RTKDSM) system. The RTKDSM system leverages the rich OS analysis capabilities of Volatility, an open source forensics framework, to simplify and automate analysis of the VM run-time states of Windows and Linux OSes. The RTKDSM system is designed as an extensible software framework, which can be extended by writing Volatility plugins to perform new VM analysis tasks. In addition, the RTKDSM system is built to perform real-time monitoring of the extracted OS states in guest VMs to detect changes made to these states. This feature is especially important for effective security monitoring of VMs. To improve the efficiency of the RTKDSM framework, we reduce the overhead of monitoring changes to guest OS states. The RTKDSM system is capable of supporting a wide range of VMI applications due to the RTKDSM framework's flexibility and extensibility. Leveraging the RTKDSM framework, VMI developers can easily create new VMI applications.
To demonstrate the practicality and effectiveness of the RTKDSM framework, we built three novel applications on top of the framework: (1) an inter-VM data flow tracking tool, (2) a VM lockdown tool that restricts the execution environment to running only approved user applications, and (3) a tool for detecting malicious attacks that manipulate the privileges of running processes. These systems are expected to contribute to enhanced system monitoring in virtual machine environments.
dcterms.available: 2017-09-20T16:52:20Z
dcterms.contributor: Chiueh, Tzi-cker
dcterms.contributor: Gao, Jie
dcterms.contributor: Stoller, Scott
dcterms.contributor: Murdoch, Steven
dcterms.creator: Hizver, Jennia
dcterms.dateAccepted: 2017-09-20T16:52:20Z
dcterms.dateSubmitted: 2017-09-20T16:52:20Z
dcterms.description: Department of Computer Science.
dcterms.extent: 182 pg.
dcterms.format: Application/PDF
dcterms.format: Monograph
dcterms.identifier: http://hdl.handle.net/11401/77283
dcterms.issued: 2015-08-01
dcterms.language: en_US
dcterms.provenance: Made available in DSpace on 2017-09-20T16:52:20Z (GMT). No. of bitstreams: 1 Hizver_grad.sunysb_0771E_11445.pdf: 1298700 bytes, checksum: fe062dfebbea7fe42d76d71d46636a79 (MD5) Previous issue date: 2013
dcterms.publisher: The Graduate School, Stony Brook University: Stony Brook, NY.
dcterms.subject: Computer science
dcterms.title: Run-Time Deep Virtual Machine Introspection and Its Applications
dcterms.type: Dissertation