Hypervisor Support for Identifying Covertly Executing Binaries

Executive Summary

Hypervisors have been proposed as a security tool to defend against malware that subverts the OS kernel. However, hypervisors must deal with the semantic gap between the low-level information available to them (raw memory, page tables, CPU state) and the high-level OS abstractions (processes, loaded modules, binaries) they need for analysis. To bridge this gap, previous systems have relied on assumptions derived from the kernel source code or symbol information. Unfortunately, this information is nonbinding: rootkits are not obliged to uphold these assumptions and can escape detection by breaking them. In this paper, the authors introduce Patagonix, a hypervisor-based system that detects and identifies covertly executing binaries without making assumptions about the OS kernel.

  • Format: PDF
  • Size: 550.42 KB