Date Added: Jun 2009
Semantics-driven monitoring discovers attacks against a process by evaluating invariants on the process state. To increase the robustness and the transparency of semantics-driven monitoring, the proposed approach introduces two Virtual Machines (VMs) running on the same platform. One VM runs the monitored process, i.e. the process to be protected, while the other evaluates invariants on the process state each time the process invokes a system call. Invariant evaluation relies on an Introspection Library that enables the monitoring VM to access the memory and the processor registers of the monitored VM.