Popis: |
Virtual machine introspection (VMI) has grown into a number of novel security measures in recent years. Virtualized environments provide isolation, which gives way to better security. This paper presents an extension, WinWizard, of LibVMI that creates a VMI-based intrusion detection system (IDS) with emphasis on memory introspection. WinWizard is able to detect rootkits that attempts to hide processes from the administrator. Rootkits are able to subvert traditional virus scanning services because they are able to run at the kernel level. Rootkit detection becomes difficult because if the operating system has been subverted, especially at the kernel level, then it is difficult to find unauthorized changes to itself or its components. Most anti-viruses and other rootkit detectors that work on infected systems are usually only effective against rookits that have a defect in their hiding techniques. Rootkit detection through VMI is one way to effectively detect rookits. VMI detection tools will also be useful in industry. Industry is beginning to advance in its usage of cloud based workspaces. Examples of companies include Amazons Workspaces and Citrix XenDesktop. They offer remote desktops for small and medium sized businesses. These workspaces offer a fully managed cloud-based desktop experience where users can access their work resources from a variety of devices. Many universities and small businesses use services like these to reduce the number of IT staff and ease administration of a large number of desktops. As this field becomes more accessible, rootkits are going to drastically affect the performance and security of not only one users desktop, but on entire cloud infrastructures. The main way to detect a rootkit inside of these workspaces would be through virtual machine introspection. WinWinzard has demonstrated to be successful in detecting these types of rootkits, while causing little additional overhead to other virtual machines being hosted on the same hypervisor. |