[Ongoing Project] From Sept. 2015 to Aug. 2017 at the Institute of Information Science, Sinica, as a Postdoctoral Fellow under the supervision of Dr. Meng Chang Chen, with National Taiwan University and Ben-Gurion University of the Negev, Israel.
Motivation. Employing virtualization technology in cloud computing infrastructure changes the model of computing, as well as the way security is developed and deployed. The additional virtualization layer provides a good instrumentation point for security inspection of a virtual machine (VM) and of the target processes inside it, which was not possible on a physical machine before. Some research leverages the virtualization layer to provide better virtualization-aware (v-aware) security services.
Problem. Current v-aware security tools suffer from three main problems: the semantic gap, performance degradation, and a lack of high-level execution information. As a result, it is difficult for security professionals to observe, inspect, and detect the runtime execution of a VM in real time. Developing effective and practical malware detection, intrusion handling, security isolation, and intrusion prevention is not feasible without solving these three problems first.
Goal. Design and implement a hardware-assisted virtual machine introspection (VMI) based profiling system in a QEMU/KVM virtualization environment that can perform runtime execution introspection of a target (malware) process in a VM. The profile should contain the execution trace of the target process as a sequence of API calls, each with its parameter values and return value.
Applications. By applying different analysis methods to the profile, it can be used for on-line identification of attacks and anomalies in system behavior, including possible pre-crash, pre-failure, and pre-malfunction conditions.
- A hardware-assisted VMI based profiling system with transparency, high performance, and efficient logging, such that VM users do not experience noticeable performance degradation (less than 10% overhead).
- An open-source virtual machine introspection library for academic use.
- A malware profile database (500+ Windows malware) for academic use.
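To make concrete what "applying an analysis method to the profile" can look like, the following is an added example and not code from this project. It models a profile the way the Goal paragraph describes it (a sequence of API calls with parameter values and a return value), trains an n-gram model of API-call sequences on a few constructed benign profiles, and scores a new profile by the fraction of its n-grams never seen during training (a mismatch rate in the style of classic system-call sequence anomaly detection). The API names and argument values in the sample profiles are constructed for illustration; the `call`, `symbol`, `train`, `mismatch_rate` and `is_anomalous` helpers are hypothetical names, not an API of the project's library.

```python
"""Toy n-gram anomaly detector over an API-call profile (added example)."""
from collections import Counter
from dataclasses import dataclass
from typing import Any, Dict, Iterable, List, Tuple

PAGE_EXECUTE_READWRITE = 0x40  # Win32 memory protection constant


@dataclass(frozen=True)
class ApiCall:
    """One record of the profile: API name, parameters, return value."""
    name: str
    args: Tuple[Tuple[str, Any], ...] = ()
    ret: Any = None


def call(name: str, ret: Any = None, **args: Any) -> ApiCall:
    """Hypothetical helper to build a profile record from keyword parameters."""
    return ApiCall(name, tuple(sorted(args.items())), ret)


# Constructed benign training profiles: ordinary file I/O of a hypothetical process.
BENIGN_PROFILES: List[List[ApiCall]] = [
    [call("CreateFileW", 0x1C, lpFileName="C:\\data\\a.txt", dwDesiredAccess=0x80000000),
     call("ReadFile", True, hFile=0x1C, nNumberOfBytesToRead=4096),
     call("ReadFile", True, hFile=0x1C, nNumberOfBytesToRead=4096),
     call("CloseHandle", True, hObject=0x1C)],
    [call("CreateFileW", 0x20, lpFileName="C:\\data\\b.log", dwDesiredAccess=0x40000000),
     call("WriteFile", True, hFile=0x20, nNumberOfBytesToWrite=512),
     call("CloseHandle", True, hObject=0x20)],
    [call("CreateFileW", 0x24, lpFileName="C:\\data\\c.dat", dwDesiredAccess=0xC0000000),
     call("ReadFile", True, hFile=0x24, nNumberOfBytesToRead=1024),
     call("WriteFile", True, hFile=0x24, nNumberOfBytesToWrite=1024),
     call("CloseHandle", True, hObject=0x24)],
]

# Constructed suspect profile: a remote-thread injection sequence, never seen in training.
SUSPECT_PROFILE: List[ApiCall] = [
    call("OpenProcess", 0x30, dwProcessId=1234, dwDesiredAccess=0x1F0FFF),
    call("VirtualAllocEx", 0x7FF00000, hProcess=0x30, dwSize=0x1000, flProtect=PAGE_EXECUTE_READWRITE),
    call("WriteProcessMemory", True, hProcess=0x30, lpBaseAddress=0x7FF00000, nSize=0x1000),
    call("CreateRemoteThread", 0x34, hProcess=0x30, lpStartAddress=0x7FF00000),
    call("CloseHandle", True, hObject=0x34),
]


def symbol(c: ApiCall) -> str:
    """Abstract a record to an event symbol, using parameters and return value
    from the profile so that security-relevant variants become distinct events:
    an RWX allocation is its own symbol, and a BOOL API that returned FALSE too."""
    sym = c.name
    args = dict(c.args)
    if c.name in ("VirtualAlloc", "VirtualAllocEx") and args.get("flProtect") == PAGE_EXECUTE_READWRITE:
        sym += ":RWX"
    if c.ret is False:
        sym += ":fail"
    return sym


def ngrams(symbols: List[str], n: int) -> List[Tuple[str, ...]]:
    """All length-n windows over a symbol sequence."""
    return [tuple(symbols[i:i + n]) for i in range(len(symbols) - n + 1)]


def train(profiles: Iterable[List[ApiCall]], n: int = 2) -> Counter:
    """Learn the n-grams that occur in benign profiles (the normal behaviour model)."""
    model: Counter = Counter()
    for profile in profiles:
        model.update(ngrams([symbol(c) for c in profile], n))
    return model


def mismatch_rate(profile: List[ApiCall], model: Counter, n: int = 2) -> float:
    """Fraction of the profile's n-grams that the model has never seen."""
    grams = ngrams([symbol(c) for c in profile], n)
    if not grams:
        return 0.0
    unseen = sum(1 for g in grams if g not in model)
    return unseen / len(grams)


def is_anomalous(profile: List[ApiCall], model: Counter, n: int = 2, threshold: float = 0.5) -> bool:
    """Flag a profile whose mismatch rate reaches the threshold."""
    return mismatch_rate(profile, model, n) >= threshold


if __name__ == "__main__":
    model = train(BENIGN_PROFILES)
    print("suspect mismatch rate:", mismatch_rate(SUSPECT_PROFILE, model))
    print("suspect anomalous:", is_anomalous(SUSPECT_PROFILE, model))
```

The threshold and window size are deliberately simple; a real deployment over the profiles this project produces would calibrate them on a held-out benign set and would probably abstract parameters more aggressively (handle values, buffer sizes) so that benign variation does not register as novelty while flag-level differences such as executable memory protection still do.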