is known to be harder to detect hardware virtualization, malware is unlikely
to go to great lengths to detect and avoid a hardware virtualization platform if
doing so exposes it to malware detectors.
Several research projects utilize hardware virtualization. KVM [36] uses
kernel modules to create a hypervisor on top of Linux, but it is based on
QEMU's I/O model, which is known to be detectable [37, 17]. A recent work
by Dinaburg et al., Ether [14], is perhaps the project most closely related to
ours. Ether makes use of Xen HVM and its support for Intel VT hardware
virtualization technology for malware analysis. Intel VT, however, did not
support nested paging and DMA protection at the time this project was
implemented. This is the reason why we decided to use AMD SVM instead of
Intel VT. Using Xen makes it much easier to develop Ether, since the
analyzer does not have to worry about boot-strapping itself and the guest OS,
protecting its integrity, retrieving analysis data, and so on. But this benefit
comes at the cost of having a huge TCB. Ether's trusted computing base
includes Xen and an additional domain0 OS with many unnecessary
functionalities. As we will show in this thesis, general purpose VMMs are not
appropriate for malware analysis. We, on the other hand, use a lightweight
and customized VMM which is specially designed for this purpose.
Another interesting line of work uses a thin hypervisor layer to
enforce guest security policies [38], to help reduce the TCB size of guest
applications [39], or to implement a low-level rootkit and hide its malicious
behaviours [12]. Our work also focuses on separating functionalities and
keeping the TCB to a minimum, but we target a different application which presents a
different set of technical challenges.