Cory Hayes
CSE 60641
Annotated Bibliography
September 20, 2011

Intended Project: Detecting Virtual Machines via In-Band Mechanisms

[1] (Journal Paper) Laureano M., Maziero C., Jamhour E. (2004) Intrusion Detection in Virtual Machine Environments. Euromicro Conference, 2004. Proceedings 30th, pp. 520-525.
This paper describes the use of virtual machines in an attempt to improve the security of the host system against attacks over networks. The authors achieve this by observing process actions with an intrusion detection system run from the virtual machine monitor. This paper could be useful because it discusses ways to interact with the guest system and sniff out potentially dangerous processes, so this analysis could probably be applied to determining the sources of calls over the network.

[2] (Journal Paper) Sundararaj A., Dinda P. (2004) Towards Virtual Networks for Virtual Machine Grid Computing. VM'04 Proceedings of the 3rd Conference on Virtual Machine Research and Technology Symposium, Vol. 3.
In this paper, the authors discuss the development of a network tool that connects a virtual machine to the user's home network, and they test its performance over both WAN and LAN. By allowing the machines to dynamically change routing protocols, they combine to form a virtual network that can adapt to traffic loads. The usefulness of this paper is not entirely clear, but its focus on combining virtual machines with a computer network could be useful.

[3] (Unrefereed Paper) Jayaram M., Cytron R. (1995) Efficient Demultiplexing of Network Packets by Automatic Parsing. University of Arizona.
The authors of this paper focused on packet filter specifications. These specifications are approached as language recognition problems, with grammar rules corresponding to packets that should pass through a filter. This paper acknowledges existing parsing methods and attempts to reduce their overhead. The filtering described in this paper could be useful when determining whether the source of a packet over a network is a physical or a virtual machine.

[4] (Journal Paper) Chen P., Noble B. (2001) When Virtual is Better than Real. HOTOS '01 Proceedings of the Eighth Workshop on Hot Topics in Operating Systems.
This paper focuses on three services that take advantage of using a virtual machine over a physical one. These services are secure logging, intrusion prevention and detection, and environment migration. The basic reasoning behind this is that since the virtual machine exists in a layer of software, these services can be modified and maintained more easily than doing so in the hardware layer. Aside from the intrusion detection mentioned by other papers, this paper also describes the system keeping track of events, which could be applicable for determining properties of a remote source.

[5] (Magazine Article) Clark D., Jacobson V., Romkey J., Salwen H. (1989) An Analysis of TCP Processing Overhead. IEEE Communications Magazine.
The point of this paper is to locate the source of the overhead associated with the TCP/IP transport protocol. This is analyzed using both input and output processing as well as header prediction. The authors found that much of the overhead was a result of processing control parameters. This paper is useful because it discusses the overhead associated with TCP and will be helpful in making sure that whatever system we implement in this project does not have an unreasonable amount of overhead, since it will inherently make use of IP.

[6] (Journal Paper) Bellovin S. (1989) Security Problems in the TCP/IP Protocol Suite. ACM SIGCOMM Computer Communication Review, Vol. 19 Issue 2.
This paper points out the security flaws of TCP and the attacks that target these flaws. The author also provides countermeasures for each of the attacks. The usefulness of this paper is not entirely clear, but it would not hurt to know the weaknesses of the protocol that will most likely be used in this project.

[7] (Journal Paper) Travostino F. et al. (2006) Seamless Live Migration of Virtual Machines over the MAN/WAN. Future Generation Computer Systems, iGrid 2005: The Global Lambda Integrated Facility, Vol. 22 Issue 8.
Virtual machines are taken to the next level in this paper: instead of existing on a single machine, computations are moved over local area and wide area networks with minimal lag and overhead. Their approach uses a "VM Turntable" to demonstrate the ability to migrate virtual machines in a manner transparent to applications and users. The methods used to minimize the overhead of virtual machines over networks could be applicable to this project.

[8] (Journal Paper) Haldar V., Chandra D., Franz M. (2004) Semantic Remote Attestation: A Virtual Machine Directed Approach to Trusted Computing. VM'04 Proceedings of the 3rd Conference on Virtual Machine Research and Technology Symposium, Vol. 3.
Remote attestation allows outside parties to detect changes on a host machine. The authors of this paper propose semantic remote attestation, in which they use language-based virtual machines to perform remote attestation. They implement a prototype of this framework and evaluate applications on peer-to-peer and distributed networks. The attestation itself may not be of much use, but the discussion and analysis of virtual machines communicating with remote hosts could be helpful.

[9] (Journal Paper) Whitaker A., Shaw M., Gribble S. (2002) Denali: Lightweight Virtual Machines for Distributed and Networked Applications. In Proceedings of the USENIX Annual Technical Conference.
Denali is a virtual machine monitor designed to execute numerous server applications on a single machine. Denali is special in that it uses paravirtualization, in which it modifies the virtual architecture. Once again, the usefulness of this paper is not clear, but the paper goes very in-depth on topics regarding control flow and TCP/IP performance.

[10] (Journal Paper) Garfinkel T., Rosenblum M. (2003) A Virtual Machine Introspection Based Architecture for Intrusion Detection. In Proc. Network and Distributed Systems Security Symposium.
This paper focuses on using virtual machines during intrusion detection on the host machine. The weaknesses of this approach are also discussed. The authors evaluated a system they built and claimed it to be practical and feasible. This paper could be useful because it discusses inspecting a virtual machine from the outside, which could be applied to this project since we are attempting to inspect the behavior of a virtual machine on a remote host.

[11] (Journal Article) Ansari S., Rajeev S., Chandrashekar H. (2003) Packet Sniffing: A Brief Introduction. IEEE Potentials, Vol. 21 Issue 5, pp. 17-19.
This short paper gives a quick primer on packet sniffing, which is the method of inspecting data as it flows across a network. The authors provide a walkthrough for building a Linux packet sniffer and also address the weaknesses of packet sniffing. This paper will be useful since we will have to inspect packets on the network in this project and may have to develop a tool to intercept them.

[12] (Journal Article) Clark D. (1988) The Design Philosophy of the DARPA Internet Protocols. SIGCOMM '88 Symposium Proceedings on Communications Architectures and Protocols.
This paper explains the reasoning that led to the design of the Internet protocols. The paper discusses the primary and secondary goals of the protocols, scalability, types of service, variety of networks, and architecture. A better understanding of the Internet protocols and why they were designed that way is necessary for this project, so this paper will probably be a big contributor to it.

[13] (Journal Article) Sockut G. (1975) Firmware/Hardware Support for Operating Systems: Principles and Selected History. ACM SIGMICRO Newsletter, Vol. 6 Issue 4.
This paper is a survey of firmware and hardware support for operating systems. The survey covers current and past research in both virtual and non-virtual machines. This is a dated paper that will most likely be referenced only in the introduction section of the project report.

[14] (Journal Paper) King S., Dunlap G., Chen P. (2003) Operating System Support for Virtual Machines. ATEC '03 Proceedings of the USENIX Annual Technical Conference.
This paper is mostly an introduction to virtual machines and virtual machine monitors. The authors focus on Type II virtual machines and reducing the associated overhead. The paper could be useful since it discusses reducing overhead, but it will most likely just be used as a reference in the introduction or background section of the project report.

[15] (Journal Paper) King S., Chen P. (2006) SubVirt: Implementing Malware with Virtual Machines. IEEE Symposium on Security and Privacy, pp. 327.
A virtual machine based rootkit (VMBR) is a type of malware that gains control over a system by installing a virtual machine monitor and then placing the host operating system inside a virtual machine. The authors implement two VMBRs, attack a Windows XP and a Linux system, and conclude the paper by discussing ways to defend against these attacks. Also covered are ways to detect VMBRs and to prevent them in the first place. This paper is useful because it acknowledges how hard it is to detect these rootkits and defend against them, so it could be directly applicable to this project, where we are trying to detect whether the source of a connection over a network is a virtual machine.

[16] (Journal Paper) Schmidt A., Campbell R. (1993) Internet Protocol Traffic Analysis with Applications for ATM Switch Design. ACM SIGCOMM Computer Communications Review, Vol. 23 Issue 2.
The motivation behind this paper is that knowing data traffic behavior is important in the design of virtual circuit packet switches. The authors focus on the behavior of wide and local area networks. Data traffic behavior affects buffer allocation, the design of the adaptation layer, and congestion control. This paper could be useful because we may need to analyze data traffic behavior to determine the source of packets over a network, by seeing whether the traffic differs between a physical machine and a virtual machine.

[17] (Journal Paper) Kourai K., Chiba S. (2005) HyperSpector: Virtual Distributed Monitoring Environments for Secure Intrusion Detection. Proceedings of the 1st ACM/USENIX International Conference on Virtual Execution Environments.
HyperSpector is a virtual monitoring environment that provides secure intrusion detection over distributed systems. HyperSpector is able to prevent attacks by isolating its detection systems, in a manner similar to how a local virtual machine monitor isolates its detection systems from the physical machine. This paper also includes methods for evaluating overhead and the integrity of the file systems. The research topic of this paper may not be directly useful, but the methods used to monitor and decipher incoming data to determine whether a threat exists could be.

[18] (Journal Paper) Popek G., Goldberg R. (1973) Formal Requirements for Virtualizable Third Generation Architectures. SOSP '73 Proceedings of the 4th ACM Symposium on Operating System Principles.
This paper is a primer on virtual machines. Operating system concepts such as traps, privileged instructions, and virtual machine monitors are also discussed. The machines in focus are "third generation" models like the IBM 360, Honeywell 6000, and DEC PDP-10. As a dated paper from the 1970s, this will most likely be used as a reference for the introduction or background of the project report.

[19] (Unrefereed Paper) Liston T., Skoudis E. (2006) On the Cutting Edge: Thwarting Virtual Machine Detection.
This is a presentation discussing malicious attackers trying to determine the presence of a virtual machine across a network. Virtual machines are useful in preventing typical attacks on physical systems by monitoring potential threats, so the goal of the attacker is to determine whether a virtual machine is being used and to try to remain hidden. The presentation discusses detection on both local and remote systems. It is directly related to the research topic, and the tips and guidelines provided should be very helpful.

[20] (Journal Paper) Garfinkel T., Rosenblum M. (2005) When Virtual is Harder than Real: Security Challenges in Virtual Machine Based Computing Environments. HOTOS '05 Proceedings of the 10th Conference on Hot Topics in Operating Systems, Vol. 10.
This paper focuses on the security problems facing virtual machines. Virtual machines have been thought to be more advantageous than physical machines, as mentioned in other papers in this bibliography, but the authors argue that this is not always true, since virtualization can lead to unpredictable interactions with security mechanisms on the physical machine. This paper provides no experimental results and only discusses various problems, but it is useful for getting a better understanding of the system that will be implemented in the project.

[21] (Journal Paper) Mallach E. (1973) On the Relationship Between Virtual Machines and Emulators. Proceedings of the Workshop on Virtual Computer Systems.
This is an early virtualization paper discussing the similarities between virtual machines and emulators. While emulators operate under software packages, virtual machines operate under virtual machine monitors. The main point of the paper is to show that it is possible to combine virtual machines and emulators in one system; other than that, they are essentially the same. This paper will probably be most useful as a reference for the introduction of the project report.

[22] (Journal Paper) Gueron S., Seifert J.P. (2009) On the Impossibility of Detecting Virtual Machine Monitors. In Proceedings of SEC'09, Vol. 297, pp. 143-151.
According to this paper, it is not possible to determine whether a program is running in a virtualized environment under a classical virtual machine model. The paper is essentially a sequence of theorems and proofs. However, the authors acknowledge that virtual machines in use are not perfect and that there exist vulnerabilities that lead to information leaks. This probably means that it is possible to determine whether a program is running in a virtualized environment as long as these systems remain imperfect and exploitable.

[23] (Journal Paper) Jones S., Arpaci-Dusseau A., Arpaci-Dusseau R. (2006) Antfarm: Tracking Processes in a Virtual Machine Environment. USENIX 2006 Annual Technical Conference Technical Program.
This paper discusses bridging the gap between the VMM layer and the native OS layer by allowing the VMM to track the activities of operating system processes. The implementation of their technique is called Antfarm. The authors were able to use Antfarm in two virtualization environments and on two operating systems, and achieved promising results with very little overhead. Even though this article goes in the reverse direction of our intended experiment, it is possible that some of the techniques used could be applicable to the project.

[24] (Journal Paper) Santos J., Turner Y. (2008) Bridging the Gap between Software and Hardware Techniques for I/O Virtualization. ATC'08 USENIX 2008 Annual Technical Conference.
This paper explores the paravirtualization model that is popularly known for its use in Xen. One of its drawbacks, though, is that device driver isolation and other virtualization features come at the price of high overhead. The authors therefore propose a direct I/O method that leads to a 56% reduction in cost for network interface controllers. The research results in this paper may not be useful for the intended project, but it may be a good idea to have a relatively solid background in paravirtualization just in case.

[25] (Journal Paper) Paleari R., Martignoni L., Bruschi D. (2009) A Fistful of Red-Pills: How to Automatically Generate Procedures to Detect CPU Emulators. WOOT'09 Proceedings of the 3rd USENIX Conference on Offensive Technologies.
Malware faces a problem when dealing with virtual environments, since it can be analyzed on a system isolated from the target machine using the inherent isolation provided by virtual machine monitors. In order to survive, malware performs a series of checks to determine whether it is in a virtual environment and modifies its behavior accordingly. The authors refer to these tests and checks as red-pills and implement a method that allows a program to automatically determine whether it is in a physical or a virtual environment. The environments used for testing are the QEMU and BOCHS CPU emulators, and the authors were able to discover red-pills for detecting both. This paper will probably be one of the more useful ones for this project, since it directly addresses the main problem.