BEGIN:VCALENDAR
PRODID:-//Mercury//HGEvent//EN
VERSION:2.0
METHOD:PUBLISH
BEGIN:VEVENT
STATUS:CONFIRMED
LAST-MODIFIED:20130521T071506
PRIORITY:0
CLASS:PUBLIC
UID:ATEvent-eed436ece7e23bbcfe0d4623c4969225
SUMMARY:Defense of Dissertation: Martim Carbone
DESCRIPTION:Ph.D. Defense of Dissertation Announcement\n\nTitle: Semantic View Re-creation for the Secure Monitoring of Virtual Machines\n\nMartim Carbone\nSchool of Computer Science\nCollege of Computing\nGeorgia Institute of Technology\n\nDate: Wednesday\, June 13th\, 2012\nTime: 2:00 PM - 4:00 PM\nLocation: Klaus 3126 (GTISC War Room)\n\nCommittee:\n
 Prof. Wenke Lee\, School of Computer Science (Advisor)\nProf. Mustaque Ahamad\, School of Computer Science\nProf. Jonathon Giffin\, School of Computer Science\nProf. Karsten Schwan\, School of Computer Science\nDr. Weidong Cui\, Microsoft Research\n\n
 Abstract:\nVirtual Machine Introspection (VMI) leverages the isolation provided by virtualization to separate security monitoring applications from an untrusted monitored OS\, placing each inside a distinct virtual machine. Despite its security benefits\, significant challenges are associated with this type of monitoring. The most significant relates to the level of access to the guest VM (GVM) state that the hypervisor provides to the monitoring application. As a low-level resource manager\, the hypervisor knows nothing of the internal semantics of the guest OS state. All it sees are memory pages\, CPU registers\, instruction executions\, interrupts and memory exceptions: data at a level too low to be useful to a security application such as an anti-virus tool. This problem is known as the semantic gap. This thesis proposes and investigates novel techniques to overcome the semantic gap\, advancing the state of the art in syntactic and semantic guest-view re-creation for security applications that conduct passive and active out-of-VM monitoring of operating systems. It makes three contributions.\n\n
 First\, we present a passive out-of-VM memory analysis technique for reconstructing a syntactic view of the guest OS’s heap state. By applying a combination of offline static source code analysis and dynamic memory matching techniques\, our KOP system is able to reconstruct a map of the guest OS’s dynamic kernel objects with near-complete coverage and accuracy. The completeness of our analysis translates into stronger monitoring capabilities for security applications.\n\n
 Second\, we present a novel passive monitoring technique that combines the security of out-of-VM monitoring with the robustness of in-VM monitoring. Our infrastructure\, SYRINGE\, securely leverages the guest OS’s own code to collect guest information at a high abstraction level\, effectively bypassing the semantic gap. It allows the application to extract high-level semantic information from the guest without having to worry about the low-level structure of the monitored OS.\n\n
 Our third contribution is in the context of active monitoring. To overcome the semantic gap\, traditional virtualization-based active monitoring techniques compromise by relying on code execution hooks\, which are easily circumvented by malware. We propose DARP\, an active monitoring infrastructure based on a new event interception primitive: data access hooks. The key idea behind this primitive is to intercept and infer high-level OS events by monitoring activity at the level of dynamic kernel objects. It makes the task of hook circumvention considerably harder while still providing the foundation necessary for high-level event inference.\n
DTSTART:20120613T140000
DTEND:20120613T160000
CREATED:20121220T161512
DTSTAMP:20121220T161512
SEQUENCE:0
LOCATION:Klaus 3126 (GTISC War Room)
END:VEVENT
END:VCALENDAR
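The abstract above describes the semantic gap (a hypervisor sees raw pages, not kernel objects) and the two passive ways of closing it: walking the guest's own data structures once their layout is known, and KOP-style memory matching that finds objects by their shape rather than by reachability. The following Python is an added example illustrating that contrast; it is not code from the dissertation or from KOP, SYRINGE or DARP. Everything in it is constructed: the 32-byte object layout, the MAGIC type tag (a stand-in for a real type signature), the KERNEL_BASE identity mapping, the sample process names and the decoy record. It builds a fake guest memory image with one process unlinked from the list in the way a DKOM rootkit would hide it, then shows that the list walk misses it while a validated signature scan of the whole image still recovers it.

```python
import struct

# --- constructed guest layout: an assumption for this example, not any real kernel's ---
PAGE = 0x1000
MEM_SIZE = 2 * PAGE
KERNEL_BASE = 0xFFFF880000000000    # assumed: guest kernel VA == KERNEL_BASE + offset in image
OBJ_FMT = "<IIQ16s"                 # magic, pid, next (guest VA of next object), comm
OBJ_SIZE = struct.calcsize(OBJ_FMT) # 32 bytes
MAGIC = 0x5F54534B                  # constructed type tag standing in for a KOP-style signature
MAX_PID = 1 << 16

PROCS = [(1, "init"), (42, "sshd"), (1337, "rootkit"), (77, "bash")]  # constructed sample


def va_to_off(va):
    """Translate a guest virtual address to an offset in the image; reject anything unmapped."""
    off = va - KERNEL_BASE
    if not 0 <= off <= MEM_SIZE - OBJ_SIZE:
        raise ValueError("guest VA 0x%x is outside the mapped image" % va)
    return off


def off_to_va(off):
    return KERNEL_BASE + off


def build_guest_memory(procs, hidden_pid=None):
    """Constructed guest memory: a circular list of process objects at scattered offsets.
    If hidden_pid is given, that object is unlinked from the list (DKOM-style hiding)
    but its bytes stay in memory. Returns (image, VA of the list head)."""
    mem = bytearray(MEM_SIZE)
    offs = [0x100, 0x340, 0x800, 0x1230][:len(procs)]   # supports up to four sample objects
    linked = [(o, p) for o, p in zip(offs, procs) if p[0] != hidden_pid]
    for i, (o, (pid, comm)) in enumerate(linked):
        nxt = off_to_va(linked[(i + 1) % len(linked)][0])
        mem[o:o + OBJ_SIZE] = struct.pack(OBJ_FMT, MAGIC, pid, nxt, comm.encode())
    for o, (pid, comm) in zip(offs, procs):
        if pid == hidden_pid:   # unlinked object: still a well-formed record, points at itself
            mem[o:o + OBJ_SIZE] = struct.pack(OBJ_FMT, MAGIC, pid, off_to_va(o), comm.encode())
    # decoy: the tag survives in a freed region, but its next pointer is not a kernel address
    mem[0x1A00:0x1A00 + OBJ_SIZE] = struct.pack(OBJ_FMT, MAGIC, 9, 0x41414141, b"junk")
    return mem, off_to_va(linked[0][0])


def walk_list(mem, head_va):
    """Reachability view: follow next pointers from the head, as an in-VM tool (or an
    out-of-VM monitor that knows the layout and the head address) would."""
    seen, out, va = set(), [], head_va
    while va not in seen:
        seen.add(va)
        magic, pid, nxt, comm = struct.unpack_from(OBJ_FMT, mem, va_to_off(va))
        if magic != MAGIC:
            raise ValueError("list corrupted at 0x%x" % va)
        out.append((pid, comm.rstrip(b"\0").decode()))
        va = nxt
    return out


def plausible(pid, nxt, comm):
    """Field-level constraints that turn a raw tag match into a credible object."""
    if not 0 < pid < MAX_PID:
        return False
    try:
        va_to_off(nxt)
    except ValueError:
        return False
    name = comm.rstrip(b"\0")
    padded = comm[len(name):] == b"\0" * (len(comm) - len(name))
    return bool(name) and padded and all(32 <= c < 127 for c in name)


def scan_signature(mem):
    """Memory-matching view: find every object by shape, regardless of whether it is linked."""
    out = []
    for off in range(0, MEM_SIZE - OBJ_SIZE + 1, 8):
        magic, pid, nxt, comm = struct.unpack_from(OBJ_FMT, mem, off)
        if magic == MAGIC and plausible(pid, nxt, comm):
            out.append((pid, comm.rstrip(b"\0").decode()))
    return out


def find_hidden(mem, head_va):
    """Objects present in memory but unreachable from the list: the cross-view difference."""
    return sorted({p for p, _ in scan_signature(mem)} - {p for p, _ in walk_list(mem, head_va)})


if __name__ == "__main__":
    image, head = build_guest_memory(PROCS, hidden_pid=1337)
    print("list walk :", walk_list(image, head))
    print("signature :", scan_signature(image))
    print("hidden    :", find_hidden(image, head))
```

The list walk returns only what the guest's own pointers reach, which is exactly what a rootkit that unlinks its object controls; the signature scan, constrained by field-level plausibility checks so the decoy record is rejected, recovers the unlinked object as well. That difference is the coverage argument the abstract makes for KOP-style matching over pointer traversal, in miniature.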
