Files in this item

FilesDescriptionFormat

application/pdf

application/pdfNguyen_Anh.pdf (235kB)
(no description provided)PDF

Description

Title:Lightweight and purpose built hypervisor for malware analysis
Author(s):Nguyen, Anh
Advisor(s):King, Samuel T.
Department / Program:Computer Science
Discipline:Computer Science
Degree Granting Institution:University of Illinois at Urbana-Champaign
Degree:M.S.
Genre:Thesis
Subject(s):hypervisor
virtual machine monitors (VMM)
small
specialized
malware
analysis
Abstract:Malicious software is rampant on the Internet and costs billions of dollars each year. Safe and thorough analysis of malware is key to protecting vulnerable systems and cleaning those that have already been infected. Most current state-of-the-art analysis platforms run alongside the malware, increasing their detectability. This reduces the value of analysis because some malware is known to behave differently when being analyzed. Virtualization offers a compelling platform for malware analysis, with strong isolation and the ability to save and restore guest state. Commodity virtual machine monitors (VMMs), however, are not designed for malware analysis. Due to their complexity, they often fail to provide transparency and even expose vulnerabilities which could be exploited by the malware running inside guest system. We design and implement a lightweight VMM (namely MAVMM) that is created specially for one job: malware analysis. MAVMM does not implement unnecessary virtualization features commonly found in general purpose hypervisors, including virtual device emulation. We take advantage of hardware virtualization support to make MAVMM more simple, secure and transparent. In this thesis, we describe the design and implementation of MAVMM, and the features that we can extract from programs running inside the guest OS. We evaluate our platform in three aspects: functionality, detectability and performance. We show that our system can extract useful information from malicious software, and that it is not susceptible to known virtualization detection techniques.
Issue Date:2012-09-18
URI:http://hdl.handle.net/2142/34375
Rights Information:Copyright 2012 Anh M. Nguyen
Date Available in IDEALS:2012-09-18
Date Deposited:2012-08


This item appears in the following Collection(s)

Item Statistics