Lightweight and purpose built hypervisor for malware analysis
Nguyen, Anh
Permalink
https://hdl.handle.net/2142/34375
Description
- Title: Lightweight and purpose built hypervisor for malware analysis
- Author(s): Nguyen, Anh
- Issue Date: 2012-09-18T21:13:58Z
- Director of Research (if dissertation) or Advisor (if thesis): King, Samuel T.
- Department of Study: Computer Science
- Discipline: Computer Science
- Degree Granting Institution: University of Illinois at Urbana-Champaign
- Degree Name: M.S.
- Degree Level: Thesis
- Keyword(s): hypervisor; virtual machine monitors (VMM); small; specialized; malware; analysis
- Abstract: Malicious software is rampant on the Internet and costs billions of dollars each year. Safe and thorough analysis of malware is key to protecting vulnerable systems and cleaning those that have already been infected. Most current state-of-the-art analysis platforms run alongside the malware, increasing their detectability. This reduces the value of analysis because some malware is known to behave differently when being analyzed. Virtualization offers a compelling platform for malware analysis, with strong isolation and the ability to save and restore guest state. Commodity virtual machine monitors (VMMs), however, are not designed for malware analysis. Due to their complexity, they often fail to provide transparency and even expose vulnerabilities which could be exploited by the malware running inside the guest system. We design and implement a lightweight VMM (namely MAVMM) that is created specifically for one job: malware analysis. MAVMM does not implement unnecessary virtualization features commonly found in general purpose hypervisors, including virtual device emulation. We take advantage of hardware virtualization support to make MAVMM simpler, more secure and more transparent. In this thesis, we describe the design and implementation of MAVMM, and the features that we can extract from programs running inside the guest OS. We evaluate our platform in three aspects: functionality, detectability and performance. We show that our system can extract useful information from malicious software, and that it is not susceptible to known virtualization detection techniques.
- Graduation Semester: 2012-08
- Permalink: http://hdl.handle.net/2142/34375
- Copyright and License Information: Copyright 2012 Anh M. Nguyen
Owning Collections
- Graduate Dissertations and Theses at Illinois (PRIMARY)
- Graduate Theses and Dissertations at Illinois
- Dissertations and Theses - Computer Science
- Dissertations and Theses from the Dept. of Computer Science