HyBIS: Advanced Introspection for Effective Windows Guest Protection

  • Roberto Di Pietro
  • Federico Franzoni
  • Flavio Lombardi
Conference paper
Part of the IFIP Advances in Information and Communication Technology book series (IFIPAICT, volume 502)


Effectively protecting the Windows™ OS is a challenging task, since most implementation details are not publicly known. The Windows OS has always been the main target of malware that has exploited numerous bugs and vulnerabilities exposed by its implementations. Recent trusted boot and additional integrity checks have rendered the Windows OS less vulnerable to kernel-level rootkits. Nevertheless, guest Windows Virtual Machines are becoming an increasingly interesting attack target. In this work we introduce and analyze a novel Hypervisor-Based Introspection System (HyBIS) we developed for protecting Windows OSes from malware and rootkits. The HyBIS architecture is motivated and detailed, while targeted experimental results show its effectiveness. Comparison with related work highlights the main HyBIS advantages, such as effective semantic introspection, support for 64-bit architectures and for recent Windows versions (\(\ge \) Windows 7), and advanced malware disabling capabilities. We believe the research effort reported here will pave the way to further advances in the security of Windows™ OSes.


Virtual Machine, Forensic Analysis, Memory Content, Virtual Machine Monitor, Memory Acquisition
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.



Copyright information

© IFIP International Federation for Information Processing 2017

Authors and Affiliations

  • Roberto Di Pietro (1, 2)
  • Federico Franzoni (3)
  • Flavio Lombardi (4)

  1. Nokia Bell Labs, Paris-Saclay, Paris, France
  2. Maths Dept., Università di Padova, Padova, Italy
  3. Pompeu Fabra University, Barcelona, Spain
  4. IAC-CNR, Rome, Italy
