X-TIER: Kernel Module Injection

Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 7873)


In spite of the fact that security applications can greatly benefit from virtualization, hypervisor-based security solutions remain sparse. The main cause for this is the semantic gap, which makes the development of hypervisor-based security applications cumbersome, error-prone, and time-consuming. In this paper, we present X-TIER, a framework that enables hypervisor-based security applications to bridge the semantic gap by injecting kernel modules from the outside into a running virtual machine (VM). While previous approaches bridge the semantic gap by reading kernel objects from memory, X-TIER goes beyond such work and allows the injected code to manipulate the guest operating system (OS) state and even call kernel functions without sacrificing the overall security. We have implemented a prototype of X-TIER on the x86 architecture that supports module injection for Windows and Linux guests. The evaluation of our system shows that kernel module injection only incurs a very small performance overhead, leaves no traces within the guest system, and provides access to all exported guest OS data structures and functions. Consequently, the mechanism is well-suited for creating hypervisor-based security applications.


Security Virtual Machine Introspection Semantic Gap 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Carbone, M., Conover, M., Montague, B., Lee, W.: Secure and robust monitoring of virtual machines through guest-assisted introspection. In: Balzarotti, D., Stolfo, S.J., Cova, M. (eds.) RAID 2012. LNCS, vol. 7462, pp. 22–41. Springer, Heidelberg (2012)CrossRefGoogle Scholar
  2. 2.
    Carbone, M., Cui, W., Lu, L., Lee, W., Peinado, M., Jiang, X.: Mapping kernel objects to enable systematic integrity checking. In: Proc. of 16th ACM Conf. on Computer and Communications Security, pp. 555–565. ACM (2009)Google Scholar
  3. 3.
    Chen, P.M., Noble, B.D.: When virtual is better than real. In: Proc. of the 8th Workshop on Hot Topics in Operating Systems. IEEE (2001)Google Scholar
  4. 4.
    Chiueh, T., Conover, M., Lu, M., Montague, B.: Stealthy deployment and execution of in-guest kernel agents. In: BlackHat USA (2009)Google Scholar
  5. 5.
    Dolan-Gavitt, B., Leek, T., Zhivich, M., Giffin, J., Lee, W.: Virtuoso: Narrowing the semantic gap in virtual machine introspection. In: Proc. of Symp. on Sec. & Priv. IEEE (2011)Google Scholar
  6. 6.
    Dolan-Gavitt, B., Srivastava, A., Traynor, P., Giffin, J.: Robust signatures for kernel data structures. In: Proc. of Conf. on Comp. and Comm. Sec. ACM (2009)Google Scholar
  7. 7.
    Fu, Y., Lin, Z.: Space traveling across VM: Automatically bridging the semantic gap in virtual machine introspection via online kernel data redirection. In: Proc. of Symp. on Sec. & Priv. IEEE (2012)Google Scholar
  8. 8.
    Garfinkel, T., Rosenblum, M.: A virtual machine introspection based architecture for intrusion detection. In: Proc. of NDSS Symposium (2003)Google Scholar
  9. 9.
    Gu, Z., Deng, Z., Xu, D., Jiang, X.: Process implanting: A new active introspection framework for virtualization. In: Proc. of 30th SRDS. IEEE (2011)Google Scholar
  10. 10.
    Intel, Inc., Intel 64 and IA-32 Architectures Software Developer’s Manual (2011)Google Scholar
  11. 11.
    Jiang, X., Wang, X., Xu, D.: Stealthy malware detection and monitoring through VMM-based “out-of-the-box” semantic view reconstruction. ACM Trans. Inf. Syst. Secur. 13(2), 12:1–12:28 (2010)CrossRefGoogle Scholar
  12. 12.
    Payne, B.D., Carbone, M., Sharif, M., Lee, W.: Lares: An architecture for secure active monitoring using virtualization. In: Proc. of Sec. & Priv. IEEE (2008)Google Scholar
  13. 13.
    Pfoh, J., Schneider, C., Eckert, C.: A formal model for virtual machine introspection. In: Proc. of 2nd Workshop on Virtual Machine Security. ACM (2009)Google Scholar
  14. 14.
    Pfoh, J., Schneider, C., Eckert, C.: Nitro: Hardware-based system call tracing for virtual machines. In: Iwata, T., Nishigaki, M. (eds.) IWSEC 2011. LNCS, vol. 7038, pp. 96–112. Springer, Heidelberg (2011)CrossRefGoogle Scholar
  15. 15.
    Schneider, C., Pfoh, J., Eckert, C.: Bridging the semantic gap through static code analysis. In: Proceedings of EuroSec 2012 Workshop. ACM (2012)Google Scholar
  16. 16.
    Sharif, M.I., Lee, W., Cui, W., Lanzi, A.: Secure in-VM monitoring using hardware virtualization. In: Proc. of Conf. on Comp. and Comm. Sec. ACM (2009)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2013

Authors and Affiliations

  1. 1.Technische Universität MünchenMünchenGermany

Personalised recommendations