Abstract
We propose a method to protect user-processes against malicious software attacks running an introspection and protection tool (U-HIPE) inside a hypervisor. Our solution is based on hardware virtualization support, imposing “no-write” and/or “no-execution” restrictions on different guest virtual machine’s (VM) memory pages. Protected components include process’ thread stacks, heaps and loadable modules. This way most attempts to execute malicious code in a process are detected and blocked. We propose a method to deal with swappable pages. We inject page-fault exceptions in the guest VM when trying to read swapped-out pages for introspection. We also intercept all swap-in and swap-out events to correctly maintain protection on needed memory pages. We implemented a testing prototype for protecting user-processes in several Microsoft Windows operating systems. Tests we performed proved the effectiveness of our solution against attacks like polymorphic/packed viruses, hook injection and injected code execution. The introduced overhead is acceptable for most applications.
Sign-in/Register to access full text options 
Talk to us
Join us for a 30 min session where you can share your feedback and ask us any queries you have
Schedule a callMore From: Journal of Computer Virology and Hacking Techniques
Disclaimer: All third-party content on this website/platform is and will remain the property of their respective owners and is provided on "as is" basis without any warranties, express or implied. Use of third-party content does not indicate any affiliation, sponsorship with or endorsement by them. Any references to third-party content is to identify the corresponding services and shall be considered fair use under The CopyrightLaw.
