Università di Pisa
Sistema bibliotecario di ateneo

Transparent Process Monitoring in a Virtual Environment

Sgandurra, Daniele and Maggiari, Dario and Tamberi, Francesco and Baiardi, Fabrizio (2009) Transparent Process Monitoring in a Virtual Environment. Electronic Notes in Theoretical Computer Science, Volume (2). pp. 85-100.

[img] PDF
Restricted to Registered users only

Download (497Kb)


    PsycoTrace is a system that integrates static and dynamic tools to protect a process from attacks that alter the process self as specified by the program source code. The static tools build a context-free grammar that describes the sequences of system calls the process may issue and a set of assertions on the process state, one for each invocation. The dynamic tools parse the call trace of the process to check that it belongs to the grammar language and evaluate the assertions. This paper describes the architecture of PsycoTrace, which exploits virtualization to introduce two virtual machines, the monitored and the monitoring virtual machines, to increase both the robustness and the transparency of the monitoring because the machine that implements all the checks is strongly separated from the monitored one. We discuss the modification to the kernel of the monitored machine to trace system call invocations, the definition of the legal traces and the checks to prove the trace is valid. We describe how PsycoTrace applies introspection to evaluate the assertions and analyze the state of the monitored machine and of its data structures. Finally, we present the security and performance results of the dynamic tools, and the implementation of the static tools. Sommario Il lavoro descrive PsycoTrace, uno strumento per la protezione da attacchi informatici basato su virtualizzazione. PsycoTrace fonde virtualizzazione ed introspezione per valutare asserzioni sullo stato di un processso in modo da rilevare attacchi che modifichino lo stato del processo. Inoltre, ad ogni processo viene associata una grammatica che descrive le tracce generate dall'esecuzione del processo. Una traccia definisce le invocazioni al sistema operativo del processo.

    Item Type: Article
    Uncontrolled Keywords: virtual machines; introspection; intrusion detection system
    Subjects: Area01 - Scienze matematiche e informatiche > INF/01 - Informatica
    Divisions: Dipartimenti (until 2012) > DIPARTIMENTO DI INFORMATICA
    Depositing User: prof fabrizio baiardi
    Date Deposited: 15 Jul 2009
    Last Modified: 20 Dec 2010 11:50
    URI: http://eprints.adm.unipi.it/id/eprint/610

    Repository staff only actions

    View Item