High-Fidelity Virtual Machine Artifact Mitigation
Authors
Singh, Gurminder
Subjects
high-fidelity virtualization
HFV
HFV artifact mitigation
HFVAM
Xen
DRAKVUF
process injection
virtual machine
Linux
cloud resilience
web resilience
insider threats
Date of Issue
2022-09-30
Publisher
Monterey, California: Naval Postgraduate School
Abstract
The use of virtualized systems has grown across application domains that include cyber operator training and offensive and defensive cyber operations. Using virtualized systems is, however, not without its risks, especially if an adversary can determine whether or not a host is virtualized. To prevent such detection, the fidelity of the hypervisor needs to be extended so that adversaries cannot distinguish between a virtualized and a real system. This project is a continuation of our previous work in high-fidelity virtualization (HFV) and HFV artifact mitigation (HFVAM). Previously, we used the Xen hypervisor and DRAKVUF to obfuscate an executable such that the adversary would not know that the system was virtualized. This new work concentrated on the use of a new DRAKVUF capability—process injection by execution—for mitigating HFV artifacts. Our hypothesis was that process injection would lead to even better mitigation of HFV artifacts. We found that process injection was not suitable at this time for mitigating virtualization artifacts, and that DRAKVUF process injection did not work, although the code reported that it had. Thesis research is ongoing, including coordination with DRAKVUF developers on the contradictory results that we observed, and updated results should be available by the end of 2022 (Prince, 2022). This project also explored methods for obfuscating the operating system (OS) and libraries to mitigate attack vectors of intelligent malware.
Type
Report
Description
NPS NRP Executive Summary
Sponsors
MARFORCYBER
HQMC Deputy Commandant Information (DCI)
Funder
This research is supported by funding from the Naval Postgraduate School, Naval Research Program (PE 0605853N/2098).
Distribution Statement
Approved for public release. Distribution is unlimited.
Rights
This publication is a work of the U.S. Government as defined in Title 17, United States Code, Section 101. Copyright protection is not available for this work in the United States.