A lecture by Sartakov A. Vasily for Summer Systems School'12: a brief introduction to VMI and FMA technologies.
SSS'12 is an educational event organized by ksys labs[1] in 2012 for students interested in system software development and information security.
1. http://ksyslabs.org/
2. FMA - Forensic memory analysis seeks to extract forensic information from dumps of physical memory.
VMI - Virtual Machine Introspection
VMI software runs in an isolated virtualized environment and monitors the state of other VMs. This isolation protects it from tampering by software inside the monitored VM, making it an attractive way to implement security software. VMI-based monitoring is performed online and focuses on detecting security events as they occur.
FMA, by contrast, typically takes place after a security incident is suspected to have occurred. An investigator acquires an image of physical memory and then performs offline analysis, extracting information about the system state to explain the incident.
Thursday, 26 July 2012
3. VMI:
+ Dynamic - changes over time
- Needs a lot of resources
- Affects the monitored system
FMA:
+ No time/resource restrictions
+ No effect on the system
- Static
Problem:
Semantic Gap
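The offline analysis step described on slide 2 is where the semantic gap of slide 3 shows up: a memory dump is only bytes until a structure definition is applied to them. As an added example (not from the lecture), this Python sketch builds a constructed toy memory image with a hypothetical process-object layout and recovers processes two ways: by walking the OS's own list and by carving on a tag in the style of Schuster's DFRWS'06 approach; the layout, offsets, names and PIDs are all invented for the demonstration.

```python
import struct

# Constructed toy layout of one process object (hypothetical, not a real OS structure):
#   tag 4 bytes b"PROC" | pid u32 | ppid u32 | next u32 (offset of next list entry, 0 = end) | name 16 bytes NUL-padded
PROC_FMT = "<4sIII16s"
PROC_SIZE = struct.calcsize(PROC_FMT)  # 32 bytes
TAG = b"PROC"

def build_image():
    """Constructed 256-byte 'memory dump': list head pointer at offset 0, three linked
    process objects, plus one object of a terminated process that is no longer on the list."""
    img = bytearray(256)
    objs = [(0x40, 4, 0, 0x80, b"System"), (0x80, 300, 4, 0xC0, b"smss"),
            (0xC0, 512, 300, 0, b"winlogon"), (0xE0, 777, 300, 0, b"notepad")]
    for off, pid, ppid, nxt, name in objs:
        struct.pack_into(PROC_FMT, img, off, TAG, pid, ppid, nxt, name)
    struct.pack_into("<I", img, 0, 0x40)  # head of the active-process list
    return bytes(img)

def parse_proc(img, off):
    """Apply the structure definition to raw bytes: this is the semantic step."""
    tag, pid, ppid, nxt, name = struct.unpack_from(PROC_FMT, img, off)
    if tag != TAG:
        raise ValueError(f"no process object at {off:#x}")
    return {"offset": off, "pid": pid, "ppid": ppid, "next": nxt,
            "name": name.rstrip(b"\x00").decode("ascii", "replace")}

def walk_list(img):
    """OS-level view: follow the list the kernel maintains (cycle-safe)."""
    seen, procs = set(), []
    off = struct.unpack_from("<I", img, 0)[0]
    while off and off not in seen:
        seen.add(off)
        procs.append(parse_proc(img, off))
        off = procs[-1]["next"]
    return procs

def carve(img):
    """Raw view (tag scanning): test every aligned offset for the tag and keep hits whose
    fields pass sanity checks. Also recovers objects the list no longer reaches."""
    procs = []
    for off in range(0, len(img) - PROC_SIZE + 1, 4):
        if img[off:off + 4] != TAG:
            continue
        p = parse_proc(img, off)
        if p["next"] % 4 == 0 and p["next"] + PROC_SIZE <= len(img) and p["name"]:
            procs.append(p)
    return procs
```

Walking the list yields the three live processes; carving additionally returns the terminated "notepad" object, which is exactly the kind of residue an investigator can still extract from a dump.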
4. A. Schuster. Searching for processes and threads in Microsoft Windows memory dumps. In Proceedings of the 6th Annual Digital Forensic Research Workshop (DFRWS), 2006.
VMware, Inc. VMware VMsafe security technology. http://www.vmware.com/technology/security/vmsafe.html
A. Walters. The Volatility framework: Volatile memory artifact extraction utility framework. https://www.volatilesystems.com/default/volatility
T. Garfinkel and M. Rosenblum. A Virtual Machine Introspection Based Architecture for Intrusion Detection. In Proceedings of the Network and Distributed Systems Security Symposium (NDSS), 2003.