Xuxian Jiang

Department of Information and Software Engineering, George Mason University

"'Out-of-the-Box' Malware Defense"

Wednesday December 12, 2007 09:30 AM
Location: 3211, EB II, NCSU Centennial Campus
Abstract: An alarming trend in malware attacks is that they are armed with stealthy techniques to detect, evade, and subvert malware detection facilities of the victim. On the defense side, a fundamental limitation of traditional host-based anti-malware systems is that they run inside the very hosts they are protecting ('in the box'), making them vulnerable to counter-detection and subversion by malware. To address this limitation, recent solutions based on virtual machine (VM) technologies advocate placing the malware detection facilities outside of the protected VM ('out of the box'). However, they gain tamper resistance at the cost of losing the native, semantic view of the host which is enjoyed by the traditional approach, posing a challenge known as the semantic gap.

In this talk, I will present OBSERV -- an 'out-of-the-box' approach that addresses the semantic gap challenge. OBSERV stands for 'Out of the Box with SEmantically Reconstructed View'. More specifically, the OBSERV mechanism -- missing in existing VM platforms -- systematically reconstructs internal semantic views (e.g., files, processes, and kernel modules) of a VM from the outside in a non-intrusive manner. To do that, OBSERV casts semantic definitions of guest OS data structures and functions on virtual machine monitor (VMM)-level VM states and events, so that the semantic view can be reconstructed. With the semantic gap bridged, OBSERV enables a number of powerful malware defense capabilities, three of which will be demonstrated in my talk: (1) invisible system logging; (2) view comparison-based malware detection; and (3) external run of COTS anti-malware software with improved detection accuracy and tamper-resistance. I will also give an overview of my research and education efforts in virtualization-based computer system security and outline my future work.

Short Bio: Xuxian Jiang is an assistant professor in the Department of Information and Software Engineering at George Mason University. He received his Ph.D. in Computer Science from Purdue University in 2006 and M.S. in Computer Science from Xi'an Jiaotong University, China in 2001. His research interests include system and network security, operating systems, virtualization technologies, and distributed systems. Further information is available at

Host: Peng Ning, NCSU, Computer Science

