SoK: Introspections on trust and the semantic gap

Bhushan Jain; Mirza Basim Baig; Dongli Zhang; Donald E. Porter; Radu Sion

doi:10.1109/SP.2014.45

SoK: Introspections on trust and the semantic gap

Bhushan Jain
, Mirza Basim Baig
, Dongli Zhang
, Donald E. Porter
, Radu Sion

Computer Science

Stony Brook University

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

111 Scopus citations

Abstract

An essential goal of Virtual Machine Introspection (VMI) is assuring security policy enforcement and overall functionality in the presence of an untrustworthy OS. A fundamental obstacle to this goal is the difficulty in accurately extracting semantic meaning from the hypervisor's hardware level view of a guest OS, called the semantic gap. Over the twelve years since the semantic gap was identified, immense progress has been made in developing powerful VMI tools. Unfortunately, much of this progress has been made at the cost of reintroducing trust into the guest OS, often in direct contradiction to the underlying threat model motivating the introspection. Although this choice is reasonable in some contexts and has facilitated progress, the ultimate goal of reducing the trusted computing base of software systems is best served by a fresh look at the VMI design space. This paper organizes previous work based on the essential design considerations when building a VMI system, and then explains how these design choices dictate the trust model and security properties of the overall system. The paper then observes portions of the VMI design space which have been under-explored, as well as potential adaptations of existing techniques to bridge the semantic gap without trusting the guest OS. Overall, this paper aims to create an essential checkpoint in the broader quest for meaningful trust in virtualized environments through VM introspection.

Original language	English
Title of host publication	Proceedings - IEEE Symposium on Security and Privacy
Publisher	Institute of Electrical and Electronics Engineers Inc.
Pages	605-620
Number of pages	16
ISBN (Electronic)	9781479946860
DOIs	https://doi.org/10.1109/SP.2014.45
State	Published - Nov 13 2014
Event	35th IEEE Symposium on Security and Privacy, SP 2014 - San Jose, United States Duration: May 18 2014 → May 21 2014

Publication series

Name	Proceedings - IEEE Symposium on Security and Privacy
ISSN (Print)	1081-6011

Conference

Conference	35th IEEE Symposium on Security and Privacy, SP 2014
Country/Territory	United States
City	San Jose
Period	05/18/14 → 05/21/14

Keywords

semantic gap
trust
VM Introspection

Access to Document

10.1109/SP.2014.45

Cite this

@inproceedings{ed3bb44650ce459dbbad0dbd51c61da0,

title = "SoK: Introspections on trust and the semantic gap",

abstract = "An essential goal of Virtual Machine Introspection (VMI) is assuring security policy enforcement and overall functionality in the presence of an untrustworthy OS. A fundamental obstacle to this goal is the difficulty in accurately extracting semantic meaning from the hypervisor's hardware level view of a guest OS, called the semantic gap. Over the twelve years since the semantic gap was identified, immense progress has been made in developing powerful VMI tools. Unfortunately, much of this progress has been made at the cost of reintroducing trust into the guest OS, often in direct contradiction to the underlying threat model motivating the introspection. Although this choice is reasonable in some contexts and has facilitated progress, the ultimate goal of reducing the trusted computing base of software systems is best served by a fresh look at the VMI design space. This paper organizes previous work based on the essential design considerations when building a VMI system, and then explains how these design choices dictate the trust model and security properties of the overall system. The paper then observes portions of the VMI design space which have been under-explored, as well as potential adaptations of existing techniques to bridge the semantic gap without trusting the guest OS. Overall, this paper aims to create an essential checkpoint in the broader quest for meaningful trust in virtualized environments through VM introspection.",

keywords = "semantic gap, trust, VM Introspection",

author = "Bhushan Jain and Baig, \{Mirza Basim\} and Dongli Zhang and Porter, \{Donald E.\} and Radu Sion",

note = "Publisher Copyright: {\textcopyright} 2014 IEEE.; 35th IEEE Symposium on Security and Privacy, SP 2014 ; Conference date: 18-05-2014 Through 21-05-2014",

year = "2014",

month = nov,

day = "13",

doi = "10.1109/SP.2014.45",

language = "English",

series = "Proceedings - IEEE Symposium on Security and Privacy",

publisher = "Institute of Electrical and Electronics Engineers Inc.",

pages = "605--620",

booktitle = "Proceedings - IEEE Symposium on Security and Privacy",

}

Jain, B, Baig, MB, Zhang, D, Porter, DE & Sion, R 2014, SoK: Introspections on trust and the semantic gap. in Proceedings - IEEE Symposium on Security and Privacy., 6956590, Proceedings - IEEE Symposium on Security and Privacy, Institute of Electrical and Electronics Engineers Inc., pp. 605-620, 35th IEEE Symposium on Security and Privacy, SP 2014, San Jose, United States, 05/18/14. https://doi.org/10.1109/SP.2014.45

SoK: Introspections on trust and the semantic gap. / Jain, Bhushan; Baig, Mirza Basim; Zhang, Dongli et al.
Proceedings - IEEE Symposium on Security and Privacy. Institute of Electrical and Electronics Engineers Inc., 2014. p. 605-620 6956590 (Proceedings - IEEE Symposium on Security and Privacy).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

TY - GEN

T1 - SoK

T2 - 35th IEEE Symposium on Security and Privacy, SP 2014

AU - Jain, Bhushan

AU - Baig, Mirza Basim

AU - Zhang, Dongli

AU - Porter, Donald E.

AU - Sion, Radu

PY - 2014/11/13

Y1 - 2014/11/13

N2 - An essential goal of Virtual Machine Introspection (VMI) is assuring security policy enforcement and overall functionality in the presence of an untrustworthy OS. A fundamental obstacle to this goal is the difficulty in accurately extracting semantic meaning from the hypervisor's hardware level view of a guest OS, called the semantic gap. Over the twelve years since the semantic gap was identified, immense progress has been made in developing powerful VMI tools. Unfortunately, much of this progress has been made at the cost of reintroducing trust into the guest OS, often in direct contradiction to the underlying threat model motivating the introspection. Although this choice is reasonable in some contexts and has facilitated progress, the ultimate goal of reducing the trusted computing base of software systems is best served by a fresh look at the VMI design space. This paper organizes previous work based on the essential design considerations when building a VMI system, and then explains how these design choices dictate the trust model and security properties of the overall system. The paper then observes portions of the VMI design space which have been under-explored, as well as potential adaptations of existing techniques to bridge the semantic gap without trusting the guest OS. Overall, this paper aims to create an essential checkpoint in the broader quest for meaningful trust in virtualized environments through VM introspection.

AB - An essential goal of Virtual Machine Introspection (VMI) is assuring security policy enforcement and overall functionality in the presence of an untrustworthy OS. A fundamental obstacle to this goal is the difficulty in accurately extracting semantic meaning from the hypervisor's hardware level view of a guest OS, called the semantic gap. Over the twelve years since the semantic gap was identified, immense progress has been made in developing powerful VMI tools. Unfortunately, much of this progress has been made at the cost of reintroducing trust into the guest OS, often in direct contradiction to the underlying threat model motivating the introspection. Although this choice is reasonable in some contexts and has facilitated progress, the ultimate goal of reducing the trusted computing base of software systems is best served by a fresh look at the VMI design space. This paper organizes previous work based on the essential design considerations when building a VMI system, and then explains how these design choices dictate the trust model and security properties of the overall system. The paper then observes portions of the VMI design space which have been under-explored, as well as potential adaptations of existing techniques to bridge the semantic gap without trusting the guest OS. Overall, this paper aims to create an essential checkpoint in the broader quest for meaningful trust in virtualized environments through VM introspection.

KW - semantic gap

KW - trust

KW - VM Introspection

UR - https://www.scopus.com/pages/publications/84914124212

U2 - 10.1109/SP.2014.45

DO - 10.1109/SP.2014.45

M3 - Conference contribution

AN - SCOPUS:84914124212

T3 - Proceedings - IEEE Symposium on Security and Privacy

SP - 605

EP - 620

BT - Proceedings - IEEE Symposium on Security and Privacy

PB - Institute of Electrical and Electronics Engineers Inc.

Y2 - 18 May 2014 through 21 May 2014

ER -

SoK: Introspections on trust and the semantic gap

Abstract

Publication series

Conference

Keywords

Access to Document

Other files and links

Fingerprint

Cite this