{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,9,28]],"date-time":"2025-09-28T20:42:17Z","timestamp":1759092137163},"publisher-location":"Cham","reference-count":67,"publisher":"Springer International Publishing","isbn-type":[{"type":"print","value":"9783319271361"},{"type":"electronic","value":"9783319271378"}],"license":[{"start":{"date-parts":[[2015,1,1]],"date-time":"2015-01-01T00:00:00Z","timestamp":1420070400000},"content-version":"unspecified","delay-in-days":0,"URL":"http:\/\/www.springer.com\/tdm"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":[],"published-print":{"date-parts":[[2015]]},"DOI":"10.1007\/978-3-319-27137-8_32","type":"book-chapter","created":{"date-parts":[[2015,11,16]],"date-time":"2015-11-16T11:24:23Z","timestamp":1447673063000},"page":"429-448","source":"Crossref","is-referenced-by-count":3,"title":["Exploring Efficient and Robust Virtual Machine Introspection Techniques"],"prefix":"10.1007","author":[{"given":"Chonghua","family":"Wang","sequence":"first","affiliation":[]},{"given":"Xiaochun","family":"Yun","sequence":"additional","affiliation":[]},{"given":"Zhiyu","family":"Hao","sequence":"additional","affiliation":[]},{"given":"Lei","family":"Cui","sequence":"additional","affiliation":[]},{"given":"Yandong","family":"Han","sequence":"additional","affiliation":[]},{"given":"Qingxin","family":"Zou","sequence":"additional","affiliation":[]}],"member":"297","published-online":{"date-parts":[[2015,12,16]]},"reference":[{"key":"32_CR1","unstructured":"Garfinkel, T., Rosenblum, M.: A virtual machine introspection based architecture for intrusion detection. In: NDSS 2003, pp.191\u2013206 (2003)"},{"key":"32_CR2","doi-asserted-by":"crossref","unstructured":"Payne, B., Carbone, M., Lee, W.: Secure and flexible monitoring of virtual machines. In: ACSAC 2007, pp. 
385\u2013397 (2007)","DOI":"10.1109\/ACSAC.2007.4413005"},{"key":"32_CR3","unstructured":"The volatility framework. \n                      https:\/\/github.com\/volatilityfoundation\/volatility"},{"key":"32_CR4","unstructured":"Volatilitux. \n                      https:\/\/code.google.com\/p\/volatilitux\/"},{"key":"32_CR5","doi-asserted-by":"crossref","unstructured":"Jiang, X., Wang, X., Xu, D.: Stealthy malware detection through VMM-based \u201cout-of-the-box\u201d semantic view reconstruction. In: CCS 2007, pp. 128\u2013138 (2007)","DOI":"10.1145\/1315245.1315262"},{"key":"32_CR6","unstructured":"LibVMI library. \n                      https:\/\/github.com\/libvmi\/libvmi"},{"key":"32_CR7","doi-asserted-by":"crossref","unstructured":"Jiang, X., Wang, X.: \u201cOut-of-the-Box\u201d monitoring of VM-based high-interaction honeypots. In: RAID 2007, pp. 198\u2013218 (2007)","DOI":"10.1007\/978-3-540-74320-0_11"},{"key":"32_CR8","doi-asserted-by":"crossref","unstructured":"Xiang, G., Jin, H., Zou, D., Zhang, X., Wen, S., Zhao, F.: VMDriver: a driver-based monitoring mechanism for virtualization. In: SRDS 2010, pp. 72\u201381 (2010)","DOI":"10.1109\/SRDS.2010.38"},{"key":"32_CR9","unstructured":"Andersen, L.O.: Program analysis and specialization for the C programming language. Ph.D. thesis, DIKU, University of Copenhagen (1994)"},{"key":"32_CR10","doi-asserted-by":"crossref","unstructured":"Heintze, N., Tardieu, O.: Ultra-fast aliasing analysis using CLA: a million lines of C code in a second. In: PLDI 2001, pp. 254\u2013263 (2001)","DOI":"10.1145\/381694.378855"},{"key":"32_CR11","unstructured":"Lin, Z., Rhee, J., Zhang, X., Xu, D., Jiang, X.: SigGraph: brute force scanning of kernel data structure instances using graph-based signatures. In: NDSS 2011 (2011)"},{"key":"32_CR12","unstructured":"Cui, W., Peinado, M., Xu, Z., Chan, E.: Tracking rootkit footprints with a practical memory analysis system. In: USENIX Security 2012, p. 
42 (2012)"},{"key":"32_CR13","doi-asserted-by":"crossref","unstructured":"Carbone, M., Cui, W., Lu, L., Lee, W., Peinado, M., Jiang, X.: Mapping kernel objects to enable systematic integrity checking. In: CCS 2009, pp. 555\u2013565 (2009)","DOI":"10.1145\/1653662.1653729"},{"key":"32_CR14","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"crossref","first-page":"237","DOI":"10.1007\/978-3-319-13039-2_14","volume-title":"Computer Security - ESORICS 2014","author":"Z Xu","year":"2014","unstructured":"Xu, Z., Zhang, J., Gu, G., Lin, Z.: SigPath: a memory graph based approach for program data introspection and modification. In: Vaidya, J., Kuty\u0142owski, M. (eds.) ESORICS 2014. LNCS, vol. 8713, pp. 237\u2013256. Springer, Heidelberg (2014)"},{"key":"32_CR15","doi-asserted-by":"crossref","unstructured":"Liang, B., You, W., Shi, W., Liang, Z.: Detecting stealthy malware with inter-structure and imported signatures. In: ASICCS 2011, pp. 217\u2013227 (2011)","DOI":"10.1145\/1966913.1966941"},{"key":"32_CR16","unstructured":"Schneider, C., Pfoh, J., Eckert, C.: Bridging the semantic gap through static code analysis. In: EuroSec 2012 (2012)"},{"key":"32_CR17","doi-asserted-by":"crossref","unstructured":"Dolan-Gavitt, B., Srivastava, A., Traynor, P., Giffin, J.: Robust signatures for kernel data structures. In: CCS 2009, pp. 566\u2013577 (2009)","DOI":"10.1145\/1653662.1653730"},{"key":"32_CR18","doi-asserted-by":"crossref","unstructured":"Pham, C., Estrada, Z., Cao, P., et al.: Reliability and security monitoring of virtual machines using hardware architectural invariants. In: DSN 2014, pp. 13\u201324 (2014)","DOI":"10.1109\/DSN.2014.19"},{"key":"32_CR19","unstructured":"Quynh, N.A., Suzaki, K.: Xenprobe: a lightweight user-space probing framework for xen virtual machine. 
In: USENIX ATC 2007 (2007)"},{"key":"32_CR20","doi-asserted-by":"crossref","unstructured":"Dinaburg, A., Royal, P., Sharif, M., Lee, W.: Ether: malware analysis via hardware virtualization extensions. In: CCS 2008, pp. 51\u201362 (2008)","DOI":"10.1145\/1455770.1455779"},{"key":"32_CR21","doi-asserted-by":"crossref","unstructured":"Nguyen, A.M., Schear, N., Jung, H., Godiyal, A., King, S.T., Nguyen, H.D.: MAVMM: lightweight and purpose built VMM for malware analysis. In: ACSAC 2009, pp. 441\u2013450 (2009)","DOI":"10.1109\/ACSAC.2009.48"},{"key":"32_CR22","unstructured":"Vogl, S., Eckert, C.: Using hardware performance events for instruction-level monitoring on the x86 architecture. In: EuroSec 2012 (2012)"},{"key":"32_CR23","doi-asserted-by":"crossref","unstructured":"Willems, C., et al.: Down to the bare metal: using processor features for binary analysis. In: ACSAC 2012, pp. 189\u2013198 (2012)","DOI":"10.1145\/2420950.2420980"},{"key":"32_CR24","doi-asserted-by":"crossref","unstructured":"Yan, L., Jayachandra, M., Zhang, M., Heng, Y.: V2E: combining hardware virtualization and software emulation for transparent and extensible malware analysis. In: ACM SIGPLAN Notices, pp. 227\u2013238 (2012)","DOI":"10.1145\/2365864.2151053"},{"key":"32_CR25","doi-asserted-by":"crossref","unstructured":"Deng, Z., Zhang, X., Xu, D.: SPIDER: stealthy binary program instrumentation and debugging via hardware virtualization. In: ACSAC 2013, pp. 289\u2013298 (2013)","DOI":"10.1145\/2523649.2523675"},{"key":"32_CR26","doi-asserted-by":"crossref","unstructured":"Jones, S.T., Arpaci-Dusseau, A.C., Arpaci-Dusseau, R.H.: Antfarm: tracking processes in a virtual machine environment. In: USENIX ATC 2006, pp. 1\u201314 (2006)","DOI":"10.1145\/1168918.1168861"},{"key":"32_CR27","doi-asserted-by":"crossref","unstructured":"Jones, S.T., Arpaci-Dusseau, A.C., Arpaci-Dusseau, R.H.: VMM-based hidden process detection and identification using lycosid. In: VEE 2008, pp. 
91\u2013100 (2008)","DOI":"10.1145\/1346256.1346269"},{"key":"32_CR28","doi-asserted-by":"crossref","unstructured":"Forrest, S., Hofmeyr, S., Somayaji, A.: The evolution of system-call monitoring. In: ACSAC 2008, pp. 418\u2013430 (2008)","DOI":"10.1109\/ACSAC.2008.54"},{"key":"32_CR29","unstructured":"Intel corp. Intel 64 and IA-32 Architectures Developer\u2019s Manual, vol. 3B (2013)"},{"key":"32_CR30","unstructured":"AMD64 Architecture Programmer\u2019s Manual. Volume 2: System Programming. AMD Inc. (2013)"},{"key":"32_CR31","doi-asserted-by":"crossref","unstructured":"Li, B., et al.: A VMM-based system call interposition framework for program monitoring. In: ICPADS 2010, pp. 706\u2013711 (2010)","DOI":"10.1109\/ICPADS.2010.53"},{"key":"32_CR32","doi-asserted-by":"crossref","unstructured":"Payne, B., Carbone, M., Sharif, M., Lee, W.: Lares: an architecture for secure active monitoring using virtualization. In: SP 2008, pp. 233\u2013247 (2008)","DOI":"10.1109\/SP.2008.24"},{"key":"32_CR33","doi-asserted-by":"crossref","unstructured":"Pfoh, J., Schneider, C., Eckert, C.: Nitro: hardware-based system call tracing for virtual machines. In: AICS 2011, pp. 96\u2013112 (2011)","DOI":"10.1007\/978-3-642-25141-2_7"},{"key":"32_CR34","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"297","DOI":"10.1007\/978-3-642-15512-3_16","volume-title":"Recent Advances in Intrusion Detection","author":"L Martignoni","year":"2010","unstructured":"Martignoni, L., Fattori, A., Paleari, R., Cavallaro, L.: Live and trustworthy forensic analysis of commodity production systems. In: Jha, S., Sommer, R., Kreibich, C. (eds.) RAID 2010. LNCS, vol. 6307, pp. 297\u2013316. Springer, Heidelberg (2010)"},{"key":"32_CR35","unstructured":"Sebek. \n                      http:\/\/www.honeynet.org\/tools\/sebek\/"},{"key":"32_CR36","unstructured":"Lin, Z., Zhang, X., Xu, D.: Automatic reverse engineering of data structures from binary execution. 
In: NDSS 2010 (2010)"},{"key":"32_CR37","doi-asserted-by":"crossref","unstructured":"Deng, Z., Xu, D., Zhang, X., Jiang, X.: Introlib: efficient and transparent library call introspection for malware forensics. In: DFRW 2012, pp. 13\u201323 (2012)","DOI":"10.1016\/j.diin.2012.05.013"},{"key":"32_CR38","doi-asserted-by":"crossref","unstructured":"Shinagawa, T., et al.: BitVisor: a thin hypervisor for enforcing I\/O device security. In: VEE 2009, pp. 121\u2013130 (2009)","DOI":"10.1145\/1508293.1508311"},{"key":"32_CR39","unstructured":"Kirat, D., Vigna, G., Kruegel, C.: Barecloud: bare-metal analysis-based evasive malware detection. In: USENIX Security 2014, pp. 287\u2013301 (2014)"},{"key":"32_CR40","unstructured":"Srivastava, A., Giffin, J.: Efficient monitoring of untrusted kernel-mode execution. In: NDSS 2011 (2011)"},{"key":"32_CR41","doi-asserted-by":"crossref","unstructured":"Srinivasan, D., Wang, Z., Jiang, X., Xu, D.: Process out-grafting: an efficient \u201cout-of-VM\u201d approach for fine-grained process execution monitoring. In: CCS 2011, pp. 363\u2013374 (2011)","DOI":"10.1145\/2046707.2046751"},{"key":"32_CR42","doi-asserted-by":"crossref","unstructured":"Wu, R., Chen, P., Liu, P., Mao, B.: System call redirection: a practical approach to meeting real-world VMI needs. In: DSN 2014, pp. 574\u2013585 (2014)","DOI":"10.1109\/DSN.2014.59"},{"key":"32_CR43","doi-asserted-by":"crossref","unstructured":"Gu, Z., Deng, Z., Xu, D., Jiang, X.: Process implanting: a new active introspection framework for virtualization. In: SRDS 2011, pp. 147\u2013156 (2011)","DOI":"10.1109\/SRDS.2011.26"},{"key":"32_CR44","doi-asserted-by":"crossref","unstructured":"Carbone, M., Conover, M., Montague, B., Lee, W.: Secure and robust monitoring of virtual machines through guest-assisted introspection. In: RAID 2012, pp. 
22\u201341 (2012)","DOI":"10.1007\/978-3-642-33338-5_2"},{"key":"32_CR45","doi-asserted-by":"crossref","unstructured":"Dolan-Gavitt, B., Leek, T., Zhivich, M., Giffin, J., Lee, W.: Virtuoso: narrowing the semantic gap in virtual machine introspection. In: S&P 2011, pp. 297\u2013312 (2011)","DOI":"10.1109\/SP.2011.11"},{"key":"32_CR46","doi-asserted-by":"crossref","unstructured":"Fu, Y., Lin, Z.: Space traveling across VM: Automatically bridging the semantic gap in virtual machine introspection via online kernel data redirection. In: S&P 2012, pp. 586\u2013600 (2012)","DOI":"10.1109\/SP.2012.40"},{"key":"32_CR47","doi-asserted-by":"crossref","unstructured":"Fu, Y., Lin, Z.: Exterior: using a dual-VM based external shell for guest-OS introspection, configuration, and recovery. In: VEE 2013, pp. 97\u2013110 (2013)","DOI":"10.1145\/2517326.2451534"},{"key":"32_CR48","doi-asserted-by":"crossref","unstructured":"Sharif, M.I., Lee, W., Cui, W., Lanzi, A.: Secure in VM monitoring using hardware virtualization. In: CCS 2009, pp. 477\u2013487 (2009)","DOI":"10.1145\/1653662.1653720"},{"key":"32_CR49","doi-asserted-by":"crossref","unstructured":"Liu, Y., Xia, Y., Guan, H., Zang, B., Chen, H.: Concurrent and consistent virtual machine introspection with hardware transactional memory. In: HPCA 2014, pp. 416\u2013427 (2014)","DOI":"10.1109\/HPCA.2014.6835951"},{"key":"32_CR50","doi-asserted-by":"crossref","unstructured":"Moon, H., Lee, H., Lee, J., Kim, K., Paek, Y., Kang, B.B.: Vigilare: toward snoop-based kernel integrity monitor. In: CCS 2012, pp. 28\u201337 (2012)","DOI":"10.1145\/2382196.2382202"},{"key":"32_CR51","doi-asserted-by":"crossref","unstructured":"Moon, H., Lee, H., Lee, J., Kim, K., Paek, Y., Kang, B.B.: Vigilare: toward snoop-based kernel integrity monitor. In: CCS 2012, pp. 
28\u201337 (2012)","DOI":"10.1145\/2382196.2382202"},{"key":"32_CR52","doi-asserted-by":"crossref","unstructured":"Azab, A.M., Ning, P., Wang, Z., Jiang, X., Zhang, X., Skalsky, N.C.: Hypersentry: enabling stealthy in-context measurement of hypervisor integrity. In: CCS 2010, pp. 38\u201349 (2010)","DOI":"10.1145\/1866307.1866313"},{"key":"32_CR53","doi-asserted-by":"crossref","unstructured":"Bahram, S., Jiang, X., Wang, Z., Grace, M., Li, J., Srinivasan, D., Rhee, J., Xu, D.: DKSM: subverting virtual machine introspection for fun and profit. In: SRDS 2010, pp. 82\u201391 (2010)","DOI":"10.1109\/SRDS.2010.39"},{"key":"32_CR54","unstructured":"Hund, R., Holz, T., Freiling, F.C.: Return-oriented rootkits: bypassing kernel code integrity protection mechanisms. In: USENIX Security 2009, pp. 383\u2013398 (2009)"},{"key":"32_CR55","unstructured":"Butler, J., Hoglund, G.: Vice - catch the hookers!. In: Black Hat USA (2004)"},{"key":"32_CR56","doi-asserted-by":"crossref","unstructured":"Wang, Z., Jiang, X.: Hypersafe: a lightweight approach to provide lifetime hypervisor control-flow integrity. In: S&P 2010, pp. 380\u2013395 (2010)","DOI":"10.1109\/SP.2010.30"},{"key":"32_CR57","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"158","DOI":"10.1007\/978-3-642-15512-3_9","volume-title":"Recent Advances in Intrusion Detection","author":"J Wang","year":"2010","unstructured":"Wang, J., Stavrou, A., Ghosh, A.: Hypercheck: a hardware-assisted integrity monitor. In: Jha, S., Sommer, R., Kreibich, C. (eds.) RAID 2010. LNCS, vol. 6307, pp. 158\u2013177. Springer, Heidelberg (2010)"},{"key":"32_CR58","doi-asserted-by":"crossref","unstructured":"Wang, Z., Wu, C., Grace, M., Jiang, X.: Isolating commodity hosted hypervisors with hyperlock. In: EuroSys 2012, pp. 
127\u2013140 (2012)","DOI":"10.1145\/2168836.2168850"},{"key":"32_CR59","doi-asserted-by":"crossref","unstructured":"Zhang, F., Chen, J., Chen, H., Zang, B.: CloudVisor: retrofitting protection of virtual machines in multi-tenant cloud with nested virtualization. In: SOSP 2011, pp. 203\u2013216 (2011)","DOI":"10.1145\/2043556.2043576"},{"key":"32_CR60","doi-asserted-by":"crossref","unstructured":"Seshadri, A., Luk, M., Qu, N., Perring, A.: SecVisor: a tiny hypervisor to provide lifetime kernel code integrity for commodity OSes. In: SOSP 2007, pp. 335\u2013350 (2007)","DOI":"10.1145\/1323293.1294294"},{"key":"32_CR61","unstructured":"Litty, L., Lagar-Cavilla, H., Lie, D.: Hypervisor support for identifying covertly executing binaries. In: USENIX Security 2008, pp. 243\u2013258 (2008)"},{"key":"32_CR62","doi-asserted-by":"crossref","unstructured":"Riley, R., Jiang, X., Xu, D.: Guest-transparent prevention of kernel rootkits with VMM-based memory shadowing. In: RAID 2008, pp. 1\u201320 (2008)","DOI":"10.1007\/978-3-540-87403-4_1"},{"key":"32_CR63","doi-asserted-by":"crossref","unstructured":"Hofmann, O.S., Dunn, A.M., Kim, S., Roy, I., Witchel, E.: Ensuring operating system kernel integrity with OSck. In: ASPLOS 2011, pp. 279\u2013290 (2011)","DOI":"10.1145\/1961295.1950398"},{"key":"32_CR64","unstructured":"Fu, Y., Zeng, J., Lin, Z.: HYPERSHELL: a practical hypervisor layer guest OS shell for automated in-VM management. In: USENIX ATC 2014, pp. 85\u201396 (2014)"},{"key":"32_CR65","doi-asserted-by":"crossref","unstructured":"Jain, B., Baig, M.B., Zhang, D., Porter, D.E., Sion, R.: SoK: introspections on trust and the semantic gap. In: S&P 2014, pp. 605\u2013620 (2014)","DOI":"10.1109\/SP.2014.45"},{"key":"32_CR66","doi-asserted-by":"crossref","unstructured":"Zhang, F., Leach, K., Sun, K., Stavrou, A.: SPECTRE: a dependable introspection framework via system management mode. In: DSN 2013, pp. 
1\u201312 (2013)","DOI":"10.1109\/DSN.2013.6575343"},{"key":"32_CR67","doi-asserted-by":"crossref","unstructured":"Wang, Z., Jiang, X., Cui, W., Ning, P.: Countering kernel rootkits with lightweight hook protection. In: CCS 2009, pp. 545\u2013554 (2009)","DOI":"10.1145\/1653662.1653728"}],"container-title":["Lecture Notes in Computer Science","Algorithms and Architectures for Parallel Processing"],"original-title":[],"link":[{"URL":"http:\/\/link.springer.com\/content\/pdf\/10.1007\/978-3-319-27137-8_32","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2019,5,31]],"date-time":"2019-05-31T15:11:50Z","timestamp":1559315510000},"score":1,"resource":{"primary":{"URL":"http:\/\/link.springer.com\/10.1007\/978-3-319-27137-8_32"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2015]]},"ISBN":["9783319271361","9783319271378"],"references-count":67,"URL":"https:\/\/doi.org\/10.1007\/978-3-319-27137-8_32","relation":{},"ISSN":["0302-9743","1611-3349"],"issn-type":[{"type":"print","value":"0302-9743"},{"type":"electronic","value":"1611-3349"}],"subject":[],"published":{"date-parts":[[2015]]}}}