{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,12,31]],"date-time":"2025-12-31T07:45:24Z","timestamp":1767167124923,"version":"build-2238731810"},"reference-count":54,"publisher":"Association for Computing Machinery (ACM)","issue":"2","license":[{"start":{"date-parts":[[2013,9,1]],"date-time":"2013-09-01T00:00:00Z","timestamp":1377993600000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.acm.org\/publications\/policies\/copyright_policy#Background"}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":["ACM Trans. Inf. Syst. Secur."],"published-print":{"date-parts":[[2013,9]]},
"abstract":"<jats:p>It is generally believed to be a tedious, time-consuming, and error-prone process to develop a virtual machine introspection (VMI) tool because of the semantic gap. Recent advance shows that the semantic-gap can be largely narrowed by reusing the executed code from a trusted OS kernel. However, the limitation for such an approach is that it only reuses the exercised code through a training process, which suffers the code coverage issues. Thus, in this article, we present Vmst, a new technique that can seamlessly bridge the semantic gap and automatically generate the VMI tools. The key idea is that, through system wide instruction monitoring, Vmst automatically identifies the introspection related data from a secure-VM and online redirects these data accesses to the kernel memory of a product-VM, without any training. Vmst offers a number of new features and capabilities. Particularly, it enables an in-VM inspection program (e.g., ps) to automatically become an out-of-VM introspection program. We have tested Vmst with over 25 commonly used utilities on top of a number of different OS kernels including Linux and Microsoft Windows. The experimental results show that our technique is general (largely OS-independent), and it introduces 9.3X overhead for Linux utilities and 19.6X overhead for Windows utilities on average for the introspected program compared to the native in-VM execution without data redirection.<\/jats:p>",
"DOI":"10.1145\/2505124","type":"journal-article","created":{"date-parts":[[2020,4,4]],"date-time":"2020-04-04T03:42:17Z","timestamp":1585971737000},"page":"1-29","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":28,"title":["Bridging the Semantic Gap in Virtual Machine Introspection via Online Kernel Data Redirection"],"prefix":"10.1145","volume":"16","author":[{"given":"Yangchun","family":"Fu","sequence":"first","affiliation":[{"name":"The University of Texas at Dallas"}]},{"given":"Zhiqiang","family":"Lin","sequence":"additional","affiliation":[{"name":"The University of Texas at Dallas"}]}],"member":"320","published-online":{"date-parts":[[2013,9]]},
"reference":[
{"key":"e_1_2_1_1_1","volume-title":"The Design of the UNIX Operating System","author":"Bach M. J."},
{"key":"e_1_2_1_2_1","doi-asserted-by":"publisher","DOI":"10.1109\/SRDS.2010.39"},
{"key":"e_1_2_1_3_1","doi-asserted-by":"publisher","DOI":"10.1109\/IAS.2007.25"},
{"key":"e_1_2_1_4_1","unstructured":"Bovet D. and Cesati M. 2005. Understanding the Linux Kernel. Oreilly & Associates Inc."},
{"key":"e_1_2_1_5_1","doi-asserted-by":"publisher","DOI":"10.1145\/1315245.1315286"},
{"key":"e_1_2_1_6_1","volume-title":"Proceedings of the 17th Annual Network and Distributed System Security Symposium (NDSS\u201910)","author":"Caballero J."},
{"key":"e_1_2_1_7_1","doi-asserted-by":"publisher","DOI":"10.1145\/1180405.1180445"},
{"key":"e_1_2_1_8_1","doi-asserted-by":"publisher","DOI":"10.1145\/1653662.1653729"},
{"key":"e_1_2_1_9_1","volume-title":"Proceedings of the 8th Workshop on Hot Topics in Operating Systems.","author":"Chen P. M."},
{"key":"e_1_2_1_10_1","volume-title":"Proceedings of the 13th USENIX Security Symposium.","author":"Chow J."},
{"key":"e_1_2_1_11_1","doi-asserted-by":"publisher","DOI":"10.1145\/1455770.1455820"},
{"key":"e_1_2_1_12_1","doi-asserted-by":"publisher","DOI":"10.1145\/1455770.1455779"},
{"key":"e_1_2_1_13_1","doi-asserted-by":"publisher","DOI":"10.1145\/1653662.1653730"},
{"key":"e_1_2_1_14_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2011.11"},
{"key":"e_1_2_1_15_1","unstructured":"Dolan-Gavitt B. Payne B. and Lee W. 2011b. Leveraging forensic tools for virtual machine introspection. Tech. rep. GT-CS-11-05."},
{"key":"e_1_2_1_16_1","volume-title":"Proceedings of the USENIX Annual Technical Conference (Usenix\u201907)","author":"Egele M."},
{"key":"e_1_2_1_17_1","volume-title":"Proceedings of the IEEE Symposium on Security and Privacy.","author":"Forrest S."},
{"key":"e_1_2_1_18_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2012.40"},
{"key":"e_1_2_1_19_1","volume-title":"In Proceedings of Network and Distributed Systems Security Symposium (NDSS\u201903)","author":"Garfinkel T.","year":"2003"},
{"key":"e_1_2_1_20_1","volume-title":"Proceedings of the Network and Distributed Systems Security Symposium (NDSS\u201903)","author":"Garfinkel T."},
{"key":"e_1_2_1_21_1","volume-title":"Proceedings of the 15th Annual Network and Distributed System Security Symposium (NDSS\u201908)","author":"Godefroid P."},
{"key":"e_1_2_1_22_1","doi-asserted-by":"publisher","DOI":"10.1145\/2391229.2391234"},
{"key":"e_1_2_1_23_1","doi-asserted-by":"publisher","DOI":"10.1145\/1368506.1368517"},
{"key":"e_1_2_1_24_1","doi-asserted-by":"publisher","DOI":"10.1145\/1950365.1950398"},
{"key":"e_1_2_1_25_1","volume-title":"Proceedings of the Annual Symposium on Information Assurance.","author":"Inoue H."},
{"key":"e_1_2_1_26_1","doi-asserted-by":"publisher","DOI":"10.1145\/1315245.1315262"},
{"key":"e_1_2_1_27_1","volume-title":"Proceedings of the USENIX Annual Technical Conference (Usenix\u201906)","author":"Jones S. T."},
{"key":"e_1_2_1_28_1","doi-asserted-by":"publisher","DOI":"10.1145\/1346256.1346269"},
{"key":"e_1_2_1_29_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2010.10"},
{"key":"e_1_2_1_30_1","volume-title":"Proceedings of the 15th Annual Network and Distributed System Security Symposium (NDSS\u201908)","author":"Lin Z."},
{"key":"e_1_2_1_31_1","volume-title":"Proceedings of the 17th Annual Network and Distributed System Security Symposium (NDSS\u201910)","author":"Lin Z."},
{"key":"e_1_2_1_32_1","volume-title":"Proceedings of the 40th Annual IEEE\/IFIP International Conference on Dependable Systems and Networks (DSN-DCCS","author":"Lin Z.","year":"2010"},
{"key":"e_1_2_1_33_1","volume-title":"Proceedings of the 18th Annual Network and Distributed System Security Symposium (NDSS\u201911)","author":"Lin Z."},
{"key":"e_1_2_1_34_1","doi-asserted-by":"publisher","DOI":"10.1145\/1065010.1065034"},
{"key":"e_1_2_1_35_1","volume-title":"Proceedings of the 14th Annual Network and Distributed System Security Symposium (NDSS\u201905)","author":"Newsome J."},
{"key":"e_1_2_1_36_1","volume-title":"Proceedings of the 23rd Annual Computer Security Applications Conference (ACSAC","author":"Payne B. D.","year":"2007"},
{"key":"e_1_2_1_37_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2008.24"},
{"key":"e_1_2_1_38_1","doi-asserted-by":"publisher","DOI":"10.1145\/1315245.1315260"},
{"key":"e_1_2_1_39_1","volume-title":"Proceedings of the 13th USENIX Security Symposium. USENIX, 179--194","author":"Petroni N. L., Jr."},
{"key":"e_1_2_1_40_1","doi-asserted-by":"publisher","DOI":"10.1145\/1217935.1217938"},
{"key":"e_1_2_1_41_1","volume-title":"Proceedings of the 12th USENIX Security Symposium. USENIX, 257--272","author":"Provos N.","year":"2003"},
{"key":"e_1_2_1_42_1","unstructured":"QEMU: An open source processor emulator. http:\/\/www.qemu.org\/."},
{"key":"e_1_2_1_43_1","doi-asserted-by":"publisher","DOI":"10.5555\/1433006.1433008"},
{"key":"e_1_2_1_44_1","unstructured":"Sekar R. Classification and grouping of linux system calls. http:\/\/seclab.cs.sunysb.edu\/sekar\/papers\/syscallclassif.htm."},
{"key":"e_1_2_1_45_1","doi-asserted-by":"publisher","DOI":"10.1145\/2046707.2046751"},
{"key":"e_1_2_1_46_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-540-87403-4_3"},
{"key":"e_1_2_1_47_1","unstructured":"VProbe: a VMI framework. http:\/\/communities.vmware.com\/community\/vmtn\/developer\/forums\/vprobes."},
{"key":"e_1_2_1_48_1","unstructured":"Walters A. The volatility framework: Volatile memory artifact extraction utility framework. https:\/\/www.volatilesystems.com\/default\/volatility."},
{"key":"e_1_2_1_49_1","doi-asserted-by":"publisher","DOI":"10.1109\/DSN.2005.39"},
{"key":"e_1_2_1_50_1","volume-title":"Proceedings of the 15th Annual Network and Distributed System Security Symposium (NDSS\u201908)","author":"Wondracek G."},
{"key":"e_1_2_1_51_1","unstructured":"Xed: X86 encoder decoder. http:\/\/www.pintool.org\/docs\/24110\/Xed\/html\/."},
{"key":"e_1_2_1_52_1","volume-title":"Proceedings of the 18th Annual Network and Distributed System Security Symposium (NDSS\u201911)","author":"Xiong X."},
{"key":"e_1_2_1_53_1","volume-title":"Temu: Binary code analysis via whole-system layered annotative execution. Tech. rep. UCB\/EECS-2010-3, EECS Department","author":"Yin H.","year":"2010"},
{"key":"e_1_2_1_54_1","doi-asserted-by":"publisher","DOI":"10.1145\/1315245.1315261"}],
"container-title":["ACM Transactions on Information and System Security"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/2505124","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/2505124","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,6,18]],"date-time":"2025-06-18T03:28:57Z","timestamp":1750217337000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/2505124"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2013,9]]},"references-count":54,"aliases":["10.1145\/2516951.2505124"],"journal-issue":{"issue":"2","published-print":{"date-parts":[[2013,9]]}},"alternative-id":["10.1145\/2505124"],"URL":"https:\/\/doi.org\/10.1145\/2505124","relation":{},"ISSN":["1094-9224","1557-7406"],"issn-type":[{"value":"1094-9224","type":"print"},{"value":"1557-7406","type":"electronic"}],"subject":[],"published":{"date-parts":[[2013,9]]},"assertion":[{"value":"2012-12-01","order":0,"name":"received","label":"Received","group":{"name":"publication_history","label":"Publication History"}},{"value":"2013-06-01","order":1,"name":"accepted","label":"Accepted","group":{"name":"publication_history","label":"Publication History"}},{"value":"2013-09-01","order":2,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}