VM Research Group

Virtual machine research group for computer security

Purpose

Attacks on computer systems are highly technical and difficult to prevent. Our research purpose is to develop computer security technologies that assume attacks and intrusions will occur. In addition, we develop computer security for emerging virtual machine environments.

Policy

Topics

Prevention of log-tampering and loss

Log protection of a virtual machine with a virtual machine monitor

Problem with log-tampering:

Logging information about the activities that take place on a computer is essential for understanding its behavior. However, attackers can delete logs to hide evidence of their activities. Additionally, various problems may result in logs being lost.

Prevention of log-tampering:

To prevent log-tampering and loss, we utilize a virtual machine monitor. In our scheme, the virtual machine monitor detects the production of a log record inside a virtual machine and copies it to another virtual machine. With this mechanism, the window for tampering is reduced, and tampering with logs after the copy becomes difficult because of virtual machine-level isolation.

Advantage:

By copying and transferring logs to another virtual machine, log-tampering after the log is stored becomes difficult. In addition, by comparing the logs inside the monitored virtual machine with those in the logging virtual machine, we can detect not only that tampering occurred but also the area of the log where it occurred. Further, our scheme is implemented by modifying only the virtual machine monitor, so no modification to software inside a virtual machine is required. This enlarges the adaptability of our scheme to various operating systems.
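The copy-and-compare step described above, modelled as an added example that is not the research group's code: a hypothetical VMM-side hook forwards each log record written in the monitored VM to an isolated store in the logging VM, and a comparison later reports which region of the guest's log was deleted or modified. The log lines, hosts and addresses are constructed sample data.

```python
import difflib
from typing import List, Tuple

Finding = Tuple[str, int, int, List[str]]  # (kind, ref_start, ref_end, reference lines)


def vmm_copy_log_write(guest_log: List[str], logging_vm_store: List[str], record: str) -> None:
    """Hypothetical VMM hook: when the guest appends a log record, the same record
    is appended to the logging VM's store, which the guest cannot reach."""
    guest_log.append(record)           # write inside the monitored VM
    logging_vm_store.append(record)    # isolated copy held by the logging VM


def find_tampering(monitored: List[str], reference: List[str]) -> List[Finding]:
    """Compare the monitored VM's log against the logging VM's copy and return
    every differing region with its position in the reference log."""
    names = {"delete": "deleted", "replace": "modified", "insert": "inserted"}
    sm = difflib.SequenceMatcher(a=reference, b=monitored, autojunk=False)
    return [(names[tag], i1, i2, reference[i1:i2])
            for tag, i1, i2, j1, j2 in sm.get_opcodes() if tag != "equal"]


# Constructed sample: records produced inside the monitored VM, each mirrored by the hook.
GUEST_LOG: List[str] = []
LOGGING_VM_STORE: List[str] = []
for _rec in [
    "10:00:01 sshd: Accepted publickey for alice from 192.0.2.10",
    "10:02:17 sshd: Failed password for root from 198.51.100.7",
    "10:02:19 sshd: Failed password for root from 198.51.100.7",
    "10:02:25 sshd: Accepted password for root from 198.51.100.7",
    "10:05:40 sudo: root : COMMAND=/usr/bin/rm -rf /var/log/audit",
]:
    vmm_copy_log_write(GUEST_LOG, LOGGING_VM_STORE, _rec)


def tampered_guest_log() -> List[str]:
    """Constructed post-intrusion state of the guest's own log: the two failed
    logins are removed and the sudo record is rewritten to look harmless."""
    return [GUEST_LOG[0], GUEST_LOG[3], "10:05:40 sudo: root : COMMAND=/usr/bin/ls"]


def report() -> List[Finding]:
    """Run the comparison the logging VM would perform after the incident."""
    return find_tampering(tampered_guest_log(), LOGGING_VM_STORE)


if __name__ == "__main__":
    for kind, start, end, lines in report():
        print(f"{kind} at reference lines {start}-{end - 1}: {lines}")
```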

Attack complication by hiding process information

Process Hiding by Virtual Machine Monitor

Attacks for security software:

As attacks on computers increase, protective software is being developed. However, that software is itself open to attacks that disable its functionality. If the protective software is stopped or disabled, the risk of damage to the computer increases.

Hiding process information for attack avoidance:

To decrease the risk and to address these problems, we proposed an attack avoidance method that hides processes from attackers who intend to terminate essential services, including protective software. The proposed method complicates identification based on process information by dynamically replacing the information held by the kernel with dummy information. Because attackers cannot find the target by inspecting process information, replacing that information makes identifying the attack target difficult.

Publications (from 2015)

  1. “Virtual Machine Monitor-based Hiding Method for Access to Debug Registers,” The Eighth International Symposium on Computing and Networking (CANDAR'20), (11, 2020) (Accepted).
  2. “Implementation and Evaluation of Communication-Hiding Method by System Call Proxy,” International Journal of Networking and Computing, Vol. 9, No. 2, pp. 217–238 (07, 2019).
  3. “Design and Implementation of Hiding Method for File Manipulation of Essential Services by System Call Proxy using Virtual Machine Monitor,” International Journal of Space-Based and Situated Computing, Vol. 9, No. 1, pp. 1–10 (05, 2019).
  4. “Hiding Communication of Essential Services by System Call Proxy,” 2018 Sixth International Symposium on Computing and Networking (CANDAR'18), pp. 47–56 (11, 2018).
  5. “Hiding File Manipulation of Essential Services by System Call Proxy,” The 7th International Workshop on Advances in Data Engineering and Mobile Computing (DEMoC-2018), (09, 2018).
  6. “Memory Access Monitoring and Disguising of Process Information to Avoid Attacks to Essential Services,” 2016 Fourth International Symposium on Computing and Networking, pp. 635–641 (11, 2016).
  7. “Process Hiding by Virtual Machine Monitor for Attack Avoidance,” Journal of Information Processing, Vol. 23, No. 5, pp. 673–682 (09, 2015).

Taniguchi Laboratory
SWLAB (in Japanese)
Last update: 2021