Semantics-driven monitoring discovers attacks against a process by evaluating invariants on the process state. To increase the robustness and the transparency of semantics-driven monitoring, this paper proposes an approach that introduces two Virtual Machines (VMs) running on the same platform. One VM runs the monitored process, i.e. the process to be protected, while the other evaluates invariants on the process state each time the process invokes a system call. The evaluation of the invariants exploits an Introspection Library that enables the monitoring VM to access the memory and the processor registers of the monitored VM.
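A minimal Python model of this architecture, added here as an illustration and not code from the paper or its authors: the `IntrospectionLibrary` class, the memory layout, the three invariants and all sample values are assumptions, and the monitored VM is reduced to a constructed in-memory snapshot of registers and memory.

```python
# Added example (not the paper's code): a monitoring VM evaluates invariants on a
# monitored process's state at every system call, reading that state only through
# an introspection interface over a constructed snapshot (assumed layout/values).
from dataclasses import dataclass

@dataclass
class VMSnapshot:
    regs: dict          # processor registers of the monitored VM
    mem: bytes          # guest physical memory of the monitored VM
    text: tuple         # [start, end) of the process's code segment
    stack: tuple        # [start, end) of the process's stack segment

class IntrospectionLibrary:
    """Stand-in for the paper's library: read-only access to the monitored VM."""
    def __init__(self, snap): self.snap = snap
    def read_reg(self, name): return self.snap.regs[name]
    def read_u32(self, addr):
        return int.from_bytes(self.snap.mem[addr:addr + 4], "little")

# Invariants on the process state; each returns (name, holds?).
ALLOWED = {"read", "write", "exit"}   # assumed syscalls the program's model permits

def inv_sp_in_stack(lib, ev):
    lo, hi = lib.snap.stack
    return "sp_in_stack", lo <= lib.read_reg("sp") < hi

def inv_ret_in_text(lib, ev):
    ret = lib.read_u32(lib.read_reg("sp"))   # saved return address on stack top
    lo, hi = lib.snap.text
    return "ret_in_text", lo <= ret < hi

def inv_syscall_allowed(lib, ev):
    return "syscall_allowed", ev["nr"] in ALLOWED

INVARIANTS = [inv_sp_in_stack, inv_ret_in_text, inv_syscall_allowed]

def monitor(snap, ev):
    """Run at each syscall event: evaluate every invariant via introspection."""
    lib = IntrospectionLibrary(snap)
    return dict(inv(lib, ev) for inv in INVARIANTS)

def alarms(snap, ev):
    """Names of the invariants violated at this syscall (empty if all hold)."""
    return sorted(n for n, ok in monitor(snap, ev).items() if not ok)

# Constructed snapshot: 4 KiB memory, text at [0x000,0x400), stack at [0xc00,0x1000)
def make_snapshot(sp, ret):
    mem = bytearray(0x1000)
    mem[sp:sp + 4] = ret.to_bytes(4, "little")
    return VMSnapshot({"sp": sp}, bytes(mem), (0x000, 0x400), (0xc00, 0x1000))
```

Each syscall trap yields one `alarms()` call; a non-empty result is the point at which the monitoring VM would raise a detection.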