Kernel Debugger


The experts below are selected from a list of 48 experts worldwide, ranked by the ideXlab platform.

Mattia Monga - One of the best experts on this subject based on the ideXlab platform.

  • ASE - Dynamic and transparent analysis of commodity production systems
    Proceedings of the IEEE ACM international conference on Automated software engineering - ASE '10, 2010
    Co-Authors: Aristide Fattori, Roberto Paleari, Lorenzo Martignoni, Mattia Monga
    Abstract:

    We propose a framework that provides a programming interface to perform complex dynamic system-level analyses of deployed production systems. By leveraging hardware support for virtualization, available nowadays on all commodity machines, our framework is completely transparent to the system under analysis and it guarantees isolation of the analysis tools running on top of it. Thus, the internals of the kernel of the running system need not be modified and the whole platform runs unaware of the framework. Moreover, errors in the analysis tools do not affect the running system or the framework. This is accomplished by installing a minimalistic virtual machine monitor and migrating the system, as it runs, into a virtual machine. In order to demonstrate the potential of our framework we developed an interactive kernel debugger, named HyperDbg. HyperDbg can be used to debug any critical kernel component, and even to single-step the execution of exception and interrupt handlers.

  • Dynamic and Transparent Analysis of Commodity Production Systems
    Proceedings of the IEEE ACM international conference on Automated software engineering - ASE '10, 2010
    Co-Authors: Aristide Fattori, Roberto Paleari, Lorenzo Martignoni, Mattia Monga
    Abstract:

    We propose a framework that provides a programming interface to perform complex dynamic system-level analyses of deployed production systems. By leveraging hardware support for virtualization, available nowadays on all commodity machines, our framework is completely transparent to the system under analysis and it guarantees isolation of the analysis tools running on top of it. Thus, the internals of the kernel of the running system need not be modified and the whole platform runs unaware of the framework. Moreover, errors in the analysis tools do not affect the running system or the framework. This is accomplished by installing a minimalistic virtual machine monitor and migrating the system, as it runs, into a virtual machine. In order to demonstrate the potential of our framework we developed an interactive kernel debugger, nicknamed HyperDbg. HyperDbg can be used to debug any critical kernel component, and even to single-step the execution of exception and interrupt handlers.

Aristide Fattori - One of the best experts on this subject based on the ideXlab platform.

  • ASE - Dynamic and transparent analysis of commodity production systems
    Proceedings of the IEEE ACM international conference on Automated software engineering - ASE '10, 2010
    Co-Authors: Aristide Fattori, Roberto Paleari, Lorenzo Martignoni, Mattia Monga
    Abstract:

    We propose a framework that provides a programming interface to perform complex dynamic system-level analyses of deployed production systems. By leveraging hardware support for virtualization, available nowadays on all commodity machines, our framework is completely transparent to the system under analysis and it guarantees isolation of the analysis tools running on top of it. Thus, the internals of the kernel of the running system need not be modified and the whole platform runs unaware of the framework. Moreover, errors in the analysis tools do not affect the running system or the framework. This is accomplished by installing a minimalistic virtual machine monitor and migrating the system, as it runs, into a virtual machine. In order to demonstrate the potential of our framework we developed an interactive kernel debugger, named HyperDbg. HyperDbg can be used to debug any critical kernel component, and even to single-step the execution of exception and interrupt handlers.

  • Dynamic and Transparent Analysis of Commodity Production Systems
    Proceedings of the IEEE ACM international conference on Automated software engineering - ASE '10, 2010
    Co-Authors: Aristide Fattori, Roberto Paleari, Lorenzo Martignoni, Mattia Monga
    Abstract:

    We propose a framework that provides a programming interface to perform complex dynamic system-level analyses of deployed production systems. By leveraging hardware support for virtualization, available nowadays on all commodity machines, our framework is completely transparent to the system under analysis and it guarantees isolation of the analysis tools running on top of it. Thus, the internals of the kernel of the running system need not be modified and the whole platform runs unaware of the framework. Moreover, errors in the analysis tools do not affect the running system or the framework. This is accomplished by installing a minimalistic virtual machine monitor and migrating the system, as it runs, into a virtual machine. In order to demonstrate the potential of our framework we developed an interactive kernel debugger, nicknamed HyperDbg. HyperDbg can be used to debug any critical kernel component, and even to single-step the execution of exception and interrupt handlers.

Roberto Paleari - One of the best experts on this subject based on the ideXlab platform.

  • DEALING WITH NEXT-GENERATION MALWARE
    Università degli Studi di Milano, 2011
    Co-Authors: Roberto Paleari
    Abstract:

    Malicious programs are a serious problem that threatens the security of billions of Internet users. Today's malware authors are motivated by the easy financial gain they can obtain by selling on the underground market the information stolen from infected hosts. To maximize their profit, miscreants continuously improve their creations to make them more and more resilient against anti-malware solutions. This increasing sophistication in malicious code led to next-generation malware, a new class of threats that exploit the limitations of state-of-the-art anti-malware products to bypass security protections and eventually evade detection. Unfortunately, current anti-malware technologies are inadequate to face next-generation malware. For this reason, in this dissertation we propose novel techniques to address the shortcomings of defensive technologies and to enhance current state-of-the-art security solutions. Dynamic behavior-based analysis is a very promising approach to automatically understand the behaviors a malicious program may exhibit at run-time. However, behavior-based solutions still present several limitations. First of all, these techniques may give incomplete results because the execution environments in which they are applied are synthetic and do not faithfully resemble the environments of end-users, the intended targets of the malicious activities. To overcome this problem, we present a new framework for improving behavior-based analysis of suspicious programs, which allows an end-user to delegate to security labs the execution and the analysis of a program and to force the program to behave as if it were executed directly in the environment of the end-user.
    Our evaluation demonstrated that the proposed framework allows security labs to improve the completeness of the analysis, by analyzing a piece of malware on behalf of multiple end-users simultaneously, while performing a fine-grained analysis of the behavior of the program with no computational cost for the end-users. Another drawback of state-of-the-art defensive solutions is non-transparency: malicious programs are often able to determine that their execution is being monitored, and thus they can tamper with the analysis to avoid detection, or simply behave innocuously to mislead the anti-malware tool. To this end, we propose a generic framework to perform complex dynamic system-level analyses of deployed production systems. By leveraging hardware support for virtualization, available nowadays on all commodity machines, our framework is completely transparent to the system under analysis and it guarantees isolation of the analysis tools running on top of it. The internals of the kernel of the running system need not be modified and the whole platform runs unaware of the framework. Once the framework has been installed, even kernel-level malware cannot detect it or affect its execution. This is accomplished by installing a minimalistic virtual machine monitor and migrating the system, as it runs, into a virtual machine. To demonstrate the potential of our framework we developed an interactive kernel debugger, named HyperDbg. As HyperDbg can be used to monitor any critical system component, it is suitable for analyzing even malicious programs that include kernel-level modules. Despite all the progress anti-malware technologies can make, perfect malware detection remains an undecidable problem. When it is not possible to prevent a malicious threat from infecting a system, post-infection remediation remains the only viable possibility.
    However, if the machine has already been compromised, the execution of the remediation tool could be tampered with by the malware that is running on the system. To address this problem we present Conqueror, a software-based attestation scheme for tamper-proof code execution on untrusted legacy systems. Besides providing load-time attestation of a piece of code, Conqueror also ensures run-time integrity. Conqueror constitutes a valid alternative to trusted computing platforms for systems lacking specialized hardware for attestation. We implemented a prototype, specific to the Intel x86 architecture, and evaluated the proposed scheme. Our evaluation showed that, compared to competitors, Conqueror is resistant to both static and dynamic attacks. We believe Conqueror and our transparent dynamic analysis framework constitute important building blocks for creating new security applications. To demonstrate this claim, we leverage the aforementioned solutions to realize HyperSleuth, an infrastructure to securely perform live forensic analysis of potentially compromised production systems. HyperSleuth provides a trusted execution environment that guarantees an attacker controlling the system cannot interfere with the analysis and cannot tamper with the results. The framework can be installed as the system runs, without a reboot and without losing any volatile data. Moreover, the analysis can be periodically and safely interrupted to resume normal execution of the system. On top of HyperSleuth we implemented three forensic analysis tools: a lazy physical memory dumper, a lie detector, and a system call tracer. The experimental evaluation we conducted demonstrated that even time-consuming analyses, such as dumping the content of physical memory, can be securely performed without interrupting the services offered by the system.

  • ASE - Dynamic and transparent analysis of commodity production systems
    Proceedings of the IEEE ACM international conference on Automated software engineering - ASE '10, 2010
    Co-Authors: Aristide Fattori, Roberto Paleari, Lorenzo Martignoni, Mattia Monga
    Abstract:

    We propose a framework that provides a programming interface to perform complex dynamic system-level analyses of deployed production systems. By leveraging hardware support for virtualization, available nowadays on all commodity machines, our framework is completely transparent to the system under analysis and it guarantees isolation of the analysis tools running on top of it. Thus, the internals of the kernel of the running system need not be modified and the whole platform runs unaware of the framework. Moreover, errors in the analysis tools do not affect the running system or the framework. This is accomplished by installing a minimalistic virtual machine monitor and migrating the system, as it runs, into a virtual machine. In order to demonstrate the potential of our framework we developed an interactive kernel debugger, named HyperDbg. HyperDbg can be used to debug any critical kernel component, and even to single-step the execution of exception and interrupt handlers.

  • Dynamic and Transparent Analysis of Commodity Production Systems
    Proceedings of the IEEE ACM international conference on Automated software engineering - ASE '10, 2010
    Co-Authors: Aristide Fattori, Roberto Paleari, Lorenzo Martignoni, Mattia Monga
    Abstract:

    We propose a framework that provides a programming interface to perform complex dynamic system-level analyses of deployed production systems. By leveraging hardware support for virtualization, available nowadays on all commodity machines, our framework is completely transparent to the system under analysis and it guarantees isolation of the analysis tools running on top of it. Thus, the internals of the kernel of the running system need not be modified and the whole platform runs unaware of the framework. Moreover, errors in the analysis tools do not affect the running system or the framework. This is accomplished by installing a minimalistic virtual machine monitor and migrating the system, as it runs, into a virtual machine. In order to demonstrate the potential of our framework we developed an interactive kernel debugger, nicknamed HyperDbg. HyperDbg can be used to debug any critical kernel component, and even to single-step the execution of exception and interrupt handlers.

Lorenzo Martignoni - One of the best experts on this subject based on the ideXlab platform.

  • ASE - Dynamic and transparent analysis of commodity production systems
    Proceedings of the IEEE ACM international conference on Automated software engineering - ASE '10, 2010
    Co-Authors: Aristide Fattori, Roberto Paleari, Lorenzo Martignoni, Mattia Monga
    Abstract:

    We propose a framework that provides a programming interface to perform complex dynamic system-level analyses of deployed production systems. By leveraging hardware support for virtualization, available nowadays on all commodity machines, our framework is completely transparent to the system under analysis and it guarantees isolation of the analysis tools running on top of it. Thus, the internals of the kernel of the running system need not be modified and the whole platform runs unaware of the framework. Moreover, errors in the analysis tools do not affect the running system or the framework. This is accomplished by installing a minimalistic virtual machine monitor and migrating the system, as it runs, into a virtual machine. In order to demonstrate the potential of our framework we developed an interactive kernel debugger, named HyperDbg. HyperDbg can be used to debug any critical kernel component, and even to single-step the execution of exception and interrupt handlers.

  • Dynamic and Transparent Analysis of Commodity Production Systems
    Proceedings of the IEEE ACM international conference on Automated software engineering - ASE '10, 2010
    Co-Authors: Aristide Fattori, Roberto Paleari, Lorenzo Martignoni, Mattia Monga
    Abstract:

    We propose a framework that provides a programming interface to perform complex dynamic system-level analyses of deployed production systems. By leveraging hardware support for virtualization, available nowadays on all commodity machines, our framework is completely transparent to the system under analysis and it guarantees isolation of the analysis tools running on top of it. Thus, the internals of the kernel of the running system need not be modified and the whole platform runs unaware of the framework. Moreover, errors in the analysis tools do not affect the running system or the framework. This is accomplished by installing a minimalistic virtual machine monitor and migrating the system, as it runs, into a virtual machine. In order to demonstrate the potential of our framework we developed an interactive kernel debugger, nicknamed HyperDbg. HyperDbg can be used to debug any critical kernel component, and even to single-step the execution of exception and interrupt handlers.

David A. Solomon - One of the best experts on this subject based on the ideXlab platform.

  • Windows Internals - Parts 1 and 2
    2012
    Co-Authors: Mark Russinovich, David A. Solomon, Alex Ionescu
    Abstract:

    Delve inside Windows architecture and internals, and see how core components work behind the scenes. Led by three renowned internals experts, this classic guide is fully updated for Windows 7 and Windows Server 2008 R2. As always, you get critical insider perspectives on how Windows operates. And through hands-on experiments, you'll experience its internal behavior firsthand: knowledge you can apply to improve application design, debugging, system performance, and support. You will:
      • Understand how core system and management mechanisms work, including the object manager, synchronization, Wow64, Hyper-V, and the registry
      • Examine the data structures and activities behind processes, threads, and jobs
      • Go inside the Windows security model to see how it manages access, auditing, and authorization
      • Explore the Windows networking stack from top to bottom, including APIs, BranchCache, protocol and NDIS drivers, and layered services
      • Dig into internals hands-on using the Kernel Debugger, performance monitor, and other tools
      • Explore core subsystems for I/O, storage, memory management, cache manager, and file systems
      • Master startup and shutdown processes
      • Learn crash-dump analysis, including troubleshooting tools and techniques

  • Windows® Internals, Part 1: Covering Windows Server® 2008 R2 and Windows 7
    2012
    Co-Authors: Mark Russinovich, David A. Solomon, Alex Ionescu
    Abstract:

    Delve inside Windows architecture and internals, and see how core components work behind the scenes. Led by three renowned internals experts, this classic guide is fully updated for Windows 7 and Windows Server 2008 R2, and now presents its coverage in two volumes. As always, you get critical insider perspectives on how Windows operates. And through hands-on experiments, you'll experience its internal behavior firsthand: knowledge you can apply to improve application design, debugging, system performance, and support. In Part 1, you will:
      • Understand how core system and management mechanisms work, including the object manager, synchronization, Wow64, Hyper-V, and the registry
      • Examine the data structures and activities behind processes, threads, and jobs
      • Go inside the Windows security model to see how it manages access, auditing, and authorization
      • Explore the Windows networking stack from top to bottom, including APIs, BranchCache, protocol and NDIS drivers, and layered services
      • Dig into internals hands-on using the Kernel Debugger, performance monitor, and other tools
    NOTE: Part 2 available Fall 2012

  • Windows® Internals: Including Windows Server 2008 and Windows Vista, Fifth Edition
    2009
    Co-Authors: Mark Russinovich, David A. Solomon
    Abstract:

    See how the core components of the Windows operating system work behind the scenes, guided by a team of internationally renowned internals experts. Fully updated for Windows Server 2008 and Windows Vista, this classic guide delivers key architectural insights on system design, debugging, performance, and support, along with hands-on experiments to experience Windows internal behavior firsthand. Delve inside Windows architecture and internals:
      • Understand how the core system and management mechanisms work, from the object manager to services to the registry
      • Explore internal system data structures using tools like the Kernel Debugger
      • Grasp the scheduler's priority and CPU placement algorithms
      • Go inside the Windows security model to see how it authorizes access to data
      • Understand how Windows manages physical and virtual memory
      • Tour the Windows networking stack from top to bottom, including APIs, protocol drivers, and network adapter drivers
      • Troubleshoot file-system access problems and system boot problems
      • Learn how to analyze crashes