HITB SecConf 2009 Malaysia: eKimono: A Malware Scanner for Virtual Machines 1/7

Clip 1/7 Speaker: Nguyen Anh Quynh (Researcher, Japan National Institute of Advanced Industrial Science and Technology) This talk presents eKimono, a new malware scanner for Virtual Machine (VM). By putting eKimono outside of the protected VM, we can fix, or raise the bar in other cases, the most significant flaws in the legacy anti-malware solutions. Advantages offered by our scanner include, but not limited to, the followings: firstly, eKimono is tamper-resistant against malware inside VM, even if the malware compromises the VMs kernel. Secondly, it is harder to be fooled, because eKimono does not rely on the services provided by VM. Last, but not least, our scanner is invisible from VM, so that malware inside never know that they are being monitored. The architecture and implementation of eKimono will be discussed in length. We will show how our scanner easily supports hypervisors like Xen, KVM and QEMU out-of-the-box. The talk will also demonstrate that it is trivial to support other types of VM, such as VMWare, thanks to its extremely flexible design. Technically, eKimono is a top component of a multiple framework architecture. The talk analyses all the layers and explains how we solve challenges in designing and implementing eKimono. The extended application of the below layers is also examined to prove that our frameworks are not just useful for eKimono, but can also be the base to create many new tools, such as such as live memory forensic and VM administration
Video Rating: 0 / 5

Leave a Comment