
A Sandbox Mechanism Based On Light-weight Virtualization

Posted on: 2013-10-18
Degree: Master
Type: Thesis
Country: China
Candidate: Y J Xie
GTID: 2248330395485079
Subject: Software engineering

Abstract/Summary:
As the Internet becomes more widespread, the illegal behaviors caused by malware become more and more frequent and serious. Because current malicious-code analysis software and detection mechanisms have many shortcomings, a novel method called the sandbox, which provides a highly isolated environment in which to run a suspicious program, is favored by many institutions and organizations.

By analyzing the status quo of sandboxes, this paper proposes a novel sandbox mechanism, called VMSandbox, which is based on lightweight virtualization technology. VMSandbox has four advantages over traditional sandboxes. First, the simplicity of its code base not only ensures acceptable performance for programs running inside it, but also provides internal reliability. Second, its fast-rollback policy can launch a process for restoring files or registers that have been tampered with by malicious software. Third, by monitoring low-level APIs, VMSandbox provides deeper protection for isolating malware. Fourth, VMSandbox has a tailor-made mechanism to secure the information exchange between different modules, which further improves the reliability of the whole system. The four points are implemented as four modules, named respectively LightVM, TransBackup, DeepIsolation and Safecom.

This paper implements VMSandbox on the Windows platform and presents the related details. Specifically, VMSandbox first provides the processes and threads running in the target program with a basic operating environment, and then implements file re-direction, register re-direction, behavior monitoring and the recording of resource access. Through extensive experiments, this paper verifies that VMSandbox is able to provide a safe operating environment to users with a tiny performance penalty, to protect the host environment from being damaged by malware, and to provide a fast rollback mechanism.
Keywords/Search Tags: Computer security, Sandbox, Virtualization