
Exploiting system call interfaces to observe attackers in virtual machines

Posted on: 2009-04-14
Degree: M.A.Sc
Type: Thesis
University: Royal Military College of Canada (Canada)
Candidate: Major, Daniel Jonas
Full Text: PDF
GTID: 2448390002993915
Subject: Computer Science
Abstract/Summary:
Computer network defence capabilities are enhanced by the ability to observe attackers in compromised computers. A fundamental limitation of conducting this observation in the same operating system (OS) that an attacker has compromised---that observation tools risk being detected and subverted by a sophisticated attacker---has prompted recent research to explore raising the compromised OS into a virtual machine and moving the observation tools into the underlying virtual machine monitor. This arrangement provides observation tools with strong security guarantees but limits their access to the OS's abstractions, and thus severely degrades the quality of information that can be observed---a problem known as the semantic gap.

Current approaches to overcoming the semantic gap are not suitable for observing an attacker's programs in a virtual machine, primarily because they require either an agent in the compromised OS or prior knowledge of the OS's internal implementation. This thesis introduces two techniques that are more appropriate for attacker observation: the first offers a new method for passively intercepting and reconstructing a program's system calls, and the second technique offers a way to actively query an OS for information about its programs. Validation is provided by comparing the information acquired using prototype implementations of these techniques to that which is available from within the OS.

Keywords: virtual machine introspection, semantic gap, Xen.
Keywords/Search Tags: Virtual machine, System