Towards Implicitly Thwarting Stealth Malware with a Feather-Weight Hypervisor
Abstract
Stealth malware has become a fatal threat to PC platforms. Existing host-based security solutions have difficulty thwarting privileged malware, while previous hypervisor-based systems cannot protect preinstalled OSes because they have to introduce a heavyweight hypervisor layer and reinstall the OSes. In this paper, we propose a novel feather-weight hardware-assisted hypervisor, called ScalerVisor, to detect and clear stealth malware. ScalerVisor offers four distinct advantages: preinstalled commodity OS compatibility, implicit detection of stealth malware, hypervisor-layer malware clearing and non-bypassable self-protection. Unlike typical hypervisors, ScalerVisor can be deployed without reinstalling the OS. By intercepting the low-level interactions between the OS and the hardware, ScalerVisor is decoupled from explicit OS implementation information, which privileged malware can subvert. To the best of our knowledge, ScalerVisor is the first approach that can manipulate various OS resources at a feather-weight hypervisor layer. ScalerVisor can also remove malicious files without the help of the OS. In addition, ScalerVisor can protect itself in a non-bypassable way. Our functionality evaluation shows that ScalerVisor can impede more stealth malware than existing detectors, while the performance evaluation shows that desktop-oriented workloads achieve 93.28% of native speed on average.
Keywords
Hypervisor; Stealth malware; Hardware-assisted hypervisor
Citation Format:
Yan Wen, Jin-Jing Zhao, Min-Huan Huang, Hua Chen, Dong-Xia Wang, "Towards Implicitly Thwarting Stealth Malware with a Feather-Weight Hypervisor," Journal of Internet Technology, vol. 12, no. 4, pp. 637-645, Jul. 2011.
Published by Executive Committee, Taiwan Academic Network, Ministry of Education, Taipei, Taiwan, R.O.C
JIT Editorial Office, Office of Library and Information Services, National Dong Hwa University
No. 1, Sec. 2, Da Hsueh Rd., Shoufeng, Hualien 974301, Taiwan, R.O.C.
Tel: +886-3-931-7314 E-mail: jit.editorial@gmail.com