Dr. Sebastian Vogl


now at FireEye, Senior Software Engineer

Research Interests

I am interested in malware detection, web security, and operating system security. However, my research is centered on the field of virtual machine introspection (VMI). In particular, I am trying to devise novel techniques to trap in-guest events to the hypervisor and to create practical detection methods that are capable of identifying malware more reliably.

Currently, my research is focused on in-guest VMI approaches, that is, VMI mechanisms that operate from within the guest system rather than on the hypervisor level. By placing detection mechanisms into the guest system, we can effectively circumvent many existing problems within the field of VMI such as the semantic gap or the interception of in-guest events. However, these advantages come at a cost. By placing security mechanisms into the guest system, we break one of the fundamental security properties that virtualization provides: isolation. This makes in-guest VMI approaches particularly interesting for research in the field of information security, since one faces the big security challenge of protecting an in-guest VMI component within an untrusted guest system.

X-TIER: Kernel Module Injection

X-TIER enables security applications residing within the hypervisor to inject kernel modules, also referred to as kernel drivers, into a running virtual machine (VM). An injected module will thereby, similar to a module that was loaded by the operating system (OS), be able to access all exported guest OS data structures and functions. In contrast to a normally loaded module, however, an injected module will be inaccessible to any other code residing within the VM. Even in the case that the injected module invokes a guest OS function, the function will neither be aware of the existence of the module nor be able to access any data of the module besides its function arguments. In fact, if a module constrains itself to only reading state information, its execution leaves no detectable traces within the VM (with the exception of timing attacks). A module may, however, apply selective changes to the state, for example, to remove a rootkit from a compromised system. Consequently, X-TIER provides a secure and elegant way for hypervisor-based security applications to bridge the semantic gap.

X-TIER is published as an open source project on Google Code. For additional information you may also consider reading our paper about X-TIER.

Persistent Data-Only Malware

We propose a new malware form that provides persistence without requiring the introduction of a single instruction to the victim's machine. To achieve this, the malware makes use of data-only techniques such as return-oriented programming and uses the existing instructions of the system against it. In contrast to previous work, the proposed data-only malware is capable of intercepting and reacting to events within the system. This property is essential for malware as it would otherwise be unable to protect itself against anti-virus software or fulfill simple tasks such as keylogging.

We implemented a proof of concept (POC) of a data-only rootkit for the Linux 3.8 kernel. In our POC we use a real vulnerability to load the rootkit and solely rely on already existing instructions within kernel space to implement the rootkit's functionality. The rootkit is capable of keylogging, process hiding, and file hiding.


2014
Code Validation for Modern OS Kernels
Scalability, Fidelity and Stealth in the DRAKVUF Dynamic Malware Analysis System
Dynamic Hooks: Hiding Control Flow Changes within Non-Control Data
Persistent Data-only Malware: Function Hooks without Code

2013
X-TIER: Kernel Module Injection

2012
Using Hardware Performance Events for Instruction-Level Monitoring on the x86 Architecture