HyperLink: Virtual Machine Introspection and Memory Forensic Analysis without Kernel Source Code

Virtual Machine Introspection (VMI) is an approach to inspecting and analyzing the software running inside a virtual machine from the hypervisor. Similarly, memory forensics analyzes the memory snapshots or dumps to understand the runtime state of a physical or virtual machine. The existing VMI and memory forensic tools rely on up-to-date kernel information of the target operating system (OS) to work properly, which often requires the availability of the kernel source code. This requirement prevents these tools from being widely deployed in real cloud environments. In this paper, we present a VMI tool called HyperLink that partially retrieves running process information from a guest virtual machine without its source code. While current introspection and memory forensic solutions support only one or a limited number of kernel versions of the target OS, HyperLink is a one-for-many introspection and forensic tool, i.e., it supports most, if not all, popular OSes regardless of their versions. We implement both online and offline versions of HyperLink.We validate the efficacy of HyperLink under different versions of Linux, Windows, FreeBSD, and Mac OS X. For all the OSes we tested, HyperLink can successfully retrieve the process information in one minute or several seconds. Through online and offline analyses, we demonstrate that HyperLink can help users detect real-world kernel rootkits and play an important role in intrusion detection. Due to its version-agnostic property, HyperLink could become the first introspection and forensic tool that works well in autonomic cloud computing environments

Structures and stability of medium silicon clusters. II. Ab initio molecular orbital calculations of Si\u3csub\u3e12\u3c/sub\u3e–Si\u3csub\u3e20\u3c/sub\u3e

Ab initio all-electron molecular-orbital calculations are carried out to study the structures and relative stability of low-energy silicon clusters (Sin , n=12– 20). Selected geometric isomers include those predicted by Ho et al. [Nature (London) 392, 582 (1998)] based on an unbiased search with tight-binding/genetic algorithm, as well as those found by Rata et al. [Phys. Rev. Lett. 85, 546 (2000)] based on density-functional tight-binding/single-parent evolution algorithm. These geometric isomers are optimized at the Møller–Plesset (MP2) MP2/6-31G(d) level. The single-point energy at the coupled-cluster single and double substitutions (including triple excitations) [CCSD(T)] CCSD(T)/6-31G(d) level for several low-lying isomers are further computed. Harmonic vibrational frequency analysis at the MP2/6-31G(d) level of theory is also undertaken to assure that the optimized geometries are stable. For Si12–Si17 and Si19 the isomer with the lowest-energy at the CCSD(T)/6-31G(d) level is the same as that predicted by Ho et al., whereas for Si18 and Si20 , the same as predicted by Rata et al. However, for Si14 and Si15 , the vibrational frequency analysis indicates that the isomer with the lowest CCSD(T)/6-31G(d) single-point energy gives rise to imaginary frequencies. Small structural perturbation onto the Si14 and Si15 isomers can remove the imaginary frequencies and results in new isomers with slightly lower MP2/6-31G(d) energy; however the new isomers have a higher single-point energy at the CCSD(T)/6-31G(d) level. For most Sin (n=12– 18,20) the low-lying isomers are prolate in shape, whereas for Si19 a spherical-like isomer is slightly lower in energy at the CCSD(T)/6-31G(d) level than low-lying prolate isomers

Structures and stability of medium silicon clusters. II. Ab initio molecular orbital calculations of Si\u3csub\u3e12\u3c/sub\u3e–Si\u3csub\u3e20\u3c/sub\u3e

Ab initio all-electron molecular-orbital calculations are carried out to study the structures and relative stability of low-energy silicon clusters (Sin , n=12– 20). Selected geometric isomers include those predicted by Ho et al. [Nature (London) 392, 582 (1998)] based on an unbiased search with tight-binding/genetic algorithm, as well as those found by Rata et al. [Phys. Rev. Lett. 85, 546 (2000)] based on density-functional tight-binding/single-parent evolution algorithm. These geometric isomers are optimized at the Møller–Plesset (MP2) MP2/6-31G(d) level. The single-point energy at the coupled-cluster single and double substitutions (including triple excitations) [CCSD(T)] CCSD(T)/6-31G(d) level for several low-lying isomers are further computed. Harmonic vibrational frequency analysis at the MP2/6-31G(d) level of theory is also undertaken to assure that the optimized geometries are stable. For Si12–Si17 and Si19 the isomer with the lowest-energy at the CCSD(T)/6-31G(d) level is the same as that predicted by Ho et al., whereas for Si18 and Si20 , the same as predicted by Rata et al. However, for Si14 and Si15 , the vibrational frequency analysis indicates that the isomer with the lowest CCSD(T)/6-31G(d) single-point energy gives rise to imaginary frequencies. Small structural perturbation onto the Si14 and Si15 isomers can remove the imaginary frequencies and results in new isomers with slightly lower MP2/6-31G(d) energy; however the new isomers have a higher single-point energy at the CCSD(T)/6-31G(d) level. For most Sin (n=12– 18,20) the low-lying isomers are prolate in shape, whereas for Si19 a spherical-like isomer is slightly lower in energy at the CCSD(T)/6-31G(d) level than low-lying prolate isomers