Abstract
Virtual machine introspection (VMI) allows a monitoring application, usually running in a separate virtual machine on the same host, to peek into another guest virtual machine on that host and to inspect and modify both the registers and the memory state of the guest. It has gained popularity in malware analysis, software reverse engineering, and intrusion detection systems. However, VMI comes with a large overhead, which not only wastes resources but can also tip off malware that VMI is in use.
In this paper, we present an approach that significantly improves the performance of VMI. Our work eliminates a large number of context switches between the monitored guest system, the hypervisor, and the monitoring application. Our approach implements the management of tracing directly in the hypervisor and uses asynchronous events between the hypervisor and the monitoring process to minimize the performance impact of tracing without losing functionality. We show that our approach reduces the main bottlenecks of introspection by more than an order of magnitude compared to the popular approach of using LibVMI on the Xen hypervisor.
Notes
- 1.
- 2.
- 3.
- 4. While there is a hypercall in Xen to toggle single stepping, Xen also offers the possibility to piggy-back that operation on the return (“Resume”) from Dom0 to Xen. Our baseline measurements for LibVMI in Sect. 7 make use of that optimization, but are nevertheless significantly slower than our proposed optimized method.
- 5. https://github.com/kdlucas/byte-unixbench (accessed 2021-05-10).
- 6. https://github.com/kdlucas/byte-unixbench (accessed 2021-05-10).
Acknowledgements
This work has been funded by the Deutsche Forschungsgemeinschaft (DFG, German Research Foundation) – 361891819 (ARADIA).
Appendix
See Table 1.
Copyright information
© 2021 Springer Nature Switzerland AG
Cite this paper
Abdelraoof, A., Taubmann, B., Dangl, T., Reiser, H.P. (2021). Introspect Virtual Machines Like It Is the Linux Kernel! In: Bilge, L., Cavallaro, L., Pellegrino, G., Neves, N. (eds) Detection of Intrusions and Malware, and Vulnerability Assessment. DIMVA 2021. Lecture Notes in Computer Science, vol 12756. Springer, Cham. https://doi.org/10.1007/978-3-030-80825-9_13
DOI: https://doi.org/10.1007/978-3-030-80825-9_13
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-80824-2
Online ISBN: 978-3-030-80825-9
eBook Packages: Computer Science, Computer Science (R0)