Introspect Virtual Machines Like It Is the Linux Kernel!

  • Conference paper
  • In: Detection of Intrusions and Malware, and Vulnerability Assessment (DIMVA 2021)

Abstract

Virtual machine introspection (VMI) allows a monitoring application, usually running in a separate virtual machine on the same host, to peek into a guest virtual machine and to inspect and modify both the registers and the memory state of that guest. It has gained popularity in malware analysis, software reverse engineering, and intrusion detection systems. However, VMI comes with a huge overhead, which not only wastes resources but also can tip off malware that VMI is being used.

In this paper, we present an approach that significantly improves the performance of VMI. Our work eliminates a large number of context switches between the monitored guest system, the hypervisor, and the monitoring application. Our approach moves the management of tracing directly into the hypervisor and uses asynchronous events between the hypervisor and the monitoring process to minimize the performance impact of tracing without losing functionality. We show that our approach reduces the main bottlenecks of introspection by more than an order of magnitude compared to the popular approach using LibVMI and the Xen hypervisor.
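To make the context-switch argument above concrete, the following is an added illustrative model written for this page; it is not the paper's code and does not reproduce the authors' hypervisor changes. It assumes a 64-slot single-producer/single-consumer ring shared between the hypervisor and the monitor, an edge-triggered notification that fires only when the ring goes from empty to non-empty, a monitor that drains the ring once per burst of guest events, and a vCPU pause whenever the ring is full so that no event is ever dropped. The function names (run_synchronous, run_asynchronous) and the burst workloads are constructed for the example.

```c
/*
 * Illustrative model (added here; not code from the paper): count the
 * hypervisor<->monitor transitions needed to deliver a stream of trace
 * events in two ways.
 *  - synchronous: the vCPU is paused on every event until the monitor has
 *    handled it, so each event costs one notification and one resume.
 *  - asynchronous: the hypervisor appends events to a shared ring and only
 *    signals the monitor when the ring goes from empty to non-empty; the
 *    monitor drains the ring in batches. The vCPU is paused only when the
 *    ring is full, which keeps delivery lossless.
 * Assumptions (not from the paper): 64-slot ring, one vCPU, and a monitor
 * that drains the ring once per burst of events.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define RING_SLOTS 64u                      /* assumption: power of two */

struct trace_event {
    uint32_t vcpu;
    uint64_t rip;
};

/* Single-producer (hypervisor) / single-consumer (monitor) ring.
 * prod and cons are free-running counters; their difference is the fill level. */
struct event_ring {
    struct trace_event slot[RING_SLOTS];
    uint32_t prod;
    uint32_t cons;
};

struct stats {
    unsigned notifications;  /* hypervisor -> monitor signals */
    unsigned resumes;        /* monitor -> hypervisor "resume vCPU" requests */
    unsigned stalls;         /* vCPU pauses because the ring was full */
    unsigned delivered;      /* events the monitor actually processed */
};

static bool ring_empty(const struct event_ring *r) { return r->prod == r->cons; }

static bool ring_push(struct event_ring *r, const struct trace_event *e)
{
    if (r->prod - r->cons == RING_SLOTS)
        return false;                       /* full: caller must stall, never drop */
    r->slot[r->prod & (RING_SLOTS - 1)] = *e;
    r->prod++;
    return true;
}

/* Monitor side: process everything currently in the ring, return the count. */
static unsigned ring_drain(struct event_ring *r)
{
    unsigned n = 0;
    while (!ring_empty(r)) {
        struct trace_event e = r->slot[r->cons & (RING_SLOTS - 1)];
        (void)e;                            /* a real monitor would decode e.rip here */
        r->cons++;
        n++;
    }
    return n;
}

/* bursts[i] = number of trace events the guest generates in burst i. */
struct stats run_synchronous(const unsigned *bursts, size_t nbursts)
{
    struct stats s = {0, 0, 0, 0};
    for (size_t b = 0; b < nbursts; b++) {
        for (unsigned i = 0; i < bursts[b]; i++) {
            s.notifications++;              /* vCPU paused, monitor woken */
            s.delivered++;                  /* monitor handles this single event */
            s.resumes++;                    /* monitor asks hypervisor to resume */
        }
    }
    return s;
}

struct stats run_asynchronous(const unsigned *bursts, size_t nbursts)
{
    struct event_ring ring;
    struct stats s = {0, 0, 0, 0};
    uint64_t rip = 0xffffffff81000000ULL;   /* constructed sample guest address */
    memset(&ring, 0, sizeof ring);

    for (size_t b = 0; b < nbursts; b++) {
        for (unsigned i = 0; i < bursts[b]; i++) {
            struct trace_event e = {0, rip + 16 * i};
            bool was_empty = ring_empty(&ring);
            if (!ring_push(&ring, &e)) {
                /* Ring full: pause the vCPU until the monitor has drained it. */
                s.stalls++;
                s.delivered += ring_drain(&ring);
                s.resumes++;
                was_empty = true;           /* ring is empty again after the drain */
                (void)ring_push(&ring, &e); /* cannot fail now */
            }
            if (was_empty)
                s.notifications++;          /* edge-triggered signal to the monitor */
        }
        /* Burst over: the monitor, woken by the notification, drains the ring. */
        s.delivered += ring_drain(&ring);
    }
    return s;
}

/* Constructed workloads: a few short bursts, and one burst longer than the ring. */
static const unsigned sample_bursts[] = {10, 1, 5};
static const unsigned long_burst[] = {100};

int main(void)
{
    struct stats a = run_synchronous(sample_bursts, 3);
    struct stats b = run_asynchronous(sample_bursts, 3);
    struct stats c = run_asynchronous(long_burst, 1);
    printf("sync : %u notifications, %u resumes, %u delivered\n", a.notifications, a.resumes, a.delivered);
    printf("async: %u notifications, %u resumes, %u delivered\n", b.notifications, b.resumes, b.delivered);
    printf("async (ring overflow): %u notifications, %u stalls, %u delivered\n", c.notifications, c.stalls, c.delivered);
    return 0;
}
```

For the three-burst workload the synchronous model costs 16 notifications and 16 resumes for 16 events, while the asynchronous model costs 3 notifications and no resumes. For the 100-event burst the ring overflows once, costing one stall and one extra notification while still delivering all 100 events. That stall path is the caveat a practitioner should keep in mind: the ring must be sized for the expected burst, otherwise a busy guest degrades back toward the synchronous cost.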

Notes

  1. https://github.com/libvmi/libvmi.

  2. https://xenbits.xen.org/gitweb/?p=xen.git.

  3. https://github.com/volatilityfoundation/volatility.git.

  4. While Xen provides a hypercall to toggle single stepping, it also allows that toggle to be piggy-backed on the “Resume” response that returns control from Dom0 to Xen, so that no separate hypercall is needed. Our baseline measurements for LibVMI in Sect. 7 use that optimization and are nevertheless significantly slower than our proposed method.

  5. https://github.com/kdlucas/byte-unixbench (accessed 2021-05-10).

  6. https://github.com/kdlucas/byte-unixbench (accessed 2021-05-10).

Acknowledgements

This work has been funded by the Deutsche Forschungsgemeinschaft (DFG, German Research Foundation) – 361891819 (ARADIA).

Author information

Corresponding author: Ahmed Abdelraoof.

Appendix

See Table 1.

Table 1. Unix benchmark results (average of 5 runs in default configuration, results scaled by 1/1000).

Copyright information

© 2021 Springer Nature Switzerland AG

About this paper

Cite this paper

Abdelraoof, A., Taubmann, B., Dangl, T., Reiser, H.P. (2021). Introspect Virtual Machines Like It Is the Linux Kernel!. In: Bilge, L., Cavallaro, L., Pellegrino, G., Neves, N. (eds) Detection of Intrusions and Malware, and Vulnerability Assessment. DIMVA 2021. Lecture Notes in Computer Science(), vol 12756. Springer, Cham. https://doi.org/10.1007/978-3-030-80825-9_13

  • DOI: https://doi.org/10.1007/978-3-030-80825-9_13

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-80824-2

  • Online ISBN: 978-3-030-80825-9
