Retrofitting AMD x86 Processors with Active Virtual Machine Introspection Capabilities

  • Conference paper
Architecture of Computing Systems (ARCS 2023)

Part of the book series: Lecture Notes in Computer Science ((LNCS,volume 13949))

Abstract

Active virtual machine introspection mechanisms intercept the control flow of a virtual machine running on top of a hypervisor. They enable external tools to monitor and inspect the state at predetermined locations of interest synchronous to the execution of the system. Such mechanisms, in particular, require support from the processor vendor by facilitating interpositioning. This support is missing on AMD x86 processors, leading to inferior introspection solutions. We outline implicit assumptions about active introspection mechanisms in previous work, offer constructions for solution strategies on AMD systems and discuss stealthiness and correctness. Finally, we show empirically that such retrofitted software solutions exhibit performance metrics in the same order of magnitude as native hardware solutions.

Notes

  1. https://www.smartvmi.org/.

  2. Newer publications refer to the same extension as AMD Virtualization (AMD-V) [18].

  3. https://xenbits.xen.org/gitweb/?p=xen.git;a=blob;f=xen/arch/x86/hvm/vmx/intr.c;h=80bfbb478782446cb17b53004435e41206f993b8;hb=556c2e817c9cf23b675eb4eaa2dc091f7bb3039f#l250.

  4. Available at: https://github.com/smartvmi/VMI-on-AMD.

  5. https://elixir.bootlin.com/linux/v5.4.217/source/arch/x86/kvm/svm.c#L591.

  6. https://elixir.bootlin.com/linux/v5.4.217/source/arch/x86/kvm/x86.c#L10104.

  7. https://elixir.bootlin.com/linux/v5.4.217/source/arch/x86/kvm/svm.c#L2783.

References

  1. Advanced Micro Devices: AMD64 Architecture Programmer’s Manual, Volume 2 (2019)

  2. Barham, P., et al.: Xen and the art of virtualization. In: Proceedings of the Nineteenth ACM Symposium on Operating Systems Principles, SOSP, pp. 164–177. Association for Computing Machinery, Bolton Landing, NY, USA (2003). https://doi.org/10.1145/945445.945462

  3. Byte Magazine: byte-unixbench (1983). https://github.com/kdlucas/byte-unixbench. Accessed 20 Apr 2023

  4. Garfinkel, T., Rosenblum, M.: A virtual machine introspection based architecture for intrusion detection. In: NDSS, vol. 3, pp. 191–206 (2003)

  5. Intel Corporation: Intel® 64 and IA-32 Architectures Software Developer’s Manual, Volume 2A (2009)

  6. Jain, B., Baig, M.B., Zhang, D., Porter, D.E., Sion, R.: SoK: introspections on trust and the semantic gap. In: IEEE Symposium on Security and Privacy, pp. 605–620 (2014). https://doi.org/10.1109/SP.2014.45

  7. Kiszka, J.: Debugging kernel and modules via GDB (2023). https://www.kernel.org/doc/Documentation/dev-tools/gdb-kernel-debugging.rst. Accessed 31 Mar 2023

  8. Lazăr, A.: KVMi subsystem v7 for KVM. KVM mailing list (2021). https://lore.kernel.org/kvm/20200207181636.1065-1-alazar@bitdefender.com/. Accessed 24 Mar 2023

  9. Lengyel, T.K.: Stealthy monitoring with Xen altp2m (2016). https://xenproject.org/2016/04/13/stealthy-monitoring-with-xen-altp2m/. Accessed 24 Mar 2023

  10. Pék, G., Buttyán, L., Bencsáth, B.: A survey of security issues in hardware virtualization. ACM Comput. Surv. 45(3), 1–34 (2013)

  11. Proskurin, S., Lengyel, T., Momeu, M., Eckert, C., Zarras, A.: Hiding in the shadows: empowering ARM for stealthy virtual machine introspection. In: Proceedings of the 34th Annual Computer Security Applications Conference, ACSAC, pp. 407–417. Association for Computing Machinery, New York, NY, USA (2018). https://doi.org/10.1145/3274694.3274698

  12. Sato, M., Nakamura, R., Yamauchi, T., Taniguchi, H.: Improving transparency of hardware breakpoints with virtual machine introspection. In: 12th International Congress on Advanced Applied Informatics (IIAI-AAI), pp. 113–117 (2022). https://doi.org/10.1109/IIAIAAI55812.2022.00031

  13. Tanda, S.: AMD-V for hackers. Hypervisor Development Hands On for Security Researchers on Windows, Workshop, VXCON (2019). http://tandasat.github.io/VXCON/AMD-V_for_Hackers.pdf. Accessed 24 Mar 2023

  14. Taubmann, B.: Improving digital forensics and incident analysis in production environments by using virtual machine introspection. Ph.D. thesis, Faculty of Computer Science and Mathematics, University of Passau (2019)

  15. Tuzel, T., Bridgman, M., Zepf, J., Lengyel, T.K., Temkin, K.J.: Who watches the watcher? detecting hypervisor introspection from unprivileged guests. Digit. Invest. 26, S98–S106 (2018)

  16. Uhlig, R., et al.: Intel virtualization technology. Computer 38(5), 48–56 (2005)

  17. Van Doorn, L.: Hardware virtualization trends. In: ACM/Usenix International Conference On Virtual Execution Environments, vol. 14, pp. 45–45 (2006)

  18. VMWare Inc.: Performance Evaluation of AMD RVI Hardware Assist (2008). https://www.cse.iitd.ernet.in/~sbansal/csl862-virt/2010/readings/RVI_performance.pdf. Accessed 24 Mar 2023

  19. Wessel, J.: Using kgdb, kdb and the kernel debugger internals (2022). https://www.kernel.org/doc/Documentation/dev-tools/kgdb.rst. Accessed 31 Mar 2023

  20. Zhang, M., Zonouz, S.: How to hide a hook: a hypervisor for rootkits. Phrack Mag. 15(69) (2016)

Acknowledgement

This work has been funded by the Bundesministerium für Bildung und Forschung (BMBF, German Federal Ministry of Education and Research) – project 01IS21063A-C (SmartVMI).

Author information

Correspondence to Thomas Dangl.

Copyright information

© 2023 The Author(s), under exclusive license to Springer Nature Switzerland AG

About this paper

Cite this paper

Dangl, T., Sentanoe, S., Reiser, H.P. (2023). Retrofitting AMD x86 Processors with Active Virtual Machine Introspection Capabilities. In: Goumas, G., Tomforde, S., Brehm, J., Wildermann, S., Pionteck, T. (eds) Architecture of Computing Systems. ARCS 2023. Lecture Notes in Computer Science, vol 13949. Springer, Cham. https://doi.org/10.1007/978-3-031-42785-5_12

  • DOI: https://doi.org/10.1007/978-3-031-42785-5_12

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-42784-8

  • Online ISBN: 978-3-031-42785-5

  • eBook Packages: Computer Science, Computer Science (R0)
