Skip to main content
SpringerLink
Log in

Proposed Processor Extensions for Significant Speedup of Hypervisor Memory Introspection

  • Conference paper
  • First Online:
Trust and Trustworthy Computing (Trust 2015)

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 9229))

Included in the following conference series:

Abstract

Hypervisor based memory introspection can greatly enhance the security and trustworthiness of endpoints. The memory introspection logic requires numerous memory address space translations. Those in turn, inevitably, impose a considerable performance penalty. We identified that a significant part of the overall overhead induced by introspection is generated by mappings of guest pages into the virtual memory space of the hypervisor. We show that even if we employ highly efficient software caching, the mapping overhead still remains significant. We propose several new x86 instructions, which can fully eliminate the mapping overhead from memory introspection techniques. We give performance estimates for and argue why we strongly believe the implementation of such instructions to be feasible. The introspection logic also relies on monitoring guest page tables. Here we identified a second important performance overhead source, showing that numerous VM-exits induced by EPT violations are caused by the CPU updating page table A/D bits. We propose a set of simple x86 architectural modifications, that can fully eliminate this overhead.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 39.99
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 54.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

References

  1. ARM: ARM Architecture Reference Manual ARMv7-A and ARMv7-R (2014)

    Google Scholar 

  2. BOCHS: The cross-platform IA-32 emulator. http://bochs.sourceforge.net/. Accessed on 24–11–2014

  3. BROMIUM: Bromium vSentry and LAVA products (2014–11-24). http://www.bromium.com/products.html. Accessed on 24–11–2014

  4. Bugnion, E., Devine, S., Rosenblum, M., Sugerman, J., Wang, E.Y.: Bringing virtualization to the x86 architecture with the original vmware workstation. ACM Trans. Comput. Syst 30(4), 12:1–12:51 (2012)

    Article  Google Scholar 

  5. Chang, C.J., Wu, J.J., Hsu, W.C., Liu, P., Yew, P.C.: Efficient memory virtualization for cross-ISA system mode emulation. In: Proceedings of the 10th ACM SIGPLAN/SIGOPS International Conference on Virtual Execution Environments (VEE 2014), pp. 117–128. ACM, New York (2014)

    Google Scholar 

  6. Chen, P.M., Noble, B.D.: When virtual is better than real. In: Proceedings of the Eighth Workshop on Hot Topics in Operating Systems (HOTOS 2001), IEEE Computer Society, Washington, DC (2001)

    Google Scholar 

  7. Chennupaty, S., Jiang, H., Sreenivas, A.: Technology Insight: Intel’s Next Generation 14nm Microarchitecture for Client and Server (2014)

    Google Scholar 

  8. Citrix: XenClient XT. The ultimate in multi-level secure local virtual desktops. http://www.citrix.com/products/xenclient/features/editions/xt.html. Accessed on 24–11–2014

  9. Dinaburg, A., Royal, P., Sharif, M., Lee, W.: Ether: Malware analysis via hardware virtualization extensions. In: Proceedings of the 15th ACM Conference on Computer and Communications Security (CCS 2008), pp. 51–62. ACM, New York (2008)

    Google Scholar 

  10. Dolan-Gavitt, B., Leek, T., Zhivich, M., Giffin, J., Lee, W.: Virtuoso: narrowing the semantic gap in virtual machine introspection. In: IEEE Symposium on Security and Privacy (SP), pp. 297–312. IEEE (2011)

    Google Scholar 

  11. Dontu, M., Sahita, R.: Zero-Footprint Guest Memory Introspection from Xen. In: XenProject Developer Summit (2014)

    Google Scholar 

  12. Durham, D.: Mitigating exploits, rootkits and advanced persistent threats. In: Proceedings of the 2014 Symposium on High Performance Chips (Hot Chips 2014), IEEE Technical Committee on Microprocessors and Microcomputers in Cooperation with ACM SIGARCH (2014)

    Google Scholar 

  13. FireEye: Advantage FireEye. Debunking the Myth of Sandbox Security (2013)

    Google Scholar 

  14. Garfinkel, T., Rosenblum, M.: A Virtual Machine Introspection Based Architecture for Intrusion Detection. In: Proceedings of Network and Distributed Systems Security Symposium, pp. 191–206 (2003)

    Google Scholar 

  15. Hammarlund, P.: 4th Generation Intel Core Processor, codenamed Haswell. In: HotChips (2013)

    Google Scholar 

  16. Intel Corporation: intel\(^{\textregistered }\) 64 and IA-32 Architectures Software Developer’s Manual (2015). Accessed on 02 Feb 2015

    Google Scholar 

  17. Jain, B., Baig, M.B., Zhang, D., Porter, D.E., Sion, R.: SoK: Introspections on trust and the semantic gap. In: Proceedings of the 2014 IEEE Symposium on Security and Privacy (SP 2014), pp. 605–620. IEEE Computer Society, Washington, DC (2014)

    Google Scholar 

  18. Jiang, X., Wang, X.: “Out-of-the-box” monitoring of VM-based high-interaction honeypots. In: Kruegel, C., Lippmann, R., Clark, A. (eds.) RAID 2007. LNCS, vol. 4637, pp. 198–218. Springer, Heidelberg (2007)

    Chapter  Google Scholar 

  19. Joshi, A., King, S.T., Dunlap, G.W., Chen, P.M.: Detecting past and present intrusions through vulnerability-specific predicates. In: Proceedings of the Twentieth ACM Symposium on Operating Systems Principles (SOSP 2005), pp. 91–104. ACM, New York (2005)

    Google Scholar 

  20. Lampson, B.: Accountability and freedom (2005)

    Google Scholar 

  21. Lampson, B.: Privacy and security: usable security: how to get it. Commun. ACM 52(11), 25–27 (2009)

    Article  Google Scholar 

  22. Lengyel, T., Kittel, T., Webster, G., Torrey, J.: Pitfalls of virtual machine introspection on modern hardware. In: 1st Workshop on Malware Memory Forensics (MMF) (2014)

    Google Scholar 

  23. Lengyel, T.K., Neumann, J., Maresca, S.: Virtual machine introspection in a hybrid honeypot architecture. In: Presented as part of the 5th Workshop on Cyber Security Experimentation and Test. USENIX, Berkeley (2012)

    Google Scholar 

  24. LibVMI: Virtual machine introspection tools. http://libvmi.com/. Accessed on 20–06-2015

  25. Ligh, M.H., Case, A., Levy, J., Walters, A.: The Art of Memory Forensics: Detecting Malware and Threats in Windows, Linux, and Mac Memory, 1st edn. Wiley, New York (2014)

    Google Scholar 

  26. Luţaş, A., Lukács, S., Luţaş, D., Coleşa, A.: U-HIPE: hypervisor-based protection of user-mode processes in windows. J. Comput. Virol. Hacking Tech. 9(1), 1–14 (2015)

    Google Scholar 

  27. McAfee: A New Paradigm Shift: Comprehensive Security Beyond the Operating System (2012)

    Google Scholar 

  28. McAfee: McAfee DeepSAFE and Deep Defender (2013)

    Google Scholar 

  29. Mohandas, R., Sahita, R.: Detecting Evasive Malware in Sandbox. In: Focus Security Conference (2014)

    Google Scholar 

  30. Rutkowska, J., Wojtczuk, R.: Qubes OS. http://www.qubes-os.org/. Accessed on 24–11–2014

  31. Sharif, M.I., Lee, W., Cui, W., Lanzi, A.: Secure in-VM monitoring using hardware virtualization. In: Proceedings of the 16th ACM Conference on Computer and Communications Security (CCS 2009), pp. 477–487. ACM (2009)

    Google Scholar 

  32. Srinivasan, D., Wang, Z., Jiang, X., Xu, D.: Process out-grafting: an efficient “out-of-VM” approach for fine-grained process execution monitoring. In: Proceedings of the 18th ACM Conference on Computer and Communications Security (CCS 2011), pp. 363–374. ACM, New York (2011)

    Google Scholar 

  33. Vasudevan, A., Chaki, S., Jia, L., McCune, J., Newsome, J., Datta, A.: Design, implementation and verification of an eXtensible and modular hypervisor framework. In: Proceedings of the 2013 IEEE Symposium on Security and Privacy (SP 2013), pp. 430–444. IEEE Computer Society, Washington, DC (2013)

    Google Scholar 

  34. Vasudevan, A., McCune, J., Newsome, J., Perrig, A., van Doorn, L.: CARMA: a hardware tamper-resistant isolated execution environment on commodity x86 platforms. In: Proceedings of the 7th ACM Symposium on Information, Computer and Communications Security (ASIACCS 2012), pp. 48–49. ACM, New York (2012)

    Google Scholar 

  35. Vasudevan, A., McCune, J.M., Qu, N., van Doorn, L., Perrig, A.: Requirements for an integrity-protected hypervisor on the x86 hardware virtualized architecture. In: Acquisti, A., Smith, S.W., Sadeghi, A.-R. (eds.) TRUST 2010. LNCS, vol. 6101, pp. 141–165. Springer, Heidelberg (2010)

    Chapter  Google Scholar 

  36. Zhang, F., Chen, J., Chen, H., Zang, B.: CloudVisor: retrofitting protection of virtual machines in multi-tenant cloud with nested virtualization. In: Proceedings of the Twenty-Third ACM Symposium on Operating Systems Principles (SOSP 2011), pp. 203–216. ACM, New York (2011)

    Google Scholar 

Download references

Acknowledgments

Adrian Colesa’s work on this paper was supported by the Post-Doctoral Programme POSDRU/159/1.5/S/137516, project co-funded from European Social Fund through the Human Resources Sectorial Operational Program 2007-2013.

Author information

Authors and Affiliations

  1. Bitdefender, Cluj-Napoca, Romania

    Andrei Luţaş, Sándor Lukács & Dan Luţaş

  2. Technical University of Cluj-Napoca, Cluj-Napoca, Romania

    Andrei Luţaş, Sándor Lukács, Adrian Coleşa & Dan Luţaş

Authors
  1. Andrei Luţaş
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Sándor Lukács
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Adrian Coleşa
    View author publications

    You can also search for this author in PubMed Google Scholar

  4. Dan Luţaş
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Sándor Lukács .

Editor information

Editors and Affiliations

  1. University of Padua, Padua, Italy

    Mauro Conti

  2. Intel Labs, Darmstadt, Germany

    Matthias Schunter

  3. - Hellas (FORTH), Crete, Institute of Computer Science (ICS), Foundation for Research & Technology, Heraklion, Greece

    Ioannis Askoxylakis

Rights and permissions

Reprints and permissions

Copyright information

© 2015 Springer International Publishing Switzerland

About this paper

Cite this paper

Luţaş, A., Lukács, S., Coleşa, A., Luţaş, D. (2015). Proposed Processor Extensions for Significant Speedup of Hypervisor Memory Introspection. In: Conti, M., Schunter, M., Askoxylakis, I. (eds) Trust and Trustworthy Computing. Trust 2015. Lecture Notes in Computer Science(), vol 9229. Springer, Cham. https://doi.org/10.1007/978-3-319-22846-4_15

Download citation

  • DOI: https://doi.org/10.1007/978-3-319-22846-4_15

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-22845-7

  • Online ISBN: 978-3-319-22846-4

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation