Abstract
Virtual machine introspection (VMI) is proposed to protect a virtual machine from attack by malware. Although VMI can provide out-of-VM isolation to ensure the security of monitors, the overhead of context switching between the guest VMs and the hypervisor for each monitor point makes this approach wasteful in many application scenarios. On the other hand, the semantic gap in extracting meaningful information from the guest is a problem that still needs to be addressed for VMI. In this paper, we present None-Exit Monitoring (NEM), a framework that performs the monitoring inside the guest to avoid the overhead of VM-exit and VM-entry switching while still providing strong isolation between the guest and the monitor tools. In NEM, we use two new hardware virtualization assistance features: Intel VT VMFUNC and #VE. NEM provides isolated memory views and strict limits on privileges, and uses EPTP switching to realize world switches instead of root/non-root switching, which reduces the overhead of invoking the monitor. At the same time, in-VM monitoring can obtain richer information on a virtual machine, which enhances the capability of the monitor. To support the EPTP-switching function of VMFUNC and the #VE exception, we patch the open source KVM. We also implement NEM in KVM and evaluate its functionality and efficiency. Experimental results show that NEM satisfies the security requirements of a virtual machine monitor and greatly improves efficiency.
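The abstract describes two mechanisms: the guest switches between EPT views with VMFUNC (EPTP switching) instead of taking a VM-exit, and an access that the current view does not permit raises #VE inside the guest. The software model below is an added example, not code from the paper or from the patched KVM: it represents each EPT view as a dictionary of guest-frame permissions, models the VMFUNC switch as a plain function call (no root/non-root transition), and delivers #VE as a guest-side exception. The page numbers, view layout and the trampoline name `monitor_entry` are constructed for the illustration; nothing here touches real hardware.

```python
"""Software model of the NEM world switch: two EPT views, an in-guest
VMFUNC-style view switch, and an in-guest #VE. Constructed example."""
from dataclasses import dataclass

R, W, X = 1, 2, 4

# Constructed guest-frame numbers for the illustration.
GUEST_GFN = 0x100     # ordinary guest page, mapped in both views
MONITOR_GFN = 0x200   # monitor code/data, mapped only in the monitor view


class VirtualizationException(Exception):
    """Models #VE: delivered to the guest, no VM-exit to the hypervisor."""


@dataclass
class EptView:
    name: str
    perms: dict  # gfn -> permission bits; a missing gfn is "not present"


@dataclass
class Vcpu:
    views: list          # the EPTP list the hypervisor configured
    current: int = 0     # index of the active view
    ve_count: int = 0    # #VE events delivered to the guest
    exit_count: int = 0  # transitions that would have reached the hypervisor

    def vmfunc_eptp_switch(self, view_idx):
        """VMFUNC leaf 0: select entry view_idx of the EPTP list.
        Modelled as an ordinary call, i.e. no root/non-root switch."""
        if not 0 <= view_idx < len(self.views):
            # An out-of-range index is not a legal switch; count it as an
            # exit so the demo can show that the hot path never takes one.
            self.exit_count += 1
            raise ValueError("invalid EPTP index %d" % view_idx)
        self.current = view_idx

    def access(self, gfn, want):
        """Check a guest access against the active view's permissions."""
        perms = self.views[self.current].perms.get(gfn)
        if perms is None or perms & want != want:
            self.ve_count += 1
            raise VirtualizationException(
                "#VE: gfn 0x%x not permitted in view %r"
                % (gfn, self.views[self.current].name))
        return True


def build_views():
    # View 0: what untrusted guest code runs under; the monitor page is absent.
    guest_view = EptView("guest", {GUEST_GFN: R | W | X})
    # View 1: the monitor's view; it keeps guest memory visible so the
    # monitor can read rich in-VM state (the semantic-gap benefit).
    monitor_view = EptView("monitor", {GUEST_GFN: R | W | X,
                                       MONITOR_GFN: R | W | X})
    return [guest_view, monitor_view]


def monitor_entry(vcpu, hook):
    """Constructed trampoline: the only transition into the monitor view.
    Switch in, run the monitor hook, switch back regardless of outcome."""
    vcpu.vmfunc_eptp_switch(1)
    try:
        return hook(vcpu)
    finally:
        vcpu.vmfunc_eptp_switch(0)


def read_monitor_state(vcpu):
    """A monitor hook that touches its own private page."""
    vcpu.access(MONITOR_GFN, R)
    return "monitor-ran"


def run_demo():
    """Exercise isolation (direct read -> #VE) and the legitimate entry path."""
    vcpu = Vcpu(build_views())
    results = {}
    try:
        vcpu.access(MONITOR_GFN, R)   # guest code reads monitor memory directly
        results["direct_read"] = "allowed"
    except VirtualizationException:
        results["direct_read"] = "#VE"
    results["via_entry"] = monitor_entry(vcpu, read_monitor_state)
    results["view_after"] = vcpu.views[vcpu.current].name
    results["ve_count"] = vcpu.ve_count
    results["vm_exits"] = vcpu.exit_count
    return results


if __name__ == "__main__":
    print(run_demo())
```

The model makes the abstract's two claims concrete: a direct guest read of the monitor's page is refused and reported in-guest as #VE rather than escalating to the hypervisor, and the only path that reaches the monitor page is the trampoline, whose switch in and out costs no VM-exit (the `vm_exits` counter stays at zero). In the real design the hypervisor, not the guest, decides which EPTP entries exist and what each view maps, which is what makes the switch a world switch rather than a privilege escalation.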
Acknowledgements
This work is supported by the 863 project 2015AA01A202.
© 2018 Springer International Publishing AG
Qin, J., Shi, B., Li, B. (2018). NEM: A NEW In-VM Monitoring with High Efficiency and Strong Isolation. In: Qiu, M. (eds) Smart Computing and Communication. SmartCom 2017. Lecture Notes in Computer Science(), vol 10699. Springer, Cham. https://doi.org/10.1007/978-3-319-73830-7_39
DOI: https://doi.org/10.1007/978-3-319-73830-7_39
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-73829-1
Online ISBN: 978-3-319-73830-7
eBook Packages: Computer Science, Computer Science (R0)