Abstract
A method for the introspection of virtual machines is proposed. The main distinctive feature of this method is that it makes it possible to obtain information about the system operation using the minimum knowledge about its internal organization. The proposed approach uses rarely changing parts of the application binary interface, such as identifiers and parameters of system calls, calling conventions, and the formats of executable files. The lightweight property of the introspection method is due to the minimization of the knowledge about the system and by its high performance. The introspection infrastructure is based on the QEMU emulator, version 2.8. Presently, monitoring the file operations, processes, and API function calls are implemented. The available introspection tools (RTKDSM, Panda, and DECAF) get data for the analysis using kernel structures. All the data obtained (addresses of structures, etc.) is written to special profiles. Since the addresses and offsets strongly depend not only on the version of the operating system but also on the parameters of its assembly, these tools have to store a large number of profiles. We propose to use parts of the application binary interface because they are rarely modified and it is often possible to use one profile for a family of OSs. The main idea underlying the proposed method is to intercept the system and library function calls and read parameters and returned values. The processor provides special instructions for calling system and user defined functions. The capabilities of QEMU are extended by an instrumentation mechanism to enable one to track each executed instruction and find the instructions of interest among them. When a system call occurs, the control is passed to the system call detector that checks the number of the call and decides to which module the job should be forwarded. In the case of an API function call, the situation is similar, but the API function detector checks the function address. An introspection tool consisting of a set of modules is developed. These modules are dynamic libraries that are plugged in QEMU. The modules can interact by exchanging data.
Similar content being viewed by others
References
Microprocessor Development Tools, http://www.lauterbach.com/frames.html?home.html.
Dovgalyuk, P., Deterministic replay of system’s execution with multi-target QEMU simulator for dynamic analysis and reverse debugging, in Proc. of the 16th European Conference on Software Maintenance and Reengineering, CSMR’12, Washington, 2012, IEEE Computer Society, 2012, pp. 553–556.
Hizver, J. and Chiueh, T.-C., Real-time deep virtual machine introspection and its applications, in Proc. of the 10th ACM SIGPLAN/SIGOPS Int. Conference on Virtual Execution Environments, VEE’14, NewYork, 2014, ACM, pp. 3–14.
Xu, M., Malyuigin, V., Sheldon, J., Venkitachalam, G., and Weissman, B., ReTrace: Collecting execution trace with virtual machine deterministic replay,, in Proc. of the Fourth ACM SIGPLAN/SIGOPS Int. Conference on Virtual Execution Environments, New York, 2008, ACM, pp. 121–130.
Oliveira D., Navarro J., Wetzel N., Bucci M. Ianus: Secure and holistic coexistence with kernel extensions — a immune system-inspired approach, in Proc. of the 29th Annual ACM Symposium on Applied Computing, SAC’14, New York, 2014, ACM, pp. 1672–1679.
Bakulin, M.G., Klimushenkova, M.A., Padaryan, V.A., Dovgalyuk, P.M., Fursova, N.I., and Vasil’ev, I.A., On the limitations of the full system analysis of tainted data, Trudy Inst. Syst. Programm. Ross Akad Nauk, 2016, vol. 28, no. 6, pp. 11–26.
Portokalidis, G., Slowinska, A., and Bos, H., Argos: An emulator for fingerprinting zero-day attacks for advertised honeypots with automatic signature generation, in Proc. of the 1st ACM SIGOPS/EuroSys European Conference on Computer Systems 2006, EuroSys’06, New York, 2006, ACM, pp. 15–27.
Padaryan, V.A., Get’man, A.I., Solov’ev, M.A., Bakulin, M.G., Borzilov, A.I., Kaushan, V.V., Ledovskikh, I.N., Markin, Yu.V., and Panasenko, S.S., Methods and software tools that support the combined analysis of binary codes Trudy Inst. Syst. Programm. Ross Akad Nauk, 2014, vol. 26, no. 1, pp. 251–276.
Dolan-Gavitt, B., Hodosh, J., Hulin, P., Leek, T., and Whelan, R., Repeatable reverse engineering with PANDA, in Proc. of the 5th Program Protection and Reverse Engineering Workshop, New York, 2015, ACM, pp. 1–11.
Henderson, A., Prakash, A., Yan, L.K., Hu, X., Wang, X., Zhou, R., and Yin, H., Make it work, make it right, make it fast: Building a platform-neutral whole-system dynamic binary analysis platform, in Proc. of the 2014 Int. Symposium on Software Testing and Analysis, ISSTA 2014, New York, 2014, ACM, pp. 248–258.
Fursova, N.I., Dovgalyuk, P.M., and Vasil’ev, I.A., The use of ABI for the virtual machine introspection, Trudy Inst. Syst. Programm. Ross Akad Nauk, 2015, vol. 27, no. 6, pp. 159–168.
Author information
Authors and Affiliations
Corresponding author
Additional information
Original Russian Text © N.I. Fursova, P.M. Dovgalyuk, I.A. Vasil’ev, V.A. Makarov, 2017, published in Programmirovanie, 2017, Vol. 43, No. 5.
Rights and permissions
About this article
Cite this article
Fursova, N.I., Dovgalyuk, P.M., Vasil’ev, I.A. et al. A lightweight method for virtual machine introspection. Program Comput Soft 43, 307–313 (2017). https://doi.org/10.1134/S0361768817050036
Received:
Published:
Issue Date:
DOI: https://doi.org/10.1134/S0361768817050036