Exploring VM Introspection: Techniques and Trade-offs

Published: 14 March 2015
DOI: 10.1145/2731186.2731196

Abstract

While there are a variety of existing virtual machine introspection (VMI) techniques, their latency, overhead, complexity and consistency trade-offs are not clear. In this work, we address this gap by first organizing the various existing VMI techniques into a taxonomy based upon their operational principles, so that they can be put into context. Next we perform a thorough exploration of their trade-offs both qualitatively and quantitatively. We present a comprehensive set of observations and best practices for efficient, accurate and consistent VMI operation based on our experiences with these techniques. Our results show the stunning range of variations in performance, complexity and overhead with different VMI techniques. We further present a deep dive on VMI consistency aspects to understand the sources of inconsistency in observed VM state and show that, contrary to common expectation, pause-and-introspect based VMI techniques achieve very little to improve consistency despite their substantial performance impact.

Published In

VEE '15: Proceedings of the 11th ACM SIGPLAN/SIGOPS International Conference on Virtual Execution Environments
March 2015, 238 pages
ISBN: 9781450334501
DOI: 10.1145/2731186

Also published in ACM SIGPLAN Notices, Volume 50, Issue 7 (VEE '15), July 2015, 221 pages
ISSN: 0362-1340, EISSN: 1558-1160
DOI: 10.1145/2817817
Editor: Andy Gill

Publisher

Association for Computing Machinery, New York, NY, United States

Author Tags

  1. consistency
  2. taxonomy
  3. virtual machine
  4. virtualization
  5. vmi

Qualifiers

  • Research-article

Conference

VEE '15

Acceptance Rates

VEE '15 Paper Acceptance Rate: 16 of 50 submissions, 32%
Overall Acceptance Rate: 80 of 235 submissions, 34%

Cited By

  • (2023) How to Resuscitate a Sick VM in the Cloud. 2023 53rd Annual IEEE/IFIP International Conference on Dependable Systems and Networks - Supplemental Volume (DSN-S), pp. 89-93. DOI: 10.1109/DSN-S58398.2023.00030. Published June 2023.
  • (2021) TRIGLAV: Remote Attestation of the Virtual Machine's Runtime Integrity in Public Clouds. 2021 IEEE 14th International Conference on Cloud Computing (CLOUD), pp. 1-12. DOI: 10.1109/CLOUD53861.2021.00013. Published September 2021.
  • (2020) Malware Detection Based on Multi-level and Dynamic Multi-feature Using Ensemble Learning at Hypervisor. Mobile Networks and Applications. DOI: 10.1007/s11036-019-01503-4. Published 8 January 2020.
  • (2019) High-Performance Memory Snapshotting for Real-Time, Consistent, Hypervisor-Based Monitors. IEEE Transactions on Dependable and Secure Computing, pp. 1-1. DOI: 10.1109/TDSC.2018.2805904. Published 2019.
  • (2019) Detecting Hang on the Virtual Machine using LibVMI. 2019 International Electronics Symposium (IES), pp. 618-621. DOI: 10.1109/ELECSYM.2019.8901677. Published September 2019.
  • (2018) FIMCE. ACM Transactions on Privacy and Security, 21(3), pp. 1-30. DOI: 10.1145/3195181. Published 21 May 2018.
  • (2018) NOR: Towards Non-intrusive, Real-Time and OS-agnostic Introspection for Virtual Machines in Cloud Environment. Information Security and Cryptology, pp. 500-517. DOI: 10.1007/978-3-319-75160-3_29. Published 4 February 2018.
  • (2018) Furnace: Self-service Tenant VMI for the Cloud. Research in Attacks, Intrusions, and Defenses, pp. 647-669. DOI: 10.1007/978-3-030-00470-5_30. Published 7 September 2018.
  • (2017) Safe Inspection of Live Virtual Machines. ACM SIGPLAN Notices, 52(7), pp. 97-111. DOI: 10.1145/3140607.3050766. Published 8 April 2017.
  • (2017) Using OS Design Patterns to Provide Reliability and Security as-a-Service for VM-based Clouds. ACM SIGPLAN Notices, 52(7), pp. 157-170. DOI: 10.1145/3140607.3050759. Published 8 April 2017.
