Hardware assisted hypervisor introspection
نویسندگان
چکیده
In this paper, we introduce hypervisor introspection, an out-of-box way to monitor the execution of hypervisors. Similar to virtual machine introspection which has been proposed to protect virtual machines in an out-of-box way over the past decade, hypervisor introspection can be used to protect hypervisors which are the basis of cloud security. Virtual machine introspection tools are usually deployed either in hypervisor or in privileged virtual machines, which might also be compromised. By utilizing hardware support including nested virtualization, EPT protection and #BP, we are able to monitor all hypercalls belongs to the virtual machines of one hypervisor, include that of privileged virtual machine and even when the hypervisor is compromised. What's more, hypercall injection method is used to simulate hypercall-based attacks and evaluate the performance of our method. Experiment results show that our method can effectively detect hypercall-based attacks with some performance cost. Lastly, we discuss our furture approaches of reducing the performance cost and preventing the compromised hypervisor from detecting the existence of our introspector, in addition with some new scenarios to apply our hypervisor introspection system.
منابع مشابه
SystemWall: An Isolated Firewall Using Hardware-Based Memory Introspection
Memory introspection can be a powerful tool for analyzing contents of a system’s memory for any malicious code. Current approaches based on memory introspection have focused on Virtual Machines and using a privileged software entity, such as a hypervisor, to perform the introspection. Such software-based introspection, however, is susceptible to variety of attacks that may compromise the hyperv...
متن کاملVirtual Machine Introspection with Xen on ARM
In the recent years, virtual machine introspection (VMI) has become a valuable technique for developing security applications for virtualized environments. With the increasing popularity of the ARM architecture, and the recent addition of hardware virtualization extensions, there is a growing need for porting existing VMI tools. Porting these applications requires proper hypervisor support, whi...
متن کاملDepartment of Informatics
To approach the ever growing complexity of modern malware, security applications increasingly leverage virtualization technology to perform Virtual Machine Introspection (VMI). VMI constitutes techniques that allow the observation, analysis, and control of guest Virtual Machines (VMs) from the outside. This lends VMI-based applications an omniscient character gaining a complete and untainted vi...
متن کاملBogdan Carbunar
Introspections on the Semantic Gap Report Title An essential goal of virtual machine introspection (VMI) is security policy enforcement in the presence of an untrustworthy OS. One obstacle to this goal is the difficulty in accurately extracting semantic meaning from the hypervisor’s hardware-level view of a guest OS.
متن کاملHypervisor Introspection: A Technique for Evading Passive Virtual Machine Monitoring
Security requirements in the cloud have led to the development of new monitoring techniques that can be broadly categorized as virtual machine introspection (VMI) techniques. VMI monitoring aims to provide high-fidelity monitoring while keeping the monitor secure by leveraging the isolation provided by virtualization. This work shows that not all hypervisor activity is hidden from the guest vir...
متن کامل