Invariant Evaluation through Introspection for Proving Security Properties

Semantics-driven monitoring discovers attacks against a process by evaluating invariants on the process state. To increase the robustness and the transparency of semantics-driven monitoring, we propose an approach that introduces two virtual machines (VMs) running on the same platform. One VM runs the monitored process, i.e. the process to be protected, while the other one evaluates invariants on the process state each time a process invokes a system call. The evaluation of invariant exploits an Introspection Library that enables the monitoring VM to access the memory and the processor registers of the monitored VM. After describing the overall architecture of the proposed approach, we focus on the Introspection Library and the problems posed by the introspection of variables in the memory of a program running in a distinct VM to evaluate invariants. A first prototype implementation is also presented together with a set of performance results.