Abstract
While there are a variety of existing virtual machine introspection (VMI) techniques, their latency, overhead, complexity and consistency trade-offs are not clear. In this work, we address this gap by first organizing the various existing VMI techniques into a taxonomy based upon their operational principles, so that they can be put into context. Next we perform a thorough exploration of their trade-offs both qualitatively and quantitatively. We present a comprehensive set of observations and best practices for efficient, accurate and consistent VMI operation based on our experiences with these techniques. Our results show the stunning range of variations in performance, complexity and overhead with different VMI techniques. We further present a deep dive on VMI consistency aspects to understand the sources of inconsistency in observed VM state and show that, contrary to common expectation, pause-and-introspect based VMI techniques achieve very little to improve consistency despite their substantial performance impact.
Publication
Exploring VM Introspection: Techniques and Trade-offs. VEE '15: Proceedings of the 11th ACM SIGPLAN/SIGOPS International Conference on Virtual Execution Environments.