research-article
Exploring VM Introspection: Techniques and Trade-offs

Published: 14 March 2015

Abstract

While there are a variety of existing virtual machine introspection (VMI) techniques, their latency, overhead, complexity and consistency trade-offs are not clear. In this work, we address this gap by first organizing the various existing VMI techniques into a taxonomy based upon their operational principles, so that they can be put into context. Next, we perform a thorough exploration of their trade-offs, both qualitatively and quantitatively. We present a comprehensive set of observations and best practices for efficient, accurate and consistent VMI operation based on our experiences with these techniques. Our results show the stunning range of variations in performance, complexity and overhead with different VMI techniques. We further present a deep dive on VMI consistency aspects to understand the sources of inconsistency in observed VM state and show that, contrary to common expectation, pause-and-introspect based VMI techniques achieve very little to improve consistency despite their substantial performance impact.



Published in

ACM SIGPLAN Notices, Volume 50, Issue 7 (VEE '15), July 2015, 221 pages. ISSN: 0362-1340, EISSN: 1558-1160, DOI: 10.1145/2817817. Editor: Andy Gill.

VEE '15: Proceedings of the 11th ACM SIGPLAN/SIGOPS International Conference on Virtual Execution Environments, March 2015, 238 pages. ISBN: 9781450334501, DOI: 10.1145/2731186.

Copyright © 2015 ACM

Publisher: Association for Computing Machinery, New York, NY, United States
