Haskell Library for Safer Virtual Machine Introspection (Experience Report)

Abstract

Virtual machine introspection (VMI) is a technique for inspecting a virtual machine from the outside, typically to analyze the operating system (guest OS) running on it. LibVMI is a C library for VMI and provides APIs for accessing guest OS's memory. However, in using LibVMI APIs directly in C, the programmer must compute target addresses in the kernel memory and then access them with their exact bit widths and types. This is an enormous burden for the programmer and is prone to introducing statically undetected but fatal errors. We create HaVMI, a Haskell library that facilitates VMI programming. HaVMI provides meta-functions for compile-time code generation by Template Haskell. These meta-functions make it easy to write safer VMI programs. HaVMI uses Haskell language features to detect the programmer's errors statically.