A File Integrity Monitoring System Based on Virtual Machine

Abstract

This paper describes the design and implementation of a file integrity monitoring system, named FSGuard, based on the virtualization software Xen. Monitored system (DomU) runs in full virtualized mode on Xen, therefore it is unable to perceive the existence of the underlying VMM, but its system calls related to file operations are recorded in real time. User mode programs in DomU provide configuration and management interface, so that the administrator can assign a certain DomU to specify the access control policy and a list of files that need to be protected. These characters make FSGuard possible to monitor file operations in real time, and get feedback through the user mode program in DomU.