RapidVMI: Fast and multi-core aware active virtual machine introspection

Proceedings of the 16th International Conference on Availability, Reliability and Security Pub Date : 2021-08-16 DOI:10.1145/3465481.3465752

Thomas Dangl, Benjamin Taubmann, Hans P. Reiser

{"title":"RapidVMI: Fast and multi-core aware active virtual machine introspection","authors":"Thomas Dangl, Benjamin Taubmann, Hans P. Reiser","doi":"10.1145/3465481.3465752","DOIUrl":null,"url":null,"abstract":"Virtual machine introspection (VMI) is a technique for the external monitoring of virtual machines. Through previous work, it became apparent that VMI can contribute to the security of distributed systems and cloud architectures by facilitating stealthy intrusion detection, malware analysis, and digital forensics. The main shortcomings of active VMI-based approaches such as program tracing or process injection in production environments result from the side effects of writing to virtual address spaces and the parallel execution of shared main memory on multiple processor cores. In this paper, we present RapidVMI, a framework for active virtual machine introspection that enables fine-grained, multi-core aware VMI-based memory access on virtual address spaces. It was built to overcome the outlined shortcomings of existing VMI solutions and facilitate the development of introspection applications as if they run in the monitored virtual machine itself. Furthermore, we demonstrate that hypervisor support for this concept improves introspection performance in prevalent virtual machine tracing applications considerably up to 98 times.","PeriodicalId":417395,"journal":{"name":"Proceedings of the 16th International Conference on Availability, Reliability and Security","volume":"1 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2021-08-16","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"4","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"Proceedings of the 16th International Conference on Availability, Reliability and Security","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1145/3465481.3465752","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}

引用次数: 4

Abstract

Virtual machine introspection (VMI) is a technique for the external monitoring of virtual machines. Through previous work, it became apparent that VMI can contribute to the security of distributed systems and cloud architectures by facilitating stealthy intrusion detection, malware analysis, and digital forensics. The main shortcomings of active VMI-based approaches such as program tracing or process injection in production environments result from the side effects of writing to virtual address spaces and the parallel execution of shared main memory on multiple processor cores. In this paper, we present RapidVMI, a framework for active virtual machine introspection that enables fine-grained, multi-core aware VMI-based memory access on virtual address spaces. It was built to overcome the outlined shortcomings of existing VMI solutions and facilitate the development of introspection applications as if they run in the monitored virtual machine itself. Furthermore, we demonstrate that hypervisor support for this concept improves introspection performance in prevalent virtual machine tracing applications considerably up to 98 times.

查看原文本刊更多论文

RapidVMI:快速和多核感知的主动虚拟机自省

虚拟机自省(VMI)是一种用于外部监视虚拟机的技术。通过之前的工作，VMI可以通过促进隐形入侵检测、恶意软件分析和数字取证，为分布式系统和云架构的安全性做出贡献。基于主动vmi的方法(如生产环境中的程序跟踪或进程注入)的主要缺点是，写入虚拟地址空间和在多个处理器内核上并行执行共享主存的副作用。在本文中，我们提出了RapidVMI，一个用于主动虚拟机自省的框架，它支持对虚拟地址空间进行细粒度、多核感知的基于vmi的内存访问。它的构建是为了克服现有VMI解决方案的缺点，并促进内省应用程序的开发，就好像它们在被监视的虚拟机本身中运行一样。此外，我们还证明，在流行的虚拟机跟踪应用程序中，管理程序对这一概念的支持将自省性能提高了98倍。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

Proceedings of the 16th International Conference on Availability, Reliability and Security

自引率

0.00%

发文量