Bridging the Semantic Gap in Virtual Machine Introspection via Online Kernel Data Redirection

Q Engineering

ACM Transactions on Information and System Security Pub Date : 2013-09-01 DOI:10.1145/2505124

Yangchun Fu, Zhiqiang Lin

{"title":"Bridging the Semantic Gap in Virtual Machine Introspection via Online Kernel Data Redirection","authors":"Yangchun Fu, Zhiqiang Lin","doi":"10.1145/2505124","DOIUrl":null,"url":null,"abstract":"It is generally believed to be a tedious, time-consuming, and error-prone process to develop a virtual machine introspection (VMI) tool because of the semantic gap. Recent advance shows that the semantic-gap can be largely narrowed by reusing the executed code from a trusted OS kernel. However, the limitation for such an approach is that it only reuses the exercised code through a training process, which suffers the code coverage issues. Thus, in this article, we present Vmst, a new technique that can seamlessly bridge the semantic gap and automatically generate the VMI tools. The key idea is that, through system wide instruction monitoring, Vmst automatically identifies the introspection related data from a secure-VM and online redirects these data accesses to the kernel memory of a product-VM, without any training. Vmst offers a number of new features and capabilities. Particularly, it enables an in-VM inspection program (e.g., ps) to automatically become an out-of-VM introspection program. We have tested Vmst with over 25 commonly used utilities on top of a number of different OS kernels including Linux and Microsoft Windows. The experimental results show that our technique is general (largely OS-independent), and it introduces 9.3X overhead for Linux utilities and 19.6X overhead for Windows utilities on average for the introspected program compared to the native in-VM execution without data redirection.","PeriodicalId":50912,"journal":{"name":"ACM Transactions on Information and System Security","volume":null,"pages":null},"PeriodicalIF":0.0000,"publicationDate":"2013-09-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"204","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"ACM Transactions on Information and System Security","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1145/2505124","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q","JCRName":"Engineering","Score":null,"Total":0}

引用次数: 204

Abstract

It is generally believed to be a tedious, time-consuming, and error-prone process to develop a virtual machine introspection (VMI) tool because of the semantic gap. Recent advance shows that the semantic-gap can be largely narrowed by reusing the executed code from a trusted OS kernel. However, the limitation for such an approach is that it only reuses the exercised code through a training process, which suffers the code coverage issues. Thus, in this article, we present Vmst, a new technique that can seamlessly bridge the semantic gap and automatically generate the VMI tools. The key idea is that, through system wide instruction monitoring, Vmst automatically identifies the introspection related data from a secure-VM and online redirects these data accesses to the kernel memory of a product-VM, without any training. Vmst offers a number of new features and capabilities. Particularly, it enables an in-VM inspection program (e.g., ps) to automatically become an out-of-VM introspection program. We have tested Vmst with over 25 commonly used utilities on top of a number of different OS kernels including Linux and Microsoft Windows. The experimental results show that our technique is general (largely OS-independent), and it introduces 9.3X overhead for Linux utilities and 19.6X overhead for Windows utilities on average for the introspected program compared to the native in-VM execution without data redirection.

查看原文本刊更多论文

通过在线内核数据重定向弥合虚拟机自省中的语义差距

由于语义差距，通常认为开发虚拟机自省(VMI)工具是一个冗长、耗时且容易出错的过程。最近的进展表明，语义差距可以通过重用来自可信操作系统内核的已执行代码来大大缩小。然而，这种方法的局限性在于，它只能通过一个训练过程来重用经过练习的代码，这将导致代码覆盖问题。因此，在本文中，我们将介绍Vmst，这是一种可以无缝地弥合语义差距并自动生成VMI工具的新技术。其关键思想是，通过系统范围的指令监视，Vmst自动识别来自安全vm的内省相关数据，并在线将这些数据访问重定向到产品vm的内核内存，而无需任何训练。Vmst提供了许多新的特性和功能。特别是，它使虚拟机内的检查程序(例如ps)自动成为虚拟机外的内省程序。我们在许多不同的操作系统内核(包括Linux和Microsoft Windows)上对Vmst进行了超过25种常用实用程序的测试。实验结果表明，我们的技术是通用的(很大程度上与操作系统无关)，与没有数据重定向的本机vm内执行相比，内省程序为Linux实用程序带来9.3倍的平均开销，为Windows实用程序带来19.6倍的平均开销。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

ACM Transactions on Information and System Security 工程技术-计算机：信息系统

CiteScore

4.50

自引率

0.00%

发文量

审稿时长

3.3 months

期刊介绍： ISSEC is a scholarly, scientific journal that publishes original research papers in all areas of information and system security, including technologies, systems, applications, and policies.