IVirt: Runtime Environment Integrity Measurement Mechanism Based on Virtual Machine Introspection
Integrity measurement is an important method for detecting compromised applications, but in virtualized environments traditional detection approaches show some shortcomings. For example, the measurement software and the measured objects reside in the same operating system, so the measurement software is itself easily attacked. Considering both security and performance, this paper proposes IVirt (Integrity for Virtualization), an integrity measurement mechanism based on virtual machine introspection. The mechanism obtains the required memory data of a virtual machine from outside that virtual machine through address translation and content locating, and uses it to measure the integrity of the applications running in the virtual machine and so verify whether they have been tampered with. The IVirt prototype was implemented on Xen, a typical virtual machine monitor. Compared with other work of the same kind, IVirt isolates the measurement software from the measured objects, preventing the measurement software from being attacked. In addition, it measures the runtime state using address translation rather than event interception, in order to reduce performance overhead. The experimental results show that this method can detect software modification and does not introduce high performance cost.
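The out-of-guest measurement described above, sketched as an added example that is not the paper's code: a measurer walks the guest's page table to translate a code range to guest-physical frames, hashes it, and compares it with a baseline. The guest memory is a constructed byte array, the 32-bit x86 non-PAE two-level paging layout is an assumption (the abstract does not give IVirt's), and all function names are hypothetical.

```python
import hashlib
import struct

PAGE = 4096
PRESENT = 0x1  # bit 0 of a PDE/PTE (assumed 32-bit x86 non-PAE paging)

def read_u32(mem, paddr):
    return struct.unpack_from("<I", mem, paddr)[0]

def translate(mem, cr3, vaddr):
    """Walk the guest's two-level page table: guest virtual -> guest physical."""
    pde = read_u32(mem, (cr3 & ~0xFFF) + 4 * (vaddr >> 22))
    if not pde & PRESENT:
        raise LookupError(f"page directory entry not present for {vaddr:#x}")
    pte = read_u32(mem, (pde & ~0xFFF) + 4 * ((vaddr >> 12) & 0x3FF))
    if not pte & PRESENT:  # e.g. swapped out: cannot be measured right now
        raise LookupError(f"page not present for {vaddr:#x}")
    return (pte & ~0xFFF) | (vaddr & 0xFFF)

def measure(mem, cr3, vaddr, length):
    """SHA-256 over a guest-virtual range, read page by page from outside."""
    h = hashlib.sha256()
    while length > 0:
        paddr = translate(mem, cr3, vaddr)
        n = min(length, PAGE - (vaddr & 0xFFF))  # stay within one frame
        h.update(mem[paddr:paddr + n])
        vaddr, length = vaddr + n, length - n
    return h.hexdigest()

def build_guest():
    """Constructed guest: 8 frames, code at VA 0x08048000 on scattered frames."""
    mem = bytearray(8 * PAGE)
    cr3, pt = 1 * PAGE, 2 * PAGE
    code_va = 0x08048000
    struct.pack_into("<I", mem, cr3 + 4 * (code_va >> 22), pt | PRESENT)
    for i, frame in enumerate((6, 3)):  # non-contiguous physical frames
        idx = ((code_va >> 12) & 0x3FF) + i
        struct.pack_into("<I", mem, pt + 4 * idx, frame * PAGE | PRESENT)
        mem[frame * PAGE:(frame + 1) * PAGE] = bytes([0x90 + i]) * PAGE
    return mem, cr3, code_va

if __name__ == "__main__":
    mem, cr3, va = build_guest()
    baseline = measure(mem, cr3, va, 2 * PAGE)
    mem[6 * PAGE + 0x10] = 0xCC  # simulate an in-guest patch to the code
    print("tampered:", measure(mem, cr3, va, 2 * PAGE) != baseline)
```

A non-present page raises `LookupError` instead of being hashed as zeros, so a paged-out region is reported as unmeasurable and not as a false match or mismatch.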