Exploiting the x86 Architecture to Derive Virtual Machine State Information

Virtual machine introspection (VMI) describes the method of monitoring and analyzing the state of a virtual machine from the hypervisor level. Using knowledge of the virtual hardware architecture, it is possible to derive information about a guest operating system's state from the virtual machine state. We argue that by deriving this information it is possible to build VMI applications which are more robust against circumvention techniques than applications that do not rely on hardware knowledge. In this paper, we present various ways to leverage Intel's x86 architecture as well as the virtualization extensions from both Intel (VT-x) and AMD (SVM) to derive such information. Additionally, we describe how this derived information may be used in VMI-based security applications and against which threats they are most applicable.
