All You Ever Wanted to Know About Virtual Machine Introspection: Introduction · 2015-12-19 · All...

About Why VMI In-VM vs. Out-of-VM Hypervisor Definition

All You Ever Wanted to Know About Virtual Machine Introspection:

Introduction

Zhiqiang Lin

Department of Computer SciencesThe University of Texas at Dallas

August 24th, 2015

Outline

1 About

2 Why VMI

3 In-VM vs. Out-of-VM

4 Hypervisor Definition

Outline

1 About

2 Why VMI

About the Instructor

Assistant Professor at UTDallas

Founding Director of S3

Working with 6 PhDs, 4MS, 4 Undergraduate

Research is supported byDARPA, AFOSR, NSF,VMware

Building new systems and automatedtechniques to secure modern computersystems, including OS kernels and therunning software.

Research Interests

Software security (or binary codeanalysis)

Systems security, cloud computing(Virtualization, Introspection)

Memory or disk data analysis (forintrospection, digital forensics, andintrusion detection)

Research Interests

About This Lecture

This lecture aims to provide the students with the necessaryknowledge of VMI. It starts from the basic concept, to theprinciples behind, and the enabled applications.

In particular, based on years of experiences, the instructor willdiscuss how VMI works essentially, what the challenges are,and how to develop the practical VMI tools.

Hands on labs with pre built VM with the corresponding toolsets will also be provided in this lecture.

The Road Map

Guest-OS

CPU-Reg Phy-MEM H-Event Instruction

What hypervisor observes

…DISK

Guest-OSAssisted

Debug-Info Source-CodeData-structureAssisted

Binary-Code

With different constraints

Manual Debugging-Tool Compiler-AssistedThe Binary Analysis

Approaches

What we want

…Data-Type Interrupts ExceptionsObjects Sys-call Lib-callK-events

I i K l OSMalware Analysis

Intrusion Detection

Intrusion Prevention

Kernel Integrity

Memory Forensics

OSManagement

Applications

Deployment

Guest-OS, HypervisorHardwareHypervisor Hypervisor, Hardware Guest-OS, Hardware

Outline

1 About

2 Why VMI

Today’s Cyber

http://to-day2.blogspot.com/2013/08/cloud-mobile-social-big-data-monetizing.html

Today’s Cyber

http://to-day2.blogspot.com/2013/08/cloud-mobile-social-big-data-monetizing.html

About Virtualization

Hardware Layer

Virtualization Layer

Product‐VM Product‐VM Product‐VM

Linux Win‐7

..Windows XP

Virtualization (i.e.,hypervisor) [Popek and

Goldberg, 1974] has pushedour computing paradigmfrom multi-tasking tomulti-OS.

Multiplexing, Isolation,Migration, ...

Hardware Layer

Linux Win‐7

..Windows XP

Hardware Layer

Linux Win‐7

..Windows XP

Hardware Layer

Linux Win‐7

..Windows XP

On Anti-Virus Software Evolution

Operating Systems Linux Kernel

Virtual Machine Introspection (VMI) [Garfinkel et al, NDSS’03]

Hardware Layer

Product‐VM Product‐VM

Linux Win‐7

Introspection

Using a trusted,dedicated virtualizationlayer program to monitorthe running VMs

Intrusion DetectionMalware AnalysisMemory Forensics

Hardware Layer

Linux Win‐7

Introspection

Hardware Layer

Linux Win‐7

Introspection

Outline

1 About

2 Why VMI

Security monitoring system

M(S,P) → {True,False} (1)

where M denotes the security enforcing mechanism, S denotesthe current system state, and P denotes the predefined policy.

If the current state S satisfies the security policy P, then itis in a secure state (True)If M is an online mechanism, it can allow continuedexecution; Otherwise, snapshot based approach (e.g., forforensics).

Security monitoring system

M(S,P) → {True,False} (1)

where M denotes the security enforcing mechanism, S denotesthe current system state, and P denotes the predefined policy.

If the current state S satisfies the security policy P, then itis in a secure state (True)If M is an online mechanism, it can allow continuedexecution; Otherwise, snapshot based approach (e.g., forforensics).

In-VM Inspection

Operating Systems (In‐VM)

AdvantagesRich Abstractions. Plentyof abstractions for in-VMmonitors to extract the OSand process state.Fast Speed. In-VM statecan be directly accessed,and in-VM enforcement canbe instantly executedwithout any trapping intohypervisor.

DisadvantagesThe security monitoringsystem can be disabledFalse State can begenerated to mislead thedetection. Log files, procfilesThe Security Policy and TheSecurity EnforcingMechanism can betampered

In-VM Inspection

Out-of-VM Introspection

Operating Systems

Out‐of‐VMOut of VM

Advantages

Strong Isolation (TamperResilient)Transparent DeploymentComplete ViewHigh Cost-SavingLess Vulnerability

DisadvantagesNo Abstractions. No guestOS abstractions, no systemcalls, no file descriptor, novariables.Slow Speed. Additionaladdress translation, andworld switching.

Operating Systems

Advantages

Operating Systems

Advantages

Outline

1 About

2 Why VMI

Hypervisor Definition: Bare metal

Type 1 (bare metal) hypervisors, which run directly on thehost’s hardware to control the hardware and monitor the guestOS. Typical examples of such hypervisors include Xen,VMware ESX, and Microsoft Hyper-V.

Hypervisor Definition: Hosted

Type 2 (hosted) hypervisors, which run within a traditional OS.That is, a hosted hypervisor adds a distinct software layer atopthe host OS, and the guest OS becomes a third software layerabove the hardware. Well-known examples includeKVM/VMware Workstation/VirtualBox/QEMU.

Hypervisor Definition: Native

Native hypervisors that directly push the guest code toexecute natively on the hardware with hardware virtualization.

Hypervisor Definition: Emulation

Emulation hypervisors that translate each guest instructionfor an emulated execution with software virtualization.

All You Ever Wanted to Know About Virtual Machine Introspection: Introduction · 2015-12-19 · All...

Documents

Transcript of All You Ever Wanted to Know About Virtual Machine Introspection: Introduction · 2015-12-19 · All...