Difference between revisions of "Virtual Machine Introspection"

From Xen
Line 11:
* [http://tklengyel.github.io/drakvuf/ DRAKVUF - Dynamic Malware Analysis] (contains a number of demos)
* [https://github.com/Zentific/vmidbg vmidbg Enables debuggers to remotely access and manipulate VM memory, utilizing the virtual machine introspection capabilities of LibVMI]
* [https://github.com/Zentific/libvmi LibVMI]
+ * [https://github.com/libvmi/libvmi LibVMI on GitHub]
* [https://code.google.com/p/vmitools/ LibVMI home page]
+ * [http://libvmi.com/ LibVMI Home Page]

[[Category:Xen 4.5]]

Revision as of 18:42, 2 November 2015

You can find an excellent introduction on the topic here.

In Xen 4.5, VM introspection using Intel EPT / AMD RVI hardware virtualization functionality was added, building on the Xen Project Hypervisor's memory inspection APIs introduced in 2011. In Xen 4.6, a number of significant improvements to Xen's Virtual Machine Introspection (VMI) subsystems make it the best hypervisor for security applications. Hardware support for VM Functions (VMFunc), available on Intel's 4th generation Haswell CPUs and Atom Silvermont CPUs, decreases overheads. Support for Virtualization Exceptions, available on Intel's 5th generation Broadwell CPUs and Atom Goldmont CPUs, has significantly reduced latency. VMI support for ARM CPUs has also been added.

VMI addresses a number of security issues from outside the guest OS without relying on functionality that can be rendered unreliable by advanced malware. The approach works by auditing access to sensitive memory areas using hardware support in guests, unobtrusively and with minimal overhead, and allows control software running within a dedicated VM to allow or deny attempts to access sensitive memory based on policy and security heuristics.
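The allow-or-deny loop described above, as an added illustration that is not Xen or LibVMI code: a monitoring domain arms protected guest pages so every access traps, checks each forwarded EPT violation against a per-page policy, and for a permitted access opens the page for one instruction, single-steps the vCPU and re-arms the trap. The hypervisor interface is simulated; the permission enum, the policy entries and the guest frame numbers are constructed for the example.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>

/* Permission bits as a monitoring domain would arm them on a guest page
 * (the enum names are ours, not Xen's or LibVMI's). */
enum { ACC_R = 1, ACC_W = 2, ACC_X = 4 };
enum decision { NOT_PROTECTED, DENY, ALLOW_STEP, REARM, STRAY_STEP };

/* Policy: the accesses each protected guest frame (gfn) may receive. */
struct prot_page { uint64_t gfn; unsigned allowed; };
/* Per-vCPU state: are we mid single-step, and which page did we open up. */
struct vcpu_state { int stepping; uint64_t relaxed_gfn; };

#define NVCPU 4
static const struct prot_page policy[] = {
    { 0x1a0, ACC_R | ACC_X },  /* constructed: kernel text, never written */
    { 0x2b7, ACC_R },          /* constructed: syscall table, read only  */
};
static struct vcpu_state vcpus[NVCPU];

static const struct prot_page *lookup(uint64_t gfn) {
    for (size_t i = 0; i < sizeof policy / sizeof policy[0]; i++)
        if (policy[i].gfn == gfn) return &policy[i];
    return NULL;
}

/* EPT violation forwarded by the hypervisor: protected pages are armed
 * with no rights, so every access lands here and the policy decides. */
enum decision on_mem_event(int vcpu, uint64_t gfn, unsigned access, uint64_t rip) {
    const struct prot_page *p = lookup(gfn);
    if (!p) return NOT_PROTECTED;
    if (access & ~p->allowed) {
        printf("DENY  vcpu%d gfn=%#" PRIx64 " access=%u rip=%#" PRIx64 "\n",
               vcpu, gfn, access, rip);
        return DENY;               /* a real monitor skips or faults the insn */
    }
    /* Permitted: open the page so this one instruction completes, and
     * single-step so the trap is restored before anything else runs. */
    vcpus[vcpu].stepping = 1;
    vcpus[vcpu].relaxed_gfn = gfn;
    return ALLOW_STEP;
}

/* Single-step trap after the permitted instruction: put the trap back. */
enum decision on_singlestep(int vcpu) {
    if (!vcpus[vcpu].stepping) return STRAY_STEP;
    printf("REARM vcpu%d gfn=%#" PRIx64 "\n", vcpu, vcpus[vcpu].relaxed_gfn);
    vcpus[vcpu].stepping = 0;
    vcpus[vcpu].relaxed_gfn = 0;
    return REARM;
}
```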

Also see: