Difference between revisions of "Virtual Machine Introspection"

From Xen
Line 13: Line 13:
 
* [https://github.com/libvmi/libvmi LibVMI on GitHub]
 
* [https://github.com/libvmi/libvmi LibVMI on GitHub]
 
* [http://libvmi.com/ LibVMI Home Page]
 
* [http://libvmi.com/ LibVMI Home Page]
  +
* [https://blog.xenproject.org/2016/04/13/stealthy-monitoring-with-xen-altp2m/ Stealthy Monitoring with alt2pm]
   
 
[[Category:Xen 4.5]]
 
[[Category:Xen 4.5]]
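Review bot: the label on the added link line reads "alt2pm", while the URL slug on the same line spells the feature "altp2m". The label should be changed to "altp2m" so that the link text matches its target and a search for the feature name finds it.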

Revision as of 16:34, 13 April 2016

You can find an excellent introduction on the topic here.

In Xen 4.5, VM introspection using Intel EPT / AMD RVI hardware virtualization functionality was added, building on the Xen Project Hypervisor's Memory Inspection APIs introduced in 2011. In Xen 4.6, a number of significant improvements to Xen’s Virtual Machine Introspection (VMI) subsystems make it the best hypervisor for security applications. Hardware support for VM Functions (VMFunc), available on Intel’s 4th generation Haswell CPUs and Atom Silvermont CPUs, decreases overheads. Support for Virtualization Exceptions, now available on Intel’s 5th generation Broadwell CPUs and Atom Goldmont CPUs, has significantly reduced latency. VMI support for ARM CPUs has also been added.

VMI addresses a number of security issues from outside the guest OS, without relying on functionality that advanced malware can render unreliable. The approach uses hardware support to audit guest accesses to sensitive memory areas unobtrusively, with minimal overhead, and lets control software running within a dedicated VM allow or deny attempts to access sensitive memory based on policy and security heuristics.
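The control flow described above can be seen in a small model. This is an added example, not Xen or LibVMI code: a toy permission table stands in for EPT, and every name in it (`guest_write`, `policy`, `mem_event_t`, the page numbers) is hypothetical.

```c
#include <stdint.h>
#include <stdio.h>

/* Toy model (constructed, not Xen or LibVMI code) of EPT-style memory-access
   monitoring: the hypervisor keeps per-page permissions outside the guest,
   and a violation becomes an event for a monitor that applies policy. */
enum { ACC_R = 1, ACC_W = 2, ACC_X = 4 };
#define NPAGES 8

typedef struct { uint64_t gfn; int access; uint64_t rip; } mem_event_t;
typedef int (*monitor_cb)(const mem_event_t *ev);   /* 1 = allow, 0 = deny */

static uint8_t ept_perm[NPAGES];      /* permissions the guest cannot change */
static uint8_t guest_mem[NPAGES][16]; /* first 16 bytes of each guest page */
static monitor_cb monitor;
static unsigned events_seen;

/* Hypothetical policy: the protected page (gfn 3) may only be written by
   code executing from the trusted code page (gfn 1). */
static int policy(const mem_event_t *ev) {
    events_seen++;
    return ev->gfn == 3 && ev->access == ACC_W && (ev->rip >> 12) == 1;
}

static void vmi_model_init(void) {
    for (int i = 0; i < NPAGES; i++) ept_perm[i] = ACC_R | ACC_W | ACC_X;
    ept_perm[3] = ACC_R;              /* sensitive page: writes trap */
    monitor = policy;
    events_seen = 0;
}

/* A guest write: returns 1 if it landed, 0 if the monitor denied it. */
static int guest_write(uint64_t rip, uint64_t gpa, uint8_t val) {
    uint64_t gfn = gpa >> 12;
    if (gfn >= NPAGES) return 0;
    if (!(ept_perm[gfn] & ACC_W)) {   /* violation -> event to the monitor */
        mem_event_t ev = { gfn, ACC_W, rip };
        if (!monitor(&ev)) return 0;  /* denied: guest memory untouched */
    }
    guest_mem[gfn][gpa & 15] = val;   /* allowed, or page not monitored */
    return 1;
}

int main(void) {
    vmi_model_init();
    int trusted = guest_write(0x1010, 0x3004, 0xAA);   /* rip in gfn 1 */
    int untrusted = guest_write(0x5010, 0x3004, 0xBB); /* rip in gfn 5 */
    printf("trusted=%d untrusted=%d events=%u\n", trusted, untrusted, events_seen);
    return 0;
}
```

Writes to unmonitored pages never reach the monitor, which is why the overhead stays confined to the pages marked sensitive.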

Also see: