Difference between revisions of "Virtual Machine Introspection"

From Xen
(Add Xendbg)
Line 27: Line 27:
   
 
== Related Projects ==
 
== Related Projects ==
  +
* Malware analysis
* [http://tklengyel.github.io/drakvuf/ DRAKVUF - Dynamic Malware Analysis] (contains a number of demos)
 
  +
** [http://tklengyel.github.io/drakvuf/ DRAKVUF - Dynamic Malware Analysis] (contains a number of demos)
* [https://github.com/Zentific/vmidbg vmidbg Enables debuggers to remotely access and manipulate VM memory, utilizing the virtual machine introspection capabilities of LibVMI]
 
  +
* Hypervisor-level debugger
* [https://github.com/Wenzel/r2vmi Hypervisor-Level Debugger based on Radare2/LibVMI]
 
  +
** [https://github.com/Zentific/vmidbg vmidbg Enable s debuggers to remotely access and manipulate VM memory, utilizing the virtual machine introspection capabilities of LibVMI]
* [https://github.com/Wenzel/pyvmidbg pyvmidbg: LibVMI based GDB stub, a flexible hypervisor-level debugger]
 
* [https://github.com/libvmi/libvmi LibVMI on GitHub]
+
** [https://github.com/Wenzel/r2vmi Hypervisor-Level Debugger based on Radare2/LibVMI]
  +
** [https://github.com/Wenzel/pyvmidbg pyvmidbg: LibVMI based GDB stub, a flexible hypervisor-level debugger]
* [http://libvmi.com/ LibVMI Home Page]
 
  +
** [https://github.com/nccgroup/xendbg xendbg: Xen VMI Debugger: Debug Xen PV and HVM guests]
* [https://blog.xenproject.org/2015/08/04/the-bitdefender-virtual-machine-introspection-library-is-now-on-github/ The Bitdefender virtual machine introspection library is now on GitHub]
 
  +
* VMI libraries
  +
** [https://github.com/libvmi/libvmi LibVMI on GitHub]
  +
** [http://libvmi.com/ LibVMI Home Page]
  +
** [https://blog.xenproject.org/2015/08/04/the-bitdefender-virtual-machine-introspection-library-is-now-on-github/ The Bitdefender virtual machine introspection library is now on GitHub]
  +
-virtual-machine-introspection-library-is-now-on-github/
   
 
== Commercial Applications (in alphabetical order) ==
 
== Commercial Applications (in alphabetical order) ==
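Review bot: the restructured vmidbg entry in the new revision reads "vmidbg Enable s debuggers to remotely access..." where the previous revision had "Enables debuggers"; the space inside "Enables" is a typo introduced by this edit and should be "Enables". The bare fragment "-virtual-machine-introspection-library-is-now-on-github/" left below the VMI libraries list is a leftover tail of the Bitdefender blog URL, which is already complete on the preceding line; delete it, since it renders as stray text in the saved revision.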

Revision as of 10:23, 31 January 2019

In Xen 4.5, VM introspection using Intel EPT / AMD RVI hardware virtualization functionality was added, building on the Xen Project Hypervisor's memory inspection APIs introduced in 2011. In Xen 4.6 a number of significant improvements to Xen's Virtual Machine Introspection (VMI) subsystem make it the best hypervisor for security applications. Hardware support for VM Functions (VMFUNC), available on Intel's 4th generation Haswell CPUs and Atom Silvermont CPUs, decreases overheads. Support for Virtualization Exceptions, now available on Intel's 5th generation Broadwell CPUs and Atom Goldmont CPUs, has significantly reduced latency. VMI support for ARM CPUs has also been added. Further improvements were made in Xen 4.7 and 4.8.

VMI addresses a number of security issues from outside the guest OS, without relying on in-guest functionality that advanced malware can render unreliable. The approach works by auditing accesses to sensitive memory areas using hardware support in the guest, unobtrusively and with minimal overhead, and lets control software running in a dedicated VM allow or deny attempts to access sensitive memory based on policy and security heuristics.
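As an added illustration of the allow-or-deny flow just described (not code from the Xen wiki, Xen or LibVMI), the following self-contained C model treats a small EPT as a permission table: sensitive frames lose write permission, a trapped write is delivered to the monitor as a constructed mem_event, and the monitor's policy decides whether the write lands. The frame numbers, trusted code range and memory contents are all constructed; a real monitor receives the same events through the vm_event ring or LibVMI.

```c
/* Added example (not Xen or LibVMI code): a self-contained model of the EPT-based
 * memory-access auditing described above. Frames, bits and ranges are constructed. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#define NPAGES 16
enum { PERM_R = 1, PERM_W = 2, PERM_X = 4 };
enum decision { DENY = 0, ALLOW = 1 };
struct mem_event { uint32_t gfn; uint64_t rip; };  /* what vm_event would deliver */
static uint8_t  ept[NPAGES];       /* simulated EPT permission per guest frame      */
static uint64_t guest_mem[NPAGES]; /* one word per frame stands in for its contents */
static const uint32_t sensitive_gfns[] = { 3, 7 };        /* e.g. kernel text, syscall table */
static const uint64_t trusted_lo = 0xffff800000010000ULL; /* constructed: guest code that */
static const uint64_t trusted_hi = 0xffff800000020000ULL; /* may legitimately patch them  */
static unsigned denied_events;

/* Hypervisor side: every frame stays RWX except sensitive ones, which lose W so
 * that a guest write to them faults into the monitor instead of landing. */
void protect_sensitive_pages(void) {
    for (uint32_t g = 0; g < NPAGES; g++) ept[g] = PERM_R | PERM_W | PERM_X;
    for (size_t i = 0; i < sizeof sensitive_gfns / sizeof *sensitive_gfns; i++)
        ept[sensitive_gfns[i]] &= (uint8_t)~PERM_W;
    denied_events = 0;
}
uint8_t  ept_perm(uint32_t gfn)   { return ept[gfn]; }
uint64_t guest_read(uint32_t gfn) { return guest_mem[gfn]; }
unsigned denied_count(void)       { return denied_events; }

/* Monitor side (privileged VM): only writes issued from the trusted code range
 * are allowed; anything else is reported and blocked. */
enum decision monitor_policy(const struct mem_event *ev) {
    if (ev->rip >= trusted_lo && ev->rip < trusted_hi) return ALLOW;
    printf("DENY: write to gfn %u from rip 0x%llx\n", (unsigned)ev->gfn, (unsigned long long)ev->rip);
    denied_events++;
    return DENY;
}

/* Guest write attempt; true if the write lands. An allowed trapped write gets W for
 * that single access, then the trap is re-armed (the step-and-restore pattern altp2m makes cheap). */
bool guest_write(uint32_t gfn, uint64_t rip, uint64_t value) {
    if (gfn >= NPAGES) return false;
    bool trapped = !(ept[gfn] & PERM_W);           /* EPT violation -> event */
    if (trapped) {
        struct mem_event ev = { gfn, rip };
        if (monitor_policy(&ev) == DENY) return false;
        ept[gfn] |= PERM_W;                        /* grant for this one access */
    }
    guest_mem[gfn] = value;
    if (trapped) ept[gfn] &= (uint8_t)~PERM_W;     /* re-arm the trap */
    return true;
}
```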

Key contributors in alphabetical order: Bitdefender, Intel, Novetta, Zentific

Chronology

  • 2009: First patches for the mem_event API
  • 2011: Xen 4.1: First memory introspection API upstream
  • 2015: Xen 4.5: VM introspection using Intel EPT / AMD RVI hardware virtualization
  • 2015: Xen 4.6:
    • mem_event becomes vm_event to support all kinds of hardware events (interrupts, registers, etc.)
    • x86 and ARM introspection support
    • hardware support for VMFUNC
    • altp2m


Background Information, papers, presentations

Related Projects


Commercial Applications (in alphabetical order)