Virtual Machine Introspection

From Xen
Latest revision as of 13:51, 22 February 2019

In Xen 4.5, VM introspection using Intel EPT / AMD RVI hardware virtualization functionality was added, building on the Xen Project Hypervisor's memory inspection APIs introduced in 2011. In Xen 4.6 a number of significant improvements to Xen's Virtual Machine Introspection (VMI) subsystem make it the best hypervisor for security applications. Hardware support for VM Functions (VMFUNC), available on Intel's 4th generation Haswell CPUs and Atom Silvermont CPUs, decreases overheads. Support for Virtualization Exceptions (#VE), available on Intel's 5th generation Broadwell CPUs and Atom Goldmont CPUs, has significantly reduced latency. VMI support for ARM CPUs has also been added. Further improvements were made in Xen 4.7 and 4.8.

VMI addresses a number of security issues from outside the guest OS without relying on functionality that can be rendered unreliable by advanced malware. The approach works by auditing access to sensitive memory areas using hardware support in guests, unobtrusively and with minimal overhead, and allows control software running within a dedicated VM to allow or deny attempts to access sensitive memory based on policy and security heuristics.

Key contributors in alphabetical order: Bitdefender, Intel, Novetta, Zentific

== Chronology ==
* 2009: First patches for the mem_event API
* 2011: Xen 4.1: First memory introspection API upstream
* 2015: Xen 4.5: VM introspection using Intel EPT / AMD RVI hardware virtualization
* 2015: Xen 4.6:
** mem_event becomes vm_event to support all kinds of hardware events (interrupts, registers, etc.)
** x86 and ARM introspection support
** hardware support for VMFUNC
** altp2m
* 2017: Xen 4.10
** Significant improvements to the VMI subsystem
** altp2m support for Arm
* 2019: Xen 4.12
** Significant improvements to #VE/VMFUNC support and altp2m

== Background Information, papers, presentations ==
* [https://www.linux.com/news/virtual-machine-introspection-security-innovation-new-commercial-applications Virtual Machine Introspection: A Security Innovation With New Commercial Applications (2016)]
* [http://www.wesrch.com/electronics/paper-details/pdf-EL11TZ000PYAA-hypervisor-extensions-for-virtual-machine-memory-introspection Hypervisor Extensions for Virtual Machine Memory Introspection (2016)]
* [http://www.sciencedirect.com/science/article/pii/S1742287616300081 TLSkex: Harnessing virtual machine introspection for decrypting TLS communication (2016)]
* [https://blog.xenproject.org/2016/04/13/stealthy-monitoring-with-xen-altp2m/ Stealthy Monitoring with altp2m (2016)]
* [http://www.slideshare.net/tklengyel/stealthy-hypervisorbased-malware-analysis Stealthy, Hypervisor-based Malware Analysis (2016)]
* [https://www.youtube.com/watch?v=k0BVFyyuvRA Virtual Machine Introspection with Xen (2015)]
* [https://www.youtube.com/watch?v=nKrfsGvZgvo VM Introspection: Practical Applications (2015)]
* [https://www.youtube.com/watch?v=GGjPU6jHi_w YouTube video] ([http://events.linuxfoundation.org/sites/events/files/slides/Zero-Footprint%20Guest%20Memory%20Introspection%20from%20Xen%20_%20draft11.pdf presentation]) (2014)

== Related Projects ==
* Malware analysis
** [http://tklengyel.github.io/drakvuf/ DRAKVUF - Dynamic Malware Analysis] (contains a number of demos)
* Hypervisor-level debugger
** [https://github.com/Zentific/vmidbg vmidbg: enables debuggers to remotely access and manipulate VM memory, utilizing the virtual machine introspection capabilities of LibVMI]
** [https://github.com/Wenzel/r2vmi Hypervisor-Level Debugger based on Radare2/LibVMI]
** [https://github.com/Wenzel/pyvmidbg pyvmidbg: LibVMI based GDB stub, a flexible hypervisor-level debugger]
** [https://github.com/nccgroup/xendbg xendbg: Xen VMI Debugger: Debug Xen PV and HVM guests]
* VMI libraries
** [https://github.com/libvmi/libvmi LibVMI on GitHub]
** [http://libvmi.com/ LibVMI Home Page]
** [https://blog.xenproject.org/2015/08/04/the-bitdefender-virtual-machine-introspection-library-is-now-on-github/ The Bitdefender virtual machine introspection library is now on GitHub]

== Commercial Applications (in alphabetical order) ==
* AIS IntroVirt (XenServer)
** [https://www.ainfosec.com/innovative-products/#introvirt IntroVirt]
* Bitdefender Hypervisor Introspection (for XenServer)
** [http://xenserver.org/blog/entry/xenserver-dundee-released.html XenServer 7.0 with Direct Inspect API set (which essentially is VMI)]
** [https://www.bitdefender.com/business/hypervisor-introspection.html Bitdefender Hypervisor Introspection]
** [https://www.youtube.com/watch?v=qUsqKoGX-U0 Video: The XenServer Direct Inspect API and Bitdefender Hypervisor Introspection]
** [https://www.youtube.com/watch?v=5j0_cpxra7A Video: Bitdefender Hypervisor Introspection Demo]
* Zentific Zazen (for Xen Project and XenServer)
** [https://www.zentific.com/zazen/ Zazen Product page]

[[Category:Xen 4.5]]
[[Category:Xen 4.6]]
[[Category:Xen 4.7]]
[[Category:Xen 4.8]]
[[Category:Security]]