Virtual Machine Introspection

From Xen
Latest revision as of 13:51, 22 February 2019

In Xen 4.5, VM introspection using the Intel EPT / AMD RVI hardware virtualization functionality was added, building on the Xen Project hypervisor's memory inspection (mem_event) APIs introduced in 2011. Xen 4.6 brought a number of significant improvements to Xen's Virtual Machine Introspection (VMI) subsystem that make it particularly well suited to security applications. Hardware support for VM Functions (VMFUNC), available on Intel's 4th generation Haswell CPUs and Atom Silvermont CPUs, reduces overhead because a guest can switch between memory views without a VM exit. Support for Virtualization Exceptions (#VE), available on Intel's 5th generation Broadwell CPUs and Atom Goldmont CPUs, significantly reduces latency by delivering EPT violations to an in-guest handler instead of exiting to the hypervisor. VMI support for ARM CPUs has also been added. Further improvements were made in Xen 4.7 and 4.8.

VMI addresses a number of security problems from outside the guest OS, without relying on in-guest functionality (drivers, hooks, kernel data structures) that advanced malware can disable or tamper with. The approach works by restricting the permissions of sensitive guest memory regions in the second-level page tables (EPT/RVI) so that the hardware traps accesses to them with minimal overhead, and lets a control agent running in a dedicated VM allow or deny each attempted access based on policy and security heuristics. Because the agent sees only raw guest memory and registers, it has to bridge the semantic gap itself, for example with kernel symbol information, which is what libraries such as LibVMI provide.
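The following is an added example, not code from the Xen project: a self-contained model of the policy side of an EPT/RVI-based introspection agent as described above, covering both the trap-and-decide loop and the altp2m/VMFUNC style of letting an approved access through on a relaxed per-vCPU view. The two "p2m" views, the fault events, the trusted code range and the vCPU state are all constructed in memory; nothing here calls the real vm_event ring or the altp2m API in libxenctrl.

```c
/* Added example (not Xen's own code): a model of a vm_event-style monitor
 * loop that enforces a page-level write policy the way an EPT/RVI-based
 * introspection agent does. Views, events and vCPU state are constructed;
 * no Xen API (libxenctrl, vm_event ring, xc_altp2m_*) is used. */
#include <stdint.h>
#include <stdbool.h>
#include <string.h>
#include <stdio.h>

/* r/w/x rights a second-level page-table entry can grant. */
#define A_R 1u
#define A_W 2u
#define A_X 4u

#define NPAGES 8u               /* constructed guest frame window: gfn 0..7 */
#define SENSITIVE_GFN 3u        /* assumed: a page holding e.g. the syscall table */

/* Two views of the same guest memory, as altp2m provides:
 * view 0 is what the guest normally runs under; view 1 is a relaxed copy
 * used only to let a single approved instruction complete. */
static uint8_t view[2][NPAGES];

struct vcpu {
    unsigned cur_view;      /* view this vCPU currently executes under */
    bool single_step;       /* single-step (MTF) armed */
};

struct violation {          /* what vm_event delivers for an EPT/RVI fault */
    uint64_t gfn;
    unsigned access;        /* A_R / A_W / A_X that was attempted */
    uint64_t rip;
};

/* Policy: writes to the sensitive page are legitimate only from a trusted
 * code range (assumed: kernel text at 0xffff800000000000 .. +1 MiB). */
static const uint64_t TRUSTED_LO = 0xffff800000000000ull;
static const uint64_t TRUSTED_HI = 0xffff800000100000ull;

void vmi_init(void)
{
    memset(view, A_R | A_W | A_X, sizeof view);
    /* Normal view: sensitive page readable/executable but not writable,
     * so every write to it traps to the monitor. */
    view[0][SENSITIVE_GFN] = A_R | A_X;
    /* Alternate view: same page writable. */
    view[1][SENSITIVE_GFN] = A_R | A_W | A_X;
}

/* Would the hardware fault for this access under the vCPU's current view? */
bool would_fault(const struct vcpu *v, const struct violation *ev)
{
    return ev->gfn < NPAGES && (view[v->cur_view][ev->gfn] & ev->access) == 0;
}

/* Policy decision: 1 = allow, 0 = deny. */
int decide(const struct violation *ev)
{
    if (ev->gfn != SENSITIVE_GFN)
        return 1;                       /* not a protected page */
    if (ev->access != A_W)
        return 1;                       /* only writes are restricted */
    return ev->rip >= TRUSTED_LO && ev->rip < TRUSTED_HI;
}

/* Monitor's response to one fault; returns the verdict.
 * Allow: switch this vCPU to the relaxed view and arm single-step so the
 * faulting instruction is retried and completes; step_done() switches back.
 * Deny: the access is not performed. A real monitor would emulate the
 * instruction with no effect or inject a fault into the guest. */
int handle_violation(struct vcpu *v, const struct violation *ev)
{
    if (!would_fault(v, ev))
        return 1;                       /* spurious: nothing to enforce */
    if (!decide(ev))
        return 0;
    v->cur_view = 1;
    v->single_step = true;
    return 1;
}

/* After the single-stepped instruction retires: restore the restrictive
 * view so the next write to the page traps again. */
void step_done(struct vcpu *v)
{
    v->cur_view = 0;
    v->single_step = false;
}

/* Replay a constructed event trace; returns the number of denied accesses. */
int replay(struct vcpu *v, const struct violation *trace, size_t n)
{
    int denied = 0;
    for (size_t i = 0; i < n; i++) {
        if (!handle_violation(v, &trace[i]))
            denied++;
        else if (v->single_step)
            step_done(v);
    }
    return denied;
}

int main(void)
{
    struct vcpu v = {0, false};
    /* Constructed trace: a legitimate kernel write, a rootkit-style write
     * from outside the trusted range, and a harmless read of the same page. */
    const struct violation trace[] = {
        { SENSITIVE_GFN, A_W, 0xffff800000012340ull },
        { SENSITIVE_GFN, A_W, 0xffffc90000401000ull },
        { SENSITIVE_GFN, A_R, 0xffffc90000401000ull },
    };
    vmi_init();
    int denied = replay(&v, trace, 3);
    printf("denied %d of 3 accesses, vcpu back on view %u\n", denied, v.cur_view);
    return 0;
}
```

Two points the model makes visible: the relaxed view is switched per vCPU, which is why altp2m is preferable to temporarily rewriting the single shared p2m (other vCPUs keep trapping while one instruction is stepped), and the allow rule keys on the faulting RIP alone, so an attacker who can redirect control into the trusted range (for example via a gadget there) passes the check; production policies combine the RIP with further heuristics for that reason.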

Key contributors in alphabetical order: Bitdefender, Intel, Novetta, Zentific

Chronology

  • 2009: First patches for the mem_event API
  • 2011: Xen 4.1: First memory introspection API upstream
  • 2015: Xen 4.5: VM introspection using Intel EPT / AMD RVI hardware virtualization
  • 2015: Xen 4.6:
    • mem_event becomes vm_event to support all kinds of hardware events (interrupts, registers, etc.)
    • x86 and ARM introspection support
    • hardware support for VMFUNC
    • altp2m
  • 2017: Xen 4.10
    • Significant improvements to the VMI subsystem
    • altp2m support for Arm
  • 2019: Xen 4.12
    • Significant improvements to #VE/VMFUNC support and altp2m

Background Information, papers, presentations

Related Projects

  • Malware analysis
    • DRAKVUF - Dynamic Malware Analysis (http://tklengyel.github.io/drakvuf/) (contains a number of demos)
  • Hypervisor-level debuggers
    • vmidbg: enables debuggers to remotely access and manipulate VM memory, utilizing the virtual machine introspection capabilities of LibVMI (https://github.com/Zentific/vmidbg)
    • r2vmi: hypervisor-level debugger based on Radare2/LibVMI (https://github.com/Wenzel/r2vmi)
    • pyvmidbg: LibVMI based GDB stub, a flexible hypervisor-level debugger (https://github.com/Wenzel/pyvmidbg)
    • xendbg: Xen VMI debugger for Xen PV and HVM guests (https://github.com/nccgroup/xendbg)
  • VMI libraries
    • LibVMI on GitHub (https://github.com/libvmi/libvmi)
    • LibVMI home page (http://libvmi.com/)
    • The Bitdefender virtual machine introspection library is now on GitHub (https://blog.xenproject.org/2015/08/04/the-bitdefender-virtual-machine-introspection-library-is-now-on-github/)

Commercial Applications (in alphabetical order)