Difference between revisions of "Virtual Machine Introspection"

From Xen
(Add Xendbg)
m (Related Projects)
Line 38: Line 38:

** [http://libvmi.com/ LibVMI Home Page]

** [https://blog.xenproject.org/2015/08/04/the-bitdefender-virtual-machine-introspection-library-is-now-on-github/ The Bitdefender virtual machine introspection library is now on GitHub]

== Commercial Applications (in alphabetical order) ==

Revision as of 10:24, 31 January 2019

In Xen 4.5, VM introspection using Intel EPT / AMD RVI hardware virtualization functionality was added, building on the Xen Project Hypervisor's memory inspection APIs introduced in 2011. In Xen 4.6, a number of significant improvements to Xen's Virtual Machine Introspection (VMI) subsystems make it the best hypervisor for security applications. Hardware support for VM Functions (VMFunc), available on Intel's 4th generation Haswell CPUs and Atom Silvermont CPUs, decreases overheads. Support for Virtualization Exceptions, now available on Intel's 5th generation Broadwell CPUs and Atom Goldmont CPUs, has significantly reduced latency. VMI support for ARM CPUs has also been added. Further improvements were made in Xen 4.7 and 4.8.

VMI addresses a number of security issues from outside the guest OS without relying on guest functionality that advanced malware can render unreliable. The approach works by auditing access to sensitive memory areas using hardware support, unobtrusively and with minimal overhead for the guest, and allows control software running within a dedicated VM to allow or deny attempts to access sensitive memory based on policy and security heuristics.

Key contributors in alphabetical order: Bitdefender, Intel, Novetta, Zentific

Chronology

  • 2009: First patches for the mem_event API
  • 2011: Xen 4.1: First memory introspection API upstream
  • 2015: Xen 4.5: VM introspection using Intel EPT / AMD RVI hardware virtualization
  • 2015: Xen 4.6:
    • mem_event becomes vm_event to support all kinds of hardware events (interrupts, registers, etc.)
    • x86 and ARM introspection support
    • hardware support for VMFUNC
    • altp2m


Background Information, papers, presentations

Related Projects

Commercial Applications (in alphabetical order)