Abstract
Dynamic analysis is an important technology for different phases of the software life cycle. Dynamic analysis is used for profiling, malware analysis, intrusion detection, protocol reverse engineering, software testing, and many other activities. This paper presents a lightweight approach for monitoring of systems using virtual machines. Our approach is based on non-intrusive virtual machine introspection, which provides system-wide analysis capabilities. We reuse ABI of the platform to be analyzed for creating introspection tools. We show how to recover the part of kernel-level information related to the system calls executed on the guest machine. The paper describes how to use this approach to create plugin-based analysis framework for simulator QEMU and evaluates performance overhead for these plugins.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Similar content being viewed by others
Notes
References
Azmandian, F., Moffie, M., Alshawabkeh, M., Dy, J., Aslam, J., Kaeli, D.: Virtual machine monitor-based lightweight intrusion detection. SIGOPS Oper. Syst. Rev. 45(2), 38–53 (2011). http://doi.acm.org/10.1145/2007183.2007189
Bellard, F.: Qemu, a fast and portable dynamic translator. In: Proceedings of the Annual Conference on USENIX Annual Technical Conference, ATEC 2005, p. 41. USENIX Association, Berkeley (2005). http://dl.acm.org/citation.cfm?id=1247360.1247401
Bungale, P.P., Luk, C.K.: Pinos: a programmable framework for whole-system dynamic instrumentation. In: Proceedings of the 3rd International Conference on Virtual Execution Environments, VEE 2007, pp. 137–147. ACM, New York (2007). http://doi.acm.org/10.1145/1254810.1254830
Chen, P., Noble, B.: When virtual is better than real [operating system relocation to virtual machines]. In: Proceedings of the Eighth Workshop on Hot Topics in Operating Systems, 2001, pp. 133–138, May 2001
Dolan-Gavitt, B., Hodosh, J., Hulin, P., Leek, T., Whelan, R.: Repeatable reverse engineering for the greater good with panda, October 2014
Dolan-Gavitt, B., Hodosh, J., Hulin, P., Leek, T., Whelan, R.: Repeatable reverse engineering with panda. In: Proceedings of the 5th Program Protection and Reverse Engineering Workshop, PPREW-5, pp. 4:1–4:11. ACM, New York (2015). http://doi.acm.org/10.1145/2843859.2843867
Dolan-Gavitt, B., Leek, T., Hodosh, J., Lee, W.: Tappan zee (north) bridge: mining memory accesses for introspection. In: Proceedings of the 2013 ACM SIGSAC Conference on Computer & #38; Communications Security, CCS 2013, pp. 839–850. ACM, New York (2013). http://doi.acm.org/10.1145/2508859.2516697
Dolan-Gavitt, B., Leek, T., Zhivich, M., Giffin, J., Lee, W.: Virtuoso: narrowing the semantic gap in virtual machine introspection. In: Proceedings of the 2011 IEEE Symposium on Security and Privacy, SP 2011, pp. 297–312. IEEE Computer Society, Washington, DC (2011). https://doi.org/10.1109/SP.2011.11
Dovgalyuk, P.: Deterministic replay of system’s execution with multi-target qemu simulator for dynamic analysis and reverse debugging. In: Proceedings of the 2012 16th European Conference on Software Maintenance and Reengineering, CSMR 2012, pp. 553–556. IEEE Computer Society, Washington, DC (2012)
Dovgalyuk, P., Dmitriev, D., Makarov, V.: Don’t panic: reverse debugging of kernel drivers. In: Proceedings of the 2015 10th Joint Meeting on Foundations of Software Engineering, ESEC/FSE 2015, pp. 938–941. ACM, New York (2015). http://doi.acm.org/10.1145/2786805.2803179
Fu, Y., Lin, Z.: Space traveling across vm: automatically bridging the semantic gap in virtual machine introspection via online kernel data redirection. In: 2012 IEEE Symposium on Security and Privacy (SP), pp. 586–600, May 2012
Garfinkel, T., Rosenblum, M.: A virtual machine introspection based architecture for intrusion detection. In: Proceedings of the Network and Distributed Systems Security Symposium, pp. 191–206 (2003)
Guillon, C.: Program instrumentation with qemu. In: 1st International QEMU Users Forum, vol. 1, pp. 15–18 (2011)
Henderson, A., Prakash, A., Yan, L.K., Hu, X., Wang, X., Zhou, R., Yin, H.: Make it work, make it right, make it fast: Building a platform-neutral whole-system dynamic binary analysis platform. In: Proceedings of the 2014 International Symposium on Software Testing and Analysis, ISSTA 2014, pp. 248–258. ACM, New York (2014). http://doi.acm.org/10.1145/2610384.2610407
Hizver, J., Chiueh, T.c.: Real-time deep virtual machine introspection and its applications. In: Proceedings of the 10th ACM SIGPLAN/SIGOPS International Conference on Virtual Execution Environments, VEE 2014, pp. 3–14. ACM, New York (2014). http://doi.acm.org/10.1145/2576195.2576196
Julino, J.: Lightweight introspection for full system simulations. Diploma thesis, System Architecture Group, Karlsruhe Institute of Technology (KIT), Germany, 1 March 2014. http://os.itec.kit.edu/
Lawton, K.P.: Bochs: A portable pc emulator for unix/x. Linux J. 1996(29es) (1996). http://dl.acm.org/citation.cfm?id=326350.326357
Lefebvre, G., Cully, B., Head, C., Spear, M., Hutchinson, N., Feeley, M., Warfield, A.: Execution mining. SIGPLAN Not. 47(7), 145–158 (2012). http://doi.acm.org/10.1145/2365864.2151044
Luk, C.K., Cohn, R., Muth, R., Patil, H., Klauser, A., Lowney, G., Wallace, S., Reddi, V.J., Hazelwood, K.: Pin: building customized program analysis tools with dynamic instrumentation. In: Proceedings of the 2005 ACM SIGPLAN Conference on Programming Language Design and Implementation, PLDI 2005, pp. 190–200. ACM, New York (2005). http://doi.acm.org/10.1145/1065010.1065034
More, A., Tapaswi, S.: Virtual machine introspection: towards bridging the semantic gap. J. Cloud Comput. 3(1), 1–14 (2014). https://doi.org/10.1186/s13677-014-0016-2
Tong, X., Moshovos, A.: Qtrace: a framework for customizable full system instrumentation. In: 2015 IEEE International Symposium on Performance Analysis of Systems and Software (ISPASS), pp. 245–255, March 2015
Yan, L.K., Yin, H.: Droidscope: seamlessly reconstructing the os and dalvik semantic views for dynamic android malware analysis. In: Proceedings of the 21st USENIX Conference on Security Symposium, Security 2012, p. 29. USENIX Association, Berkeley (2012). http://dl.acm.org/citation.cfm?id=2362793.2362822
Acknowledgment
The work was partially supported by the Ministry of Education and Science of Russia, research project No. 2.6146.2017/8.9.
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2018 Springer International Publishing AG
About this paper
Cite this paper
Fursova, N., Dovgalyuk, P., Vasiliev, I., Makarov, V. (2018). Lightweight Non-intrusive Virtual Machine Introspection. In: Petrenko, A., Voronkov, A. (eds) Perspectives of System Informatics. PSI 2017. Lecture Notes in Computer Science(), vol 10742. Springer, Cham. https://doi.org/10.1007/978-3-319-74313-4_11
Download citation
DOI: https://doi.org/10.1007/978-3-319-74313-4_11
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-74312-7
Online ISBN: 978-3-319-74313-4
eBook Packages: Computer ScienceComputer Science (R0)