Exploring Efficient and Robust Virtual Machine Introspection Techniques

  • Chonghua Wang
  • Xiaochun Yun
  • Zhiyu Hao
  • Lei Cui
  • Yandong Han
  • Qingxin Zou
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9530)


When putting virtual machine introspection (VMI) into practice, administrators may be overwhelmed by dozens of research works. Specifically, the introspection mechanisms they adopt perform differently with regard to various performance and security requirements. Besides, most previous works do not clarify the boundary between the Trusted Computing Base (TCB) and attacks against introspection. This paper aims to help administrators determine the appropriate introspection approach. Firstly, we summarize current VMI technologies and present a classification method based mainly on whether hardware assistance is required, how the semantic gap problem is solved, and how introspection is triggered. Secondly, we discuss how to achieve a good trade-off between the two metrics of performance and security. Thirdly, we propose a TCB threat model that employs VMI along with other enhancing mechanisms to tackle attacks at different levels of the TCB. Finally, we discuss some future trends related to VMI for further improving security.
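The two concerns the abstract names, bridging the semantic gap and staying robust against attacks on the introspection view, can be illustrated with a small out-of-VM monitor. The following is an added example written for this page, not code from the paper or its authors. It constructs a toy guest memory snapshot with an assumed task-struct layout (a magic field, pid, next pointer and name; not the real Linux layout), reconstructs the process list two ways (a linked-list walk, which is what an in-guest tool sees, and a signature scan of the whole snapshot), and reports processes present in memory but missing from the list. The signature-scan cross-view check goes beyond what the abstract itself describes; it is one standard way introspection stays robust when a rootkit unlinks a kernel object.

```python
import struct

# Constructed toy task layout (assumption; not the real Linux task_struct):
#   u32 magic | u32 pid | u64 next (guest virtual address) | char comm[16]
MAGIC = 0x54534B54
TASK_FMT = "<IIQ16s"
TASK_SIZE = struct.calcsize(TASK_FMT)    # 32 bytes
KERNEL_BASE = 0xFFFF800000000000          # assumed guest virtual base of the snapshot
PAGE = 4096


class GuestSnapshot:
    """Read-only guest memory, as a hypervisor exposes it to an out-of-VM monitor."""

    def __init__(self, mem: bytes, base: int = KERNEL_BASE):
        self.mem, self.base = mem, base

    def contains(self, gva: int, size: int) -> bool:
        off = gva - self.base
        return 0 <= off and off + size <= len(self.mem)

    def read(self, gva: int, size: int) -> bytes:
        if not self.contains(gva, size):
            raise ValueError(f"guest address {gva:#x} is outside the snapshot")
        off = gva - self.base
        return self.mem[off:off + size]

    def read_task(self, gva: int):
        """Apply the struct layout (the 'semantic knowledge') to raw bytes."""
        magic, pid, nxt, comm = struct.unpack(TASK_FMT, self.read(gva, TASK_SIZE))
        return magic, pid, nxt, comm.split(b"\0", 1)[0].decode("ascii", "replace")


def walk_task_list(snap: GuestSnapshot, init_task: int, limit: int = 4096) -> dict:
    """Linked-list view: what an in-guest process lister sees.
    The walk is bounded so a corrupted or malicious list cannot spin forever."""
    seen, cur = {}, init_task
    for _ in range(limit):
        _, pid, nxt, comm = snap.read_task(cur)
        seen[pid] = comm
        if nxt == init_task:          # circular list closed: done
            return seen
        cur = nxt
    raise RuntimeError("task list did not close; possible corruption")


def scan_task_signatures(snap: GuestSnapshot) -> dict:
    """Signature view: brute-force scan for task instances regardless of linkage.
    The invariants checked (magic, plausible pid, in-range next pointer, printable
    name) are ones a rootkit cannot change without breaking the guest itself."""
    found = {}
    for off in range(0, len(snap.mem) - TASK_SIZE + 1, 8):
        magic, pid, nxt, comm = snap.read_task(snap.base + off)
        if (magic == MAGIC and 0 < pid < 65536
                and snap.contains(nxt, TASK_SIZE) and comm.isprintable()):
            found[pid] = comm
    return found


def hidden_processes(snap: GuestSnapshot, init_task: int) -> dict:
    """Cross-view detection: present in memory, absent from the list the guest trusts."""
    listed = walk_task_list(snap, init_task)
    return {pid: name for pid, name in scan_task_signatures(snap).items()
            if pid not in listed}


def build_snapshot(procs, hidden=()):
    """Constructed snapshot for the example: procs is [(pid, name)], one struct per
    page, circularly linked; pids in `hidden` stay in memory but are unlinked from
    the list (a DKOM-style hide). procs[0] is treated as init_task."""
    mem = bytearray(PAGE * (len(procs) + 1))
    addrs = [KERNEL_BASE + PAGE * i + 0x100 for i in range(len(procs))]
    linked = [i for i, (pid, _) in enumerate(procs) if pid not in hidden]
    for i, (pid, name) in enumerate(procs):
        if i in linked:
            nxt = addrs[linked[(linked.index(i) + 1) % len(linked)]]
        else:
            nxt = addrs[(i + 1) % len(procs)]   # stale pointer left behind after unlinking
        struct.pack_into(TASK_FMT, mem, addrs[i] - KERNEL_BASE, MAGIC, pid, nxt, name.encode())
    return GuestSnapshot(bytes(mem)), addrs[0]


if __name__ == "__main__":
    snap, init = build_snapshot([(1, "init"), (42, "sshd"), (1337, "hiddenproc"), (77, "cron")],
                                hidden={1337})
    print("list view :", walk_task_list(snap, init))
    print("scan view :", scan_task_signatures(snap))
    print("hidden    :", hidden_processes(snap, init))
```

The design point is the one the abstract raises: the list walk is cheap and easy to trigger on demand, but it trusts guest data an attacker inside the guest can edit; the signature scan costs a pass over all of guest memory but only depends on invariants, so the two views together give a workable trade-off between performance and robustness.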


Keywords: Cloud security, Virtualization, VM introspection, Interception, Snapshot



We would like to thank the anonymous reviewers for their valuable comments and help in improving this paper. This work is supported by China National Key Technology Support Program (2012BAH46B02).



Copyright information

© Springer International Publishing Switzerland 2015

Authors and Affiliations

  • Chonghua Wang (1, 2)
  • Xiaochun Yun (1)
  • Zhiyu Hao (1), corresponding author
  • Lei Cui (1)
  • Yandong Han (1, 2)
  • Qingxin Zou (1)
  1. Institute of Information Engineering, Chinese Academy of Sciences, Beijing, China
  2. School of Computer and Control Engineering, University of Chinese Academy of Sciences, Beijing, China
