Encyclopedia of Cryptography and Security

2011 Edition
Editors: Henk C. A. van Tilborg, Sushil Jajodia

Virtual Machine Introspection

  • Bryan D. Payne
Reference work entry
DOI: https://doi.org/10.1007/978-1-4419-5906-5_647


Virtual machine introspection (VMI) is a technique for externally monitoring the runtime state of a system-level virtual machine. Monitors can be placed in another virtual machine, within the hypervisor, or within any other part of the virtualization architecture. For virtual machine introspection, the runtime state can be defined broadly to include processor registers, memory, disk, network, and any other hardware-level events.


Virtual machine introspection was originally introduced by Garfinkel and Rosenblum [1] as a way to protect a security application from attack by malicious software. The reasoning behind this claim of protection is that the software interface between a virtual machine and a hypervisor is relatively small, making it easier to implement correctly and verify than the relatively larger interface...


Recommended Reading

  1. Garfinkel T, Rosenblum M (2003) A virtual machine introspection based architecture for intrusion detection. In: Proceedings of the network and distributed systems security symposium, February 2003
  2. Payne BD, Carbone M, Lee W (2007) Secure and flexible monitoring of virtual machines. In: Proceedings of the annual computer security applications conference, December 2007
  3. Payne BD, Carbone M, Sharif M, Lee W (2008) Lares: an architecture for secure active monitoring using virtualization. In: Proceedings of the IEEE symposium on security and privacy, May 2008
  4. Jones ST, Arpaci-Dusseau AC, Arpaci-Dusseau RH (2006) Antfarm: tracking processes in a virtual machine environment. In: Proceedings of the USENIX annual technical conference, June 2006
  5. Litty L, Lagar-Cavilla HA, Lie D (2008) Hypervisor support for identifying covertly executing binaries. In: Proceedings of the USENIX security symposium, August 2008
  6. Petroni NL, Hicks M (2007) Automated detection of persistent kernel control-flow attacks. In: Proceedings of the ACM conference on computer and communications security, October 2007
  7. King ST, Chen PM (2005) Backtracking intrusions. ACM Trans Comp Syst 23:51–76
  8. Cozzie A, Stratton F, Xue H, King ST (2008) Digging for data structures. In: Proceedings of the USENIX symposium on operating systems design and implementation, December 2008
  9. Dolan-Gavitt B, Srivastava A, Traynor P, Giffin J (2009) Robust signatures for kernel data structures. In: Proceedings of the ACM conference on computer and communications security, November 2009
  10. The XenAccess virtual machine introspection library for Xen. http://www.xenaccess.org
  11. The VMsafe virtual machine introspection library for VMware. http://www.vmware.com/go/vmsafe

Copyright information

© Springer Science+Business Media, LLC 2011

Authors and Affiliations

  • Bryan D. Payne (1)
  1. Information Systems Analysis, Sandia National Laboratories, Albuquerque, USA