Control of the Concurrency and Consistency Problem in Readable/Writable Virtual Machine Introspection

Please enable javascript in your browser.

Aghamir Mohammad Ali, Mohammad | 2017

559 Viewed

Type of Document: M.Sc. Thesis
Language: Farsi
Document No: 50896 (19)
University: Sharif University of Technology
Department: Computer Engineering
Advisor(s): Kharrazi, Mahdi
Abstract:
Over the last years, research about writable virtual machine introspection has been started. This approach has the benefits of readonly virtual machine introspection. Additionally, it has more applications, such as automated defense against malware programs, than the read-only approach. In the read-only VMI, data is gathered from virtual machine hardware states and then analysis in virtual machine monitor. In writable one, hypervisor can modify virtual machine kernel state. Consistency issue is an essential challenge for out-vm writable VMI. In the best of our knowledge, only one implementation try to solve this consistency issue. However it cannot resolve this issue completely. Other VMI implementations with write ability either present in-vm solution or do not even consider consistency issue. In this thesis, we present the CIRWI framework which provides consistent read/write introspection API by finding a proper time to execute read/write instructions into kernel memory of guest VM. It achieved 100% accuracy when evaluated in a variety of scenarios of kernel memory modification. In average case, observed overhead is as low as 10.96% in our evaluation scenarios
Keywords:
Virtual Machine Introspection ; Hypervisor ; Virtual Machine ; Readable/Writeable ; Consistent Read/Write