Matthew Conover
Symantec
Publication
Featured research published by Matthew Conover.
Recent Advances in Intrusion Detection | 2012
Martim Carbone; Matthew Conover; Bruce Montague; Wenke Lee
Current monitoring solutions for virtual machines do not incorporate both security and robustness. Out-of-guest applications achieve security by using virtual machine introspection and not relying on in-guest components, but do not achieve robustness due to the semantic gap. In-guest applications achieve robustness by utilizing guest OS code for monitoring, but not security, since an attacker can tamper with this code and the application itself. In this paper we propose SYRINGE, a secure and robust infrastructure for monitoring virtual machines. SYRINGE protects the monitoring application by placing it in a separate virtual machine (as with the out-of-guest approach) but at the same time allowing it to invoke guest functions (as with the in-guest approach), using a technique known as function-call injection. SYRINGE verifies the secure execution of the invoked guest OS code by using another technique, localized shepherding. The combination of these two techniques allows SYRINGE to incorporate the best of out-of-guest monitoring with that of in-guest monitoring. We implemented a prototype of SYRINGE as a Linux application to monitor a guest running Windows XP and have evaluated its performance and security. We also implemented a monitoring application built on top of SYRINGE to demonstrate its usefulness. Our results show that for a calling period of 1 second, the performance overhead created in the guest by this application is 8%.
Cluster Computing and the Grid | 2012
Tzi-cker Chiueh; Matthew Conover; Bruce Montague
As more and more virtual machines (VMs) are packed into a physical machine, refactoring common kernel components shared by the virtual machines running on the same physical machine significantly reduces the overall resource consumption. A refactored kernel component typically runs on a special VM called a virtual appliance. Because of the semantic gap in Hardware Abstraction Layer (HAL)-based virtualization, a physical machine's virtual appliance requires the support of per-VM in-guest agents to perform VM-specific operations such as kernel data structure access and modification. To simplify deployment, these agents must be injected into guest virtual machines without requiring any manual installation. Moreover, it is essential to protect the integrity of in-guest agents at run time, especially when the underlying refactored kernel service is security-related. This paper describes the design, implementation and evaluation of a surreptitious kernel agent deployment and execution mechanism called SADE that requires zero installation effort and effectively hides the execution of agent code. To demonstrate the efficacy of SADE, we describe a signature-based memory scanning virtual appliance that uses SADE to inject its in-guest kernel agents without any support from the injected virtual machine, and show that both the start-up overhead and the run-time performance penalty of SADE are quite modest in practice.
Archive | 2010
Sanjay Sawhney; Matthew Conover; Bruce Montague
Archive | 2005
Matthew Conover; Sourabh Satish
Archive | 2004
Matthew Conover; Sourabh Satish
Archive | 2009
Tzi-cker Chiueh; Matthew Conover
Archive | 2009
Bruce Montague; Sanjay Sawhney; Matthew Conover; Tzi-cker Chiueh
Archive | 2013
Matthew Conover
Archive | 2004
Matthew Conover; Peter Szor
Archive | 2005
Peter Szor; Peter Ferrie; Matthew Conover