Aquarius: A Tiny Hypervisor to Introspect Commodity OSes in a Non-bypassable Way

In this paper, we propose a novel tiny hardware assisted hypervisor, called Aquarius, to introspect the commodity OSes in a non-bypassable way. Compared to previous hypervisor-based approaches, Aquarius offers three distinct advantages: preinstalled commodity OS compatibility, implicit introspection of OS resources (e.g., memory, I/O device accesses, processes, files, network connections) and non-bypassable information exposing interface. Unlike typical hypervisors, Aquarius can migrate a preinstalled OS onto it. By tracking the low-level interactions between the OS and the hardware, Aquarius is decoupled with the explicit OS implementation information which it is subvertable for the privileged malware. Our functionality evaluation shows Aquarius can accurately reconstruct the OS resources at hypervisor layer while the performance evaluation shows desktop-oriented workloads achieve 92.68% of native speed on average.