• DocumentCode
    3006644
  • Title
    A forensic hypervisor for process tracking and exploit discovery
  • Author
    Kuhn, Sven ; Taylor, Stephen

  • Author_Institution
    Thayer Sch. of Eng., Dartmouth Coll., Hanover, NH, USA
  • fYear
    2012
  • fDate
    Oct. 29 2012-Nov. 1 2012
  • Firstpage
    1
  • Lastpage
    5
  • Abstract
    Real-time forensic reconstruction of a process's memory and interaction history is impractical in modern computing environments because the volume of data processed by a typical server is immense. Having this information would speed the search for zero-day exploits and designate precisely which system components could have been affected by an intrusion. Unfortunately, it may be several months after the infection before any latent effect is observed, and there is no way to attest which, if any, of the affected processes are related to the original exploit. In addition, the system under observation cannot be trusted to record the necessary forensic information, as the infection may deliberately hide its presence. These problems subsequently hamper system recovery and data verification efforts. This paper describes a novel forensic hypervisor design that provides coarse-grained process tracking and utilizes next-generation Intel virtualization technology, leveraging extended page tables and enforcing MULTICS-style protection techniques. Custom forensic introspection techniques are used to walk the extended page tables to inspect a virtual machine's state and track the associated processes. A description of the steps necessary to perform tracking is presented; the real-time performance impact is quantified at less than 11 μs for each system call.
  • Keywords
    digital forensics; formal verification; operating systems (computers); virtual machines; virtualisation; MULTICS style protection technique; computing environment; custom forensic introspection; data verification; exploit discovery; forensic hypervisor design; forensic information; interaction history; intrusion; memory; next generation Intel virtualization technology; operating system; page table; process tracking; real-time forensic reconstruction; server; system component; system recovery; virtual machine; Forensics; Hardware; Kernel; Program processors; Virtual machine monitors; Virtual machining; Virtualization; Forensics; Introspection; Operating Systems; Virtualization;
  • fLanguage
    English
  • Publisher
    ieee
  • Conference_Titel
    MILITARY COMMUNICATIONS CONFERENCE, 2012 - MILCOM 2012
  • Conference_Location
    Orlando, FL
  • ISSN
    2155-7578
  • Print_ISBN
    978-1-4673-1729-0
  • Type
    conf

  • DOI
    10.1109/MILCOM.2012.6415817
  • Filename
    6415817