Title :
Exploiting the x86 Architecture to Derive Virtual Machine State Information
Author :
Pfoh, Jonas ; Schneider, Christian ; Eckert, Claudia
Author_Institution :
Dept. of Comput. Sci., Univ. Munchen, Munich, Germany
Abstract :
Virtual machine introspection (VMI) describes the method of monitoring and analyzing the state of a virtual machine from the hypervisor level. Using knowledge of the virtual hardware architecture, it is possible to derive information about a guest operating system´s state from the virtual machine state. We argue that by deriving this information it is possible to build VMI applications which are more robust against circumvention techniques than applications that do not rely on hardware knowledge. In this paper, we present various ways to leverage Intel´s x86 architecture as well as the virtualization extensions from both Intel (VT-x) and AMD (SVM) to derive such information. Additionally, we describe how this derived information may be used in VMI-based security applications and against which threats they are most applicable.
Keywords :
computer architecture; operating systems (computers); virtual machines; Intel x86 architecture; VMI based security application; guest operating system; hypervisor level; virtual hardware architecture; virtual machine introspection; virtual machine state information; virtualization extensions; Hardware; Kernel; Monitoring; Registers; Semantics; Virtual machine monitors; Virtual machining; Anti-malware; Introspection; Intrusion Detection; Security; Virtualization;
Conference_Titel :
Emerging Security Information Systems and Technologies (SECURWARE), 2010 Fourth International Conference on
Conference_Location :
Venice
Print_ISBN :
978-1-4244-7517-9
Electronic_ISBN :
978-0-7695-4095-5
DOI :
10.1109/SECURWARE.2010.35
