Secure Virtualization Environment Based on Advanced Memory Introspection

الملخص EN

Most existing virtual machine introspection (VMI) technologies analyze the status of a target virtual machine under the assumption that the operating system (OS) version and kernel structure information are known at the hypervisor level.

In this paper, we propose a model of virtual machine (VM) security monitoring based on memory introspection.

Using a hardware-based approach to acquire the physical memory of the host machine in real time, the security of the host machine and VM can be diagnosed.

Furthermore, a novel approach for VM memory forensics based on the virtual machine control structure (VMCS) is put forward.

By analyzing the memory of the host machine, the running VMs can be detected and their high-level semantic information can be reconstructed.

Then, malicious activity in the VMs can be identified in a timely manner.

Moreover, by mutually analyzing the memory content of the host machine and VMs, VM escape may be detected.

Compared with previous memory introspection technologies, our solution can automatically reconstruct the comprehensive running state of a target VM without any prior knowledge and is strongly resistant to attacks with high reliability.

We developed a prototype system called the VEDefender.

Experimental results indicate that our system can handle the VMs of mainstream Linux and Windows OS versions with high efficiency and does not influence the performance of the host machine and VMs.