Virtual machine introspection

From HandWiki
Revision as of 15:37, 6 February 2024 by S.Timg (talk | contribs) (correction)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)

In computing, virtual machine introspection (VMI) is a technique "for monitoring the runtime state of a system-level virtual machine (VM)", which is helpful for debugging or forensic analysis.[1][2] The term introspection in application to the virtual machines was introduced by Garfinkel and Rosenblum.[3] They invented an approach for "protecting a security application from attack by malicious software" and called it VMI. Now VMI is a common term for different virtual machine forensics and analysis methods. VMI-based approaches are widely used for security applications, software debugging, and systems management.[1]

VMI tools may be located inside or outside the virtual machine and act by tracking the events (interrupts, memory writes, and so on) or sending the requests to the virtual machine. Virtual machine monitor usually provides low-level information like raw bytes of the memory. Converting this low-level view into something meaningful for the user is known as the semantic gap problem. Solving this problem requires analysis and understanding of the systems being monitored.

VMI within the virtual machine

Programs running inside VM may provide information about other processes. This information may be sent through network interface or some virtual devices like serial port. The examples of in vivo introspection programs are WinDbg[4] or GDB[5] servers that interact with the remote debugger.

The drawback of this approach is that it requires functioning OS within the VM. If OS hangs or isn't loaded yet, the introspection agent couldn't work.

VMI outside the virtual machine

VMI tools may be implemented within the virtual machine monitor[6][7] or as a separate programs[8] that capture information (e.g., contents of the memory) from the virtual machine monitor. Then this data has to be interpreted to understand the processes in the system. One of the popular tools for such interpretation is Volatility framework.[9] This framework contains profiles for many popular operating systems and may extract different information like process tree or list of the kernel objects.

References

  1. 1.0 1.1 Payne, Bryan D. (2011), van Tilborg, Henk C. A.; Jajodia, Sushil, eds. (in en), Virtual Machine Introspection, Boston, MA: Springer US, pp. 1360–1362, doi:10.1007/978-1-4419-5906-5_647, ISBN 978-1-4419-5906-5, https://doi.org/10.1007/978-1-4419-5906-5_647, retrieved 2023-10-13 
  2. LibVMI: Simplified Virtual Machine Introspection, libvmi, 2023-10-10, https://github.com/libvmi/libvmi, retrieved 2023-10-13 
  3. https://suif.stanford.edu/papers/vmi-ndss03.pdf A Virtual Machine Introspection Based Architecture for Intrusion Detection
  4. "Remote Debugging Using WinDbg - Windows drivers" (in en-us). 2021-12-15. https://learn.microsoft.com/en-us/windows-hardware/drivers/debugger/remote-debugging-using-windbg. 
  5. https://sourceware.org/gdb/onlinedocs/gdb/Server.html Using the gdbserver Program
  6. "Virtual Machine Introspection - Xen". https://wiki.xenproject.org/wiki/Virtual_Machine_Introspection. 
  7. Dovgalyuk, Pavel; Fursova, Natalia; Vasiliev, Ivan; Makarov, Vladimir (2017-08-21). "QEMU-based framework for non-intrusive virtual machine instrumentation and introspection". Proceedings of the 2017 11th Joint Meeting on Foundations of Software Engineering. ESEC/FSE 2017. New York, NY, USA: Association for Computing Machinery. pp. 944–948. doi:10.1145/3106237.3122817. ISBN 978-1-4503-5105-8. https://doi.org/10.1145/3106237.3122817. 
  8. Cisco-Talos/pyrebox, Cisco Talos, 2023-10-12, https://github.com/Cisco-Talos/pyrebox, retrieved 2023-10-13 
  9. https://github.com/volatilityfoundation/volatility Volatile memory extraction utility framework