Exploiting the x86 Architecture to Derive Virtual Machine State Information
Virtual machine introspection (VMI) describes the method of monitoring and analyzing the state of a virtual machine from the hypervisor level. Using knowledge of the virtual hardware architecture, it is possible to derive information about a guest operating system's state from the virtual machine state. We argue that by deriving this information it is possible to build VMI applications which are more robust against circumvention techniques than applications that do not rely on hardware knowledge. In this paper, we present various ways to leverage Intel's x86 architecture as well as the virtualization extensions from both Intel (VT-x) and AMD (SVM) to derive such information. Additionally, we describe how this derived information may be used in VMI-based security applications and against which threats they are most applicable.
Exploiting the x86 Architecture to Derive Virtual Machine State Information
Proceedings of the Fourth International Conference on Emerging Security Information, Systems and Technologies (SECURWARE 2010)
Authors: | Jonas Pfoh, Christian Schneider, and Claudia Eckert |
Year/month: | 2010/7 |
Booktitle: | Proceedings of the Fourth International Conference on Emerging Security Information, Systems and Technologies (SECURWARE 2010) |
Pages: | 166--175 |
Address: | Venice, Italy |
Publisher: | IEEE Computer Society |
Note: | Best Paper Award |
Fulltext: | securware2010.pdf |
Abstract |
|
Virtual machine introspection (VMI) describes the method of monitoring and analyzing the state of a virtual machine from the hypervisor level. Using knowledge of the virtual hardware architecture, it is possible to derive information about a guest operating system's state from the virtual machine state. We argue that by deriving this information it is possible to build VMI applications which are more robust against circumvention techniques than applications that do not rely on hardware knowledge. In this paper, we present various ways to leverage Intel's x86 architecture as well as the virtualization extensions from both Intel (VT-x) and AMD (SVM) to derive such information. Additionally, we describe how this derived information may be used in VMI-based security applications and against which threats they are most applicable. |
Bibtex:
@inproceedings { pfoh2010a,author = { Jonas Pfoh and Christian Schneider and Claudia Eckert},
title = { Exploiting the x86 Architecture to Derive Virtual Machine State Information },
year = { 2010 },
month = { July },
booktitle = { Proceedings of the Fourth International Conference on Emerging Security Information, Systems and Technologies (SECURWARE 2010) },
address = { Venice, Italy },
note = { Best Paper Award },
pages = { 166--175 },
publisher = { IEEE Computer Society },
url = {https://www.sec.in.tum.de/i20/publications/exploiting-the-x86-architecture-to-derive-virtual-machine-state-information/@@download/file/securware2010.pdf}
}