Full Virtual Machine State Reconstruction for Security Applications

This work explores the possibilities and implications of bridging the semantic gap between the hypervisor and its virtual machines to support security applications using a technique called virtual machine introspection (VMI). We define a formal model for VMI to describe and compare such approaches. We then propose, implement and evaluate a novel VMI framework that applies knowledge of the operating system, derived through a source code analysis, to reconstruct the kernel state from physical memory.

Authors: Christian Schneider
Year/month: 2013/4
School: Technische Universität München
Type: Dissertation
Fulltext: phd_schneider2013.pdf

Bibtex:

@phdthesis{SchneiderPhd2013,
  author = {Christian Schneider},
  title  = {Full Virtual Machine State Reconstruction for Security Applications},
  year   = {2013},
  school = {Technische Universität München},
  month  = {April},
  url    = {https://www.sec.in.tum.de/i20/publications/full-virtual-machine-state-reconstruction-for-security-applications/@@download/file/phd_schneider2013.pdf},
  type   = {Dissertation},
}