TUM Logo

Pitfalls of virtual machine introspection on modern hardware

Over the last few years there has been immense progress in developing powerful security tools based on Virtual Ma- chine Introspection (VMI). VMI offers unique capabilities which can be used to check and enforce security policies in the presence of a potentially compromised guest. With the introduction of new hardware virtualization extensions, VMI can be further enhanced to provide lightweight, in-band control over the execution of virtual machines. In publica- tions released before the extensions were available, security researchers issued warnings that these new extensions may be used to subvert VMI. Since hardware supporting these extensions is now available, in this paper, we aim to dis- cuss and re-evaluate claims made in prior-art. We further continue the discussion by highlighting critical limitations of the virtualization extensions. We go on to show that thorough consideration and understanding of these limita- tions is necessary when developing VMI based security ap- plications. Otherwise, improper handling will inadvertently expose these applications to subversion attacks. Finally, we take a look at Intel’s normal and dual-monitor System Man- agement Mode and discuss how they can be used to both implement and subvert VMI based security applications.

Pitfalls of virtual machine introspection on modern hardware

1st Workshop on Malware Memory Forensics (MMF)

Authors: Tamas Lengyel, Thomas Kittel, George Webster, and Jacob Torrey
Year/month: 2014/12
Booktitle: 1st Workshop on Malware Memory Forensics (MMF)
Fulltext: pitfalls-virtual-machine.pdf

Abstract

Over the last few years there has been immense progress in developing powerful security tools based on Virtual Ma- chine Introspection (VMI). VMI offers unique capabilities which can be used to check and enforce security policies in the presence of a potentially compromised guest. With the introduction of new hardware virtualization extensions, VMI can be further enhanced to provide lightweight, in-band control over the execution of virtual machines. In publica- tions released before the extensions were available, security researchers issued warnings that these new extensions may be used to subvert VMI. Since hardware supporting these extensions is now available, in this paper, we aim to dis- cuss and re-evaluate claims made in prior-art. We further continue the discussion by highlighting critical limitations of the virtualization extensions. We go on to show that thorough consideration and understanding of these limita- tions is necessary when developing VMI based security ap- plications. Otherwise, improper handling will inadvertently expose these applications to subversion attacks. Finally, we take a look at Intel’s normal and dual-monitor System Man- agement Mode and discuss how they can be used to both implement and subvert VMI based security applications.

Bibtex:

@inproceedings { lengyel2014mmf,
author = { Tamas Lengyel and Thomas Kittel and George Webster and Jacob Torrey},
title = { Pitfalls of virtual machine introspection on modern hardware },
year = { 2014 },
month = { December },
booktitle = { 1st Workshop on Malware Memory Forensics (MMF) },
url = {https://www.sec.in.tum.de/i20/publications/pitfalls-of-virtual-machine-introspection-on-modern-hardware/@@download/file/pitfalls-virtual-machine.pdf}
}