ARADIA
Local project leader
Prof. Hans P. Reiser
Research team members
Stewart Sentanoe
Benjamin Taubmann
Noëlle Rakotondravony
Summary
Virtual machine introspection (VMI) is a technique to analyze the internal state of a target virtual machine from the outside. It is well-established for tasks such as intrusion detection, malware analysis, and forensics. Compared to approaches that analyze the internal state from inside the target, VMI-based data acquisition benefits from the strong isolation provided by the hypervisor and is significantly more stealthy and tamper-proof.
This project will significantly advance the state of the art of VMI. The main objectives are as follows:
- Investigation of novel approaches for in-depth memory introspection: Efficient algorithms shall enable the introspection of guests that execute a nested hypervisor or virtual containers, the efficient fine-grained semantic interpretation, and the accurate control of memory introspection in time.
- VMI-based event tracing: In contrast to existing systems that use a single tracing source (such as system calls), our goal is to integrate multiple event sources, enable the correlation of events from these sources, and support flexible on-demand orchestration of mechanisms, which helps to minimize the run-time overhead while acquiring highly detailed information.
- Investigating the problem of secure and efficient deployment of VMI applications on real-world environments, such as private and public cloud infrastructures and mobile platforms. The lack of such deployment support is the most severe limitation of most existing VMI-based systems.
- Making VMI more accessible for human system operators: The crucial step of any form of VMI-based analysis is the extraction of actionable information from low-level data. The expected results are an architecture for storing and post-processing VMI data to make it easily accessible, novel concepts for visualizing the combined data from multiple memory introspection and tracing sources, and mechanisms to dynamically control VMI-based data acquisition.
In summary, the over-all goal of this project is to enable VMI on systems on which introspection is not feasible with today's tools and libraries, to enable the acquisition of significantly more detailed information using in-depth memory introspection and a variety of VMI-based tracing mechanisms, and to enable a human operator to better control these mechanisms and visualize the resulting data.
We plan to integrate our innovative algorithms and strategies into an open-source prototype for enhanced virtual machine introspection, which also supports the development of high-level tools for attack detection, analysis and prevention.
Funding
Deutsche Forschungsgemeinschaft
2022
DOI: https://doi.org/10.1016/j.fsidi.2022.301337
https://www.sciencedirect.com/science/article/pii/S2666281722000063
DOI: 10.1145/3538969.3539002
https://doi.org/10.1145/3538969.3539002
2021
2020
DOI: 10.1007/978-3-030-50323-9_3