Project Details
ARADIA: Cross-platform architecture for user-centric static and dynamic virtual machine introspection
Applicant
Professor Dr. Hans P. Reiser
Subject Area
Security and Dependability, Operating-, Communication- and Distributed Systems
Term
from 2017 to 2022
Project identifier
Deutsche Forschungsgemeinschaft (DFG) - Project number 361891819
Virtual machine introspection (VMI) is a technique to analyze the internal state of a target virtual machine from the outside. It is well-established for tasks such as intrusion detection, malware analysis, and forensics. Compared to approaches that analyze the internal state from inside the target, VMI-based data acquisition benefits from the strong isolation provided by the hypervisor and is significantly more stealthy and tamper-proof. This project will significantly advance the state of the art of VMI. The main objectives are as follows:

First, we aim at investigating novel approaches for in-depth memory introspection. The expected results are efficient algorithms for the introspection of guests that execute a nested hypervisor or virtual containers, for efficient fine-grained semantic interpretation, including resolving variables and function names within a target process, and for accurately controlling memory introspection in time.

Second, we address efficient VMI-based event tracing. In contrast to existing systems that use a single tracing source (such as system calls), our goal is to integrate multiple event sources, enable the correlation of events from these sources, and support flexible on-demand orchestration of mechanisms, which helps to minimize the run-time overhead while acquiring highly detailed information.

Third, we plan to investigate the problem of secure and efficient deployment of VMI applications on real-world environments, such as private and public cloud infrastructures and mobile platforms. The lack of such deployment support is the most severe limitation of most existing VMI-based systems. Part of this objective is also to support monitoring target VMs while they migrate in cloud environments and to investigate the feasibility of harnessing novel hardware mechanisms such as Intel SGX.

Fourth, we target making VMI more accessible for human system operators. The crucial step of any form of VMI-based analysis is the extraction of actionable information from low-level data. The expected results are an architecture for storing and post-processing VMI data to make it easily accessible, novel concepts for visualizing the combined data from multiple memory introspection and tracing sources, and mechanisms to dynamically control VMI-based data acquisition.

In summary, the overall goal of this project is to enable VMI on systems on which introspection is not feasible with today's tools and libraries, to enable the acquisition of significantly more detailed information using in-depth memory introspection and a variety of VMI-based tracing mechanisms, and to enable a human operator to better control these mechanisms and visualize the resulting data. We plan to integrate our innovative algorithms and strategies into an open-source prototype for enhanced virtual machine introspection, which also supports the development of high-level tools for attack detection, analysis and prevention.
DFG Programme
Research Grants