Secure and Flexible Monitoring of Virtual Machines

938bca9547ba1cac3e69d80efd67fe6b?s=47 Bryan Payne
December 14, 2007

Secure and Flexible Monitoring of Virtual Machines

ACSAC 2007. The monitoring of virtual machines has many applications in areas such as security and systems management. A monitoring technique known as introspection has received significant discussion in the research literature, but these prior works have focused on the applications of introspection rather than how to properly build a monitoring architecture. In this paper we propose a set of requirements that should guide the development of virtual machine monitoring solutions. To illustrate the viability of these requirements, we describe the design of XenAccess, a monitoring library for operating systems running on Xen. XenAccess incorporates virtual memory introspection and virtual disk monitoring capabilities, allowing monitor applications to safely and efficiently access the memory state and disk activity of a target operating system. XenAccess’ efficiency and functionality are illustrated through a series of performance tests and practical examples. http://www.acsac.org/2007/papers/138.pdf

938bca9547ba1cac3e69d80efd67fe6b?s=128

Bryan Payne

December 14, 2007
Tweet

Transcript

  1. Secure and Flexible Monitoring of Virtual Machines Bryan D. Payne

    - Martim D. P. de A. Carbone - Wenke Lee School of Computer Science Georgia Institute of Technology
  2. Secure and Flexible Monitoring of Virtual Machines, ACSAC 2007 Protecting

    Software Monitors Kernel User User OS Kernel User Kernel User User VM Monitoring VM Virtual Machine Monitor Moving monitors to a different virtual machine provides protection through isolation and reduced dependency on untrusted software.
  3. Secure and Flexible Monitoring of Virtual Machines, ACSAC 2007 Related

    Research Intrusion Detection Systems Livewire, Garfinkel et al, NDSS 2003 Hyperspector, Kourai et al, VEE 2005 IntroVirt, Joshi et al, SOSP 2005 Workload Isolation NetTop, Meushaw et al, US DoD research Terra, Garfinkel et al, SOSP 2003 Forensics & Debugging ReVirt, Dunlap et al, OSDI 2002 System Monitoring Antfarm, Jones et al, USENIX 2006 Honeypot Monitoring, Asrigo et al, VEE 2006
  4. Secure and Flexible Monitoring of Virtual Machines, ACSAC 2007 Our

    Contributions Previous research focused on the applications, but creating a secure and flexible monitoring architecture is non-trivial • Six requirements for secure and flexible monitoring using introspection in a virtualized environment • The XenAccess architecture that shows these requirements are obtainable • Our implementation of XenAccess, which is freely available for other researchers to use
  5. Secure and Flexible Monitoring of Virtual Machines, ACSAC 2007 Our

    Contributions & Related Research Xen Background Information Architecture & Implementation Example Applications Performance Analysis Conclusions
  6. Secure and Flexible Monitoring of Virtual Machines, ACSAC 2007 Background:

    Xen VMM • One control domain + Multiple user domains • Xen provides m2p and p2m tables to convert between physical and machine addresses Kernel User PV Domain (User VM) Kernel User Domain 0 (Monitoring VM) Kernel User HVM Domain (User VM) ... XenoLinux XenoLinux Windows or Linux Machine address Physical address Virtual address (kernel) Virtual address (user) Front-End Driver Back-End Driver Device Driver Xen Virtual Machine Monitor I/O Device
  7. Secure and Flexible Monitoring of Virtual Machines, ACSAC 2007 Xen

    Blktap I/O Model • Split driver model sends I/O through domain 0 • Blktap provides user space access to block level read and write information to/from disk
  8. Secure and Flexible Monitoring of Virtual Machines, ACSAC 2007 Our

    Contributions & Related Research Xen Background Information Architecture & Implementation Example Applications Performance Analysis Conclusions
  9. Secure and Flexible Monitoring of Virtual Machines, ACSAC 2007 Six

    criteria for a useful monitoring architecture: 1. No superfluous modifications to the VMM 2. No modifications to the VM or the target OS 3. Small performance impact 4. Rapid development of new monitors 5. Ability to monitor any data on target OS 6. Target OS cannot tamper with monitors Monitoring Criteria
  10. Secure and Flexible Monitoring of Virtual Machines, ACSAC 2007 XenAccess

    Architecture Xen VMM Monitor VM User VM User Kernel User Kernel XenAccess Blktap BE Driver FE Driver Disk Driver XenCtrl XenAccess Library XenControl Library BlkTap Arch XenStore Library Domain 0 Kernel + Drivers Xen VMM Monitor App #1 Monitor App #2 Monitor App #3 BlkTap
  11. Secure and Flexible Monitoring of Virtual Machines, ACSAC 2007 Memory

    Introspection xa_init(), xa_destroy() xa_access_kernel_symbol() xa_access_virtual_address() xa_access_user_virtual_address()
  12. Secure and Flexible Monitoring of Virtual Machines, ACSAC 2007 Memory

    Introspection Details • HVM Support - Different m2p mapping; otherwise same as PV - XenAccess works with both PV and HVM - Recent versions of XenAccess support Windows • Improving Performance - Walking another domain’s page table is costly - LRU cache provides acceptable performance - Frequent cache hits expected in most apps • Bridging the Semantic Gap
  13. Secure and Flexible Monitoring of Virtual Machines, ACSAC 2007 Disk

    Monitoring xadisk_init(), xadisk_destroy() xadisk_set_watch() xadisk_unset_watch() xadisk_activate() xadisk_deactivate()
  14. Secure and Flexible Monitoring of Virtual Machines, ACSAC 2007 Disk

    Monitoring Details • Asynchronous operation - Disk events queued for processing by monitor - Data sent to disk device driver • Inference Engine - Changes inferred; current versus previous state - Requires knowledge of filesystem • Limitations - Only file/direction creation/deletion - File read/write, object renaming, file truncating, and more possible using this architecture
  15. Secure and Flexible Monitoring of Virtual Machines, ACSAC 2007 Our

    Contributions & Related Research Xen Background Information Architecture & Implementation Example Applications Performance Analysis Conclusions
  16. Secure and Flexible Monitoring of Virtual Machines, ACSAC 2007 Memory

    Monitor Example XenAccess Process List Example Output in dom0 Process Explorer Output inside Windows XP
  17. Secure and Flexible Monitoring of Virtual Machines, ACSAC 2007 Memory

    Monitor Example XenAccess Process List Example Output in dom0 Process Explorer Output inside Windows XP
  18. Secure and Flexible Monitoring of Virtual Machines, ACSAC 2007 Disk

    Monitor Example XenAccess Disk Monitor Example Output in dom0 Disk Activity Generated in User VM
  19. Secure and Flexible Monitoring of Virtual Machines, ACSAC 2007 Disk

    Monitor Example XenAccess Disk Monitor Example Output in dom0 Disk Activity Generated in User VM
  20. Secure and Flexible Monitoring of Virtual Machines, ACSAC 2007 Our

    Contributions & Related Research Xen Background Information Architecture & Implementation Example Applications Performance Analysis Conclusions
  21. Secure and Flexible Monitoring of Virtual Machines, ACSAC 2007 Memory

    Monitor Performance 0 10 20 30 40 50 60 70 80 90 Virtual Address Kernel Symbol User Address Time in microseconds 21213 6881 541 PV-M PV-H HVM-M HVM-H 0 1 2 3 4 5 4000 3000 2000 1000 500 100 Time in microseconds Data size in bytes fc6-pv fc6-hvm Time To Access Memory • Acceptable for most apps • Caching very useful Time To Read Memory • Very small, page is mapped into local address space • Similar for PV and HVM
  22. Secure and Flexible Monitoring of Virtual Machines, ACSAC 2007 Disk

    Monitor Performance 0 500 1000 1500 2000 10 50 100 200 500 1000 2000 Time in milliseconds Number of Files Created Mode 1 Mode 2 Mode 3 Mode 1: Monitoring with watch points enabled Mode 2: Monitoring with watch points disabled Mode 3: Tapdisk driver with no monitoring
  23. Secure and Flexible Monitoring of Virtual Machines, ACSAC 2007 Our

    Contributions & Related Research Xen Background Information Architecture & Implementation Example Applications Performance Analysis Conclusions
  24. Secure and Flexible Monitoring of Virtual Machines, ACSAC 2007 No

    superfluous modifications to the VMM No modifications to the VM or the target OS Small performance impact Rapid development of new monitors Ability to monitor any data on target OS Target OS cannot tamper with monitors Monitoring Criteria Revisited
  25. Secure and Flexible Monitoring of Virtual Machines, ACSAC 2007 •

    Code discussed in the paper available online • Memory introspection has more features - Support for Windows VMs - Improved support for HVM domains - Improved cache utilization - Expanded API with better documentation • Disk introspection available as proof of concept • Available at http://xenaccess.sourceforge.net XenAccess Today
  26. Secure and Flexible Monitoring of Virtual Machines, ACSAC 2007 Summary

    • Prior work focused on the applications of introspection; not how to implement it • We proposed six requirements for secure and flexible monitoring using introspection • Our XenAccess architecture demonstrated that these requirements are obtainable • Our implementation of XenAccess is freely available for other researchers to use
  27. Questions? http://xenaccess.sourceforge.net