Virtual machine introspection

Last updated

In computing, virtual machine introspection (VMI) is a technique "for monitoring the runtime state of a system-level virtual machine (VM)", which is helpful for debugging or forensic analysis. [1] [2]

Contents

The term introspection in application to the virtual machines was introduced by Garfinkel and Rosenblum. [3] They invented an approach for "protecting a security application from attack by malicious software" and called it VMI. Now VMI is a common term for different virtual machine forensics and analysis methods. VMI-based approaches are widely used for security applications, software debugging, and systems management. [1]

VMI tools may be located inside or outside the virtual machine and act by tracking the events (interrupts, memory writes, and so on) or sending the requests to the virtual machine. Virtual machine monitor usually provides low-level information like raw bytes of the memory. Converting this low-level view into something meaningful for the user is known as the semantic gap problem. Solving this problem requires analysis and understanding of the systems being monitored.

VMI within the virtual machine

Programs running inside VM may provide information about other processes. This information may be sent through network interface or some virtual devices like serial port. The examples of in vivo introspection programs are WinDbg [4] or GDB [5] servers that interact with the remote debugger.

The drawback of this approach is that it requires functioning OS within the VM. If OS hangs or isn't loaded yet, the introspection agent couldn't work.

VMI outside the virtual machine

VMI tools may be implemented within the virtual machine monitor [6] [7] or as a separate programs [8] that capture information (e.g., contents of the memory) from the virtual machine monitor. Then this data has to be interpreted to understand the processes in the system. One of the popular tools for such interpretation is Volatility framework. [9] This framework contains profiles for many popular operating systems and may extract different information like process tree or list of the kernel objects.

Related Research Articles

<span class="mw-page-title-main">GNU Debugger</span> Source-level debugger

The GNU Debugger (GDB) is a portable debugger that runs on many Unix-like systems and works for many programming languages, including Ada, Assembly, C, C++, D, Fortran, Haskell, Go, Objective-C, OpenCL C, Modula-2, Pascal, Rust, and partially others.

<span class="mw-page-title-main">Core dump</span> Snapshot of computer memory data

In computing, a core dump, memory dump, crash dump, storage dump, system dump, or ABEND dump consists of the recorded state of the working memory of a computer program at a specific time, generally when the program has crashed or otherwise terminated abnormally. In practice, other key pieces of program state are usually dumped at the same time, including the processor registers, which may include the program counter and stack pointer, memory management information, and other processor and operating system flags and information. A snapshot dump is a memory dump requested by the computer operator or by the running program, after which the program is able to continue. Core dumps are often used to assist in diagnosing and debugging errors in computer programs.

<span class="mw-page-title-main">Debugger</span> Computer program used to test and debug other programs

A debugger is a computer program used to test and debug other programs. Common features of debuggers include the ability to run or halt the target program using breakpoints, step through code line by line, and display or modify the contents of memory, CPU registers, and stack frames.

SoftICE is a kernel mode debugger for DOS and Windows up to Windows XP. It is designed to run underneath Windows, so that the operating system is unaware of its presence. Unlike an application debugger, SoftICE is capable of suspending all operations in Windows when instructed. Due to its low-level capabilities, SoftICE is also popular as a software cracking tool.

<span class="mw-page-title-main">Valgrind</span> Programming tool for profiling, memory debugging and memory leak detection

Valgrind is a programming tool for memory debugging, memory leak detection, and profiling.

JTAG is an industry standard for verifying designs of and testing printed circuit boards after manufacture.

<span class="mw-page-title-main">Breakpoint</span> Debugging method used in software development

In software development, a breakpoint is an intentional stopping or pausing place in a program, put in place for debugging purposes. It is also sometimes simply referred to as a pause.

WinDbg is a multipurpose debugger for the Microsoft Windows computer operating system, distributed by Microsoft. Debugging is the process of finding and resolving errors in a system; in computing it also includes exploring the internal operation of software as a help to development. It can be used to debug user mode applications, device drivers, and the operating system itself in kernel mode.

<span class="mw-page-title-main">VMware ESXi</span> Enterprise-class, type-1 hypervisor for deploying and serving virtual computers

VMware ESXi is an enterprise-class, type-1 hypervisor developed by VMware, a subsidiary of Broadcom, for deploying and serving virtual computers. As a type-1 hypervisor, ESXi is not a software application that is installed on an operating system (OS); instead, it includes and integrates vital OS components, such as a kernel.

Tracing in software engineering refers to the process of capturing and recording information about the execution of a software program. This information is typically used by programmers for debugging purposes, and additionally, depending on the type and detail of information contained in a trace log, by experienced system administrators or technical-support personnel and by software monitoring tools to diagnose common problems with software. Tracing is a cross-cutting concern.

ptrace is a system call found in Unix and several Unix-like operating systems. By using ptrace one process can control another, enabling the controller to inspect and manipulate the internal state of its target. ptrace is used by debuggers and other code-analysis tools, mostly as aids to software development.

The Java Development Kit (JDK) is a distribution of Java technology by Oracle Corporation. It implements the Java Language Specification (JLS) and the Java Virtual Machine Specification (JVMS) and provides the Standard Edition (SE) of the Java Application Programming Interface (API). It is derivative of the community driven OpenJDK which Oracle stewards. It provides software for working with Java applications. Examples of included software are the Java virtual machine, a compiler, performance monitoring tools, a debugger, and other utilities that Oracle considers useful for Java programmers.

Memory forensics is forensic analysis of a computer's memory dump. Its primary application is investigation of advanced computer attacks which are stealthy enough to avoid leaving data on the computer's hard drive. Consequently, the memory must be analyzed for forensic information.

<span class="mw-page-title-main">DynamoRIO</span> Software framework

DynamoRIO is a BSD-licensed dynamic binary instrumentation framework for the development of dynamic program analysis tools. DynamoRIO targets user space applications under the Android, Linux, and Windows operating systems running on the AArch32, IA-32, and x86-64 instruction set architectures.

OVPsim is a multiprocessor platform emulator used to run unchanged production binaries of the target hardware. It has public APIs allowing users to create their own processor, peripheral and platform models. Various models are available as open source. OVPsim is a key component of the Open Virtual Platforms initiative (OVP), an organization created to promote the use of open virtual platforms for embedded software development. OVPsim requires OVP registration to download.

GraalVM is a Java Development Kit (JDK) written in Java. The open-source distribution of GraalVM is based on OpenJDK, and the enterprise distribution is based on Oracle JDK. As well as just-in-time (JIT) compilation, GraalVM can compile a Java application ahead of time. This allows for faster initialization, greater runtime performance, and decreased resource consumption, but the resulting executable can only run on the platform it was compiled for.

<span class="mw-page-title-main">Radare2</span> Free framework for reverse-engineering software

Radare2 is a complete framework for reverse-engineering and analyzing binaries; composed of a set of small utilities that can be used together or independently from the command line. Built around a disassembler for computer software which generates assembly language source code from machine-executable code, it supports a variety of executable formats for different processor architectures and operating systems.

References

  1. 1 2 Payne, Bryan D. (2011), "Virtual Machine Introspection", in van Tilborg, Henk C. A.; Jajodia, Sushil (eds.), Encyclopedia of Cryptography and Security, Boston, MA: Springer US, pp. 1360–1362, doi:10.1007/978-1-4419-5906-5_647, ISBN   978-1-4419-5906-5 , retrieved 2023-10-13
  2. LibVMI: Simplified Virtual Machine Introspection, libvmi, 2023-10-10, retrieved 2023-10-13
  3. https://suif.stanford.edu/papers/vmi-ndss03.pdf A Virtual Machine Introspection Based Architecture for Intrusion Detection
  4. "Remote Debugging Using WinDbg - Windows drivers". learn.microsoft.com. 2021-12-15. Retrieved 2023-10-13.
  5. https://sourceware.org/gdb/onlinedocs/gdb/Server.html Using the gdbserver Program
  6. "Virtual Machine Introspection - Xen". wiki.xenproject.org. Retrieved 2023-10-13.
  7. Dovgalyuk, Pavel; Fursova, Natalia; Vasiliev, Ivan; Makarov, Vladimir (2017-08-21). "QEMU-based framework for non-intrusive virtual machine instrumentation and introspection". Proceedings of the 2017 11th Joint Meeting on Foundations of Software Engineering. ESEC/FSE 2017. New York, NY, USA: Association for Computing Machinery. pp. 944–948. doi:10.1145/3106237.3122817. ISBN   978-1-4503-5105-8. S2CID   43470460.
  8. Cisco-Talos/pyrebox, Cisco Talos, 2023-10-12, retrieved 2023-10-13
  9. https://github.com/volatilityfoundation/volatility Volatile memory extraction utility framework
This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.