Virtual machine introspection

Last updated

In computing, virtual machine introspection (VMI) is a technique "for monitoring the runtime state of a system-level virtual machine (VM)", which is helpful for debugging or forensic analysis. [1] [2]

Contents

The term introspection in application to the virtual machines was introduced by Garfinkel and Rosenblum. [3] They invented an approach for "protecting a security application from attack by malicious software" and called it VMI. Now VMI is a common term for different virtual machine forensics and analysis methods. VMI-based approaches are widely used for security applications, software debugging, and systems management. [1]

VMI tools may be located inside or outside the virtual machine and act by tracking the events (interrupts, memory writes, and so on) or sending the requests to the virtual machine. Virtual machine monitor usually provides low-level information like raw bytes of the memory. Converting this low-level view into something meaningful for the user is known as the semantic gap problem. Solving this problem requires analysis and understanding of the systems being monitored.

VMI within the virtual machine

Programs running inside VM may provide information about other processes. This information may be sent through network interface or some virtual devices like serial port. The examples of in vivo introspection programs are WinDbg [4] or GDB [5] servers that interact with the remote debugger.

The drawback of this approach is that it requires functioning OS within the VM. If OS hangs or isn't loaded yet, the introspection agent couldn't work.

VMI outside the virtual machine

VMI tools may be implemented within the virtual machine monitor [6] [7] or as a separate programs [8] that capture information (e.g., contents of the memory) from the virtual machine monitor. Then this data has to be interpreted to understand the processes in the system. One of the popular tools for such interpretation is Volatility framework. [9] This framework contains profiles for many popular operating systems and may extract different information like process tree or list of the kernel objects.

Related Research Articles

<span class="mw-page-title-main">GNU Debugger</span> Source-level debugger

The GNU Debugger (GDB) is a portable debugger that runs on many Unix-like systems and works for many programming languages, including Ada, Assembly, C, C++, D, Fortran, Go, Objective-C, OpenCL C, Modula-2, Pascal, Rust, and partially others.

In computing, a virtual machine (VM) is the virtualization or emulation of a computer system. Virtual machines are based on computer architectures and provide the functionality of a physical computer. Their implementations may involve specialized hardware, software, or a combination of the two. Virtual machines differ and are organized by their function, shown here:

In computing, a core dump, memory dump, crash dump, storage dump, system dump, or ABEND dump consists of the recorded state of the working memory of a computer program at a specific time, generally when the program has crashed or otherwise terminated abnormally. In practice, other key pieces of program state are usually dumped at the same time, including the processor registers, which may include the program counter and stack pointer, memory management information, and other processor and operating system flags and information. A snapshot dump is a memory dump requested by the computer operator or by the running program, after which the program is able to continue. Core dumps are often used to assist in diagnosing and debugging errors in computer programs.

<span class="mw-page-title-main">Debugger</span> Computer program used to test and debug other programs

A debugger or debugging tool is a computer program used to test and debug other programs. The main use of a debugger is to run the target program under controlled conditions that permit the programmer to track its execution and monitor changes in computer resources that may indicate malfunctioning code. Typical debugging facilities include the ability to run or halt the target program at specific points, display the contents of memory, CPU registers or storage devices, and modify memory or register contents in order to enter selected test data that might be a cause of faulty program execution.

SoftICE is a kernel mode debugger for DOS and Windows up to Windows XP. It is designed to run underneath Windows, so that the operating system is unaware of its presence. Unlike an application debugger, SoftICE is capable of suspending all operations in Windows when instructed. Because of its low-level capabilities, SoftICE is also popular as a software cracking tool.

<span class="mw-page-title-main">Valgrind</span> Programming tool for profiling, memory debugging and memory leak detection

Valgrind is a programming tool for memory debugging, memory leak detection, and profiling.

WinDbg is a multipurpose debugger for the Microsoft Windows computer operating system, distributed by Microsoft. Debugging is the process of finding and resolving errors in a system; in computing it also includes exploring the internal operation of software as a help to development. It can be used to debug user mode applications, device drivers, and the operating system itself in kernel mode.

<span class="mw-page-title-main">VMware ESXi</span> Enterprise-class, type-1 hypervisor for deploying and serving virtual computers

VMware ESXi is an enterprise-class, type-1 hypervisor developed by VMware for deploying and serving virtual computers. As a type-1 hypervisor, ESXi is not a software application that is installed on an operating system (OS); instead, it includes and integrates vital OS components, such as a kernel.

VisualVM is a tool that provides a visual interface for viewing detailed information about Java applications while they are running on a Java Virtual Machine (JVM). VisualVM organizes JVM data that is retrieved by the Java Development Kit (JDK) tools and presents the information in a way that allows data on multiple Java applications to be quickly viewed—both local applications and applications that are running on remote hosts. Programmers can also capture data about the JVM software and save the data to the local system, and then view the data later or share it with others. VisualVM is built on the NetBeans Platform; its architecture is modular and easy to extend with plugins.

ptrace is a system call found in Unix and several Unix-like operating systems. By using ptrace one process can control another, enabling the controller to inspect and manipulate the internal state of its target. ptrace is used by debuggers and other code-analysis tools, mostly as aids to software development.

The Java Development Kit (JDK) is a distribution of Java Technology by Oracle Corporation. It implements the Java Language Specification (JLS) and the Java Virtual Machine Specification (JVMS) and provides the Standard Edition (SE) of the Java Application Programming Interface (API). It is derivative of the community driven OpenJDK which Oracle stewards. It provides software for working with Java applications. Examples of included software are the virtual machine, a compiler, performance monitoring tools, a debugger, and other utilities that Oracle considers useful for a Java programmer.

In computer programming and software development, debugging is the process of finding and resolving bugs within computer programs, software, or systems.

Memory forensics is forensic analysis of a computer's memory dump. Its primary application is investigation of advanced computer attacks which are stealthy enough to avoid leaving data on the computer's hard drive. Consequently, the memory (RAM) must be analyzed for forensic information.

<span class="mw-page-title-main">DynamoRIO</span> Software framework

DynamoRIO is a BSD-licensed dynamic binary instrumentation framework for the development of dynamic program analysis tools. DynamoRIO targets user space applications under the Android, Linux, and Windows operating systems running on the AArch32, IA-32, and x86-64 instruction set architectures.

OVPsim is a multiprocessor platform emulator used to run unchanged production binaries of the target hardware. It has public APIs allowing users to create their own processor, peripheral and platform models. Various models are available as open source. OVPsim is a key component of the Open Virtual Platforms initiative (OVP), an organization created to promote the use of open virtual platforms for embedded software development. OVPsim requires OVP registration to download.

<span class="mw-page-title-main">GraalVM</span>

GraalVM is a Java Development Kit (JDK), written in Java. The open-source distribution of GraalVM is based on OpenJDK, and the enterprise distribution is based on Oracle JDK. As well as just-in-time (JIT) compilation, GraalVM can compile a Java application ahead-of-time so that it starts instantly, provides peak performance with no warmup, and uses fewer resources. It provides additional programming languages and execution modes. The first production-ready release, GraalVM 19.0, was distributed in May 2019. The most recent release is GraalVM for JDK 21, made available in September 2023.

<span class="mw-page-title-main">Radare2</span>

Radare2 is a complete framework for reverse-engineering and analyzing binaries; composed of a set of small utilities that can be used together or independently from the command line. Built around a disassembler for computer software which generates assembly language source code from machine-executable code, it supports a variety of executable formats for different processor architectures and operating systems.

References

  1. 1 2 Payne, Bryan D. (2011), "Virtual Machine Introspection", in van Tilborg, Henk C. A.; Jajodia, Sushil (eds.), Encyclopedia of Cryptography and Security, Boston, MA: Springer US, pp. 1360–1362, doi:10.1007/978-1-4419-5906-5_647, ISBN   978-1-4419-5906-5 , retrieved 2023-10-13
  2. LibVMI: Simplified Virtual Machine Introspection, libvmi, 2023-10-10, retrieved 2023-10-13
  3. https://suif.stanford.edu/papers/vmi-ndss03.pdf A Virtual Machine Introspection Based Architecture for Intrusion Detection
  4. "Remote Debugging Using WinDbg - Windows drivers". learn.microsoft.com. 2021-12-15. Retrieved 2023-10-13.
  5. https://sourceware.org/gdb/onlinedocs/gdb/Server.html Using the gdbserver Program
  6. "Virtual Machine Introspection - Xen". wiki.xenproject.org. Retrieved 2023-10-13.
  7. Dovgalyuk, Pavel; Fursova, Natalia; Vasiliev, Ivan; Makarov, Vladimir (2017-08-21). "QEMU-based framework for non-intrusive virtual machine instrumentation and introspection". Proceedings of the 2017 11th Joint Meeting on Foundations of Software Engineering. ESEC/FSE 2017. New York, NY, USA: Association for Computing Machinery. pp. 944–948. doi:10.1145/3106237.3122817. ISBN   978-1-4503-5105-8. S2CID   43470460.
  8. Cisco-Talos/pyrebox, Cisco Talos, 2023-10-12, retrieved 2023-10-13
  9. https://github.com/volatilityfoundation/volatility Volatile memory extraction utility framework
This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.