Secure and robust monitoring of virtual machines through guest-assisted introspection


Abstract

Current monitoring solutions for virtual machines do not incorporate both security and robustness. Out-of-guest applications achieve security by using virtual machine introspection and not relying on in-guest components, but do not achieve robustness due to the semantic gap. In-guest applications achieve robustness by utilizing guest OS code for monitoring, but not security, since an attacker can tamper with this code and the application itself. In this paper we propose SYRINGE, a secure and robust infrastructure for monitoring virtual machines. SYRINGE protects the monitoring application by placing it in a separate virtual machine (as with the out-of-guest approach) but at the same time allowing it to invoke guest functions (as with the in-guest approach), using a technique known as function-call injection. SYRINGE verifies the secure execution of the invoked guest OS code by using another technique, localized shepherding. The combination of these two techniques allows SYRINGE to incorporate the best of out-of-guest monitoring with that of in-guest monitoring. We implemented a prototype of SYRINGE as a Linux application to monitor a guest running Windows XP and have evaluated its performance and security. We also implemented a monitoring application built on top of SYRINGE to demonstrate its usefulness. Our results show that for a calling period of 1 second, the performance overhead created in the guest by this application is 8%. © 2012 Springer-Verlag.

Cite

Carbone, M., Conover, M., Montague, B., & Lee, W. (2012). Secure and robust monitoring of virtual machines through guest-assisted introspection. In Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) (Vol. 7462 LNCS, pp. 22–41). https://doi.org/10.1007/978-3-642-33338-5_2
