Prof. Hans P. Reiser
Stewart Sentanoe
Benjamin Taubmann
Noëlle Rakotondravony
Virtual machine introspection (VMI) is a technique to analyze the internal state of a target virtual machine from the outside. It is well-established for tasks such as intrusion detection, malware analysis, and forensics. Compared to approaches that analyze the internal state from inside the target, VMI-based data acquisition benefits from the strong isolation provided by the hypervisor and is significantly more stealthy and tamper-proof.
This project will significantly advance the state of the art of VMI. The main objectives are as follows:
In summary, the overall goal of this project is threefold: to enable VMI on systems where introspection is not feasible with today's tools and libraries, to enable the acquisition of significantly more detailed information using in-depth memory introspection and a variety of VMI-based tracing mechanisms, and to enable a human operator to better control these mechanisms and visualize the resulting data.
We plan to integrate our innovative algorithms and strategies into an open-source prototype for enhanced virtual machine introspection, which also supports the development of high-level tools for attack detection, analysis and prevention.
Deutsche Forschungsgemeinschaft
S. Sentanoe, T. Dangl and H. P. Reiser, "KVMIveggur: Flexible, secure, and efficient support for self-service virtual machine introspection", Forensic Science International: Digital Investigation, vol. 42 S, 2022. Elsevier.
S. Sentanoe and H. P. Reiser, "SSHkex: Leveraging virtual machine introspection for extracting SSH keys and decrypting SSH network traffic", Forensic Science International: Digital Investigation, vol. 40, 2022.
DOI: https://doi.org/10.1016/j.fsidi.2022.301337
File: https://www.sciencedirect.com/science/article/pii/S2666281722000063
T. Dangl, S. Sentanoe and H. P. Reiser, "VMIFresh: Efficient and Fresh Caches for Virtual Machine Introspection" in Proceedings of the 17th International Conference on Availability, Reliability and Security, New York, NY, USA: Association for Computing Machinery, 2022.
ISBN: 9781450396707
A. Abdelraoof, H. P. Reiser and B. Taubmann, "Introspect Virtual Machines Like It Is the Linux Kernel!" in 18th Int. Conf. on Detection of Intrusions and Malware, and Vulnerability Assessment (DIMVA'2021), 2021.
T. Dangl, B. Taubmann and H. P. Reiser, "RapidVMI: Fast and multi-core aware active virtual machine introspection" in Proc. of the 16th International Conference on Availability, Reliability and Security (ARES 2021), 2021.
T. Dangl, B. Taubmann and H. P. Reiser, "Agent-based file extraction using virtual machine introspection" in Proc. of the 25th Nordic Conference on Secure IT Systems (NordSec), 2020.
B. Taubmann and H. P. Reiser, "Towards Hypervisor Support for Enhancing the Performance of Virtual Machine Introspection" in Proc. of the 20th Int. Conf. on Distributed Applications and Interoperable Systems (DAIS), Cham: Springer International Publishing, 2020, pp. 41-54.
DOI: 10.1007/978-3-030-50323-9_3
ISBN: 978-3-030-50323-9
N. Rakotondravony, B. Taubmann, S. Sentanoe and H. P. Reiser, "Poster: Reconfigurable monitoring and performance awareness in VMI-based SIEM systems" in 2019 IEEE Security and Privacy Poster, San Francisco, CA, USA, May 20-22, 2019.
B. Taubmann, A. Böhm and H. P. Reiser, "TwinPorter - An Architecture For Enabling the Live Migration of VMI-based Monitored Virtual Machines" in The 18th IEEE International Conference on Trust, Security and Privacy in Computing and Communications (IEEE TrustCom'19), 2019.
S. Sentanoe, B. Taubmann and H. P. Reiser, "VMIGuard: Detecting and Preventing Service Integrity Violations by Malicious Insiders Using Virtual Machine Introspection" in Proc. of the 24th Nordic Conference on Secure IT Systems (NordSec), 2019, pp. 271-282.
M. Guerra, B. Taubmann, H. P. Reiser, S. Yalew and M. Correia, "Introspection for ARM TrustZone with the ITZ Library" in Proc. of the 18th IEEE Int. Conf. on Software Quality, Reliability, and Security, 2018.
S. Sentanoe, B. Taubmann and H. P. Reiser, "Sarracenia: Enhancing the Performance and Stealthiness of SSH Honeypots using Virtual Machine Introspection" in Proc. of the 23rd Nordic Conference on Secure IT Systems, 2018.