ARADIA: Cross-platform architecture for user-centric static and dynamic virtual machine introspection
Virtual machine introspection (VMI) is a technique for analyzing the internal state of a target virtual machine from the outside, i.e. from the hypervisor or a privileged monitoring domain. It is well established for tasks such as intrusion detection, malware analysis, and forensics. Compared to approaches that analyze the internal state from inside the target, VMI-based data acquisition benefits from the strong isolation provided by the hypervisor: because the monitoring code does not run inside the guest, it is much harder for a compromised guest to detect or tamper with it. The price is the semantic gap: the hypervisor sees only raw memory and CPU state, so the introspection tool must reconstruct operating-system level abstractions (processes, open files, network connections) from that low-level data.
This project will significantly advance the state of the art of VMI. The main objectives are as follows:
- Investigation of novel approaches for in-depth memory introspection: Efficient algorithms shall enable the introspection of guests that themselves execute a nested hypervisor or virtual containers, fine-grained semantic interpretation of guest memory at low cost, and precise control over when memory introspection takes place.
- VMI-based event tracing: In contrast to existing systems that use a single tracing source (such as system calls), our goal is to integrate multiple event sources, enable the correlation of events from these sources, and support flexible on-demand orchestration of mechanisms, which helps to minimize the run-time overhead while acquiring highly detailed information.
- Investigating the problem of secure and efficient deployment of VMI applications in real-world environments, such as private and public cloud infrastructures and mobile platforms. The lack of such deployment support is the most severe limitation of most existing VMI-based systems.
- Making VMI more accessible for human system operators: The crucial step of any form of VMI-based analysis is the extraction of actionable information from low-level data. The expected results are an architecture for storing and post-processing VMI data to make it easily accessible, novel concepts for visualizing the combined data from multiple memory introspection and tracing sources, and mechanisms to dynamically control VMI-based data acquisition.
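To make the semantic-gap problem behind these objectives concrete, here is an added Python example that is not part of the project or its prototype. It assumes a hypothetical task-structure layout (`PROFILE`), a flat guest-memory buffer in which addresses are plain byte offsets (a real VMI tool would read guest memory through a hypervisor interface and translate virtual addresses via the guest's page tables), and a constructed set of processes. It walks the kernel's circular process list the way an introspection tool does, then cross-checks the result against a pointer-validity scan of the whole buffer to expose a process that was unlinked from the list, which is the classic rootkit hiding technique VMI is used to detect.

```python
"""Reconstructing a process list from a raw guest-memory snapshot.

Constructed example: the task layout, addresses and processes below are
invented for illustration and do not correspond to any real kernel.
"""
import struct

MEM_SIZE = 4096   # size of the synthetic guest memory (assumption)
TASK_BASE = 0x400 # where the synthetic tasks are placed (assumption)

# Hypothetical profile: byte offsets inside one task structure. Real
# profiles are derived from the guest kernel's debug symbols.
PROFILE = {
    "task_size": 64,
    "pid": 0,        # u32
    "comm": 8,       # NUL-padded process name
    "comm_len": 16,
    "tasks": 32,     # embedded list_head {next: u64, prev: u64}
}


def read_u32(mem, addr):
    return struct.unpack_from("<I", mem, addr)[0]


def read_u64(mem, addr):
    return struct.unpack_from("<Q", mem, addr)[0]


def build_guest_memory(procs, hidden=()):
    """Serialize procs [(pid, name), ...] into a guest-memory image.

    Returns (memory bytes, address of the first task). Processes whose
    name is in `hidden` are written to memory but unlinked from the
    circular list, leaving their own pointers intact, exactly as a
    DKOM-style rootkit would hide them."""
    size, off = PROFILE["task_size"], PROFILE["tasks"]
    n = len(procs)
    addrs = [TASK_BASE + i * size for i in range(n)]
    nxt = [(i + 1) % n for i in range(n)]
    prv = [(i - 1) % n for i in range(n)]
    for i, (_, name) in enumerate(procs):
        if name in hidden:
            nxt[prv[i]] = nxt[i]   # neighbours bypass task i
            prv[nxt[i]] = prv[i]
    mem = bytearray(MEM_SIZE)
    for i, (pid, name) in enumerate(procs):
        a = addrs[i]
        struct.pack_into("<I", mem, a + PROFILE["pid"], pid)
        raw = name.encode()[: PROFILE["comm_len"] - 1]
        mem[a + PROFILE["comm"]: a + PROFILE["comm"] + PROFILE["comm_len"]] = \
            raw.ljust(PROFILE["comm_len"], b"\0")
        # list pointers address the embedded list_head, not the task itself
        struct.pack_into("<QQ", mem, a + off, addrs[nxt[i]] + off, addrs[prv[i]] + off)
    return bytes(mem), addrs[0]


def read_task(mem, addr):
    """Semantic interpretation of one task structure: (pid, name)."""
    pid = read_u32(mem, addr + PROFILE["pid"])
    start = addr + PROFILE["comm"]
    raw = mem[start: start + PROFILE["comm_len"]]
    return pid, raw.split(b"\0", 1)[0].decode("ascii", "replace")


def walk_task_list(mem, init_task):
    """Follow task->tasks.next from init_task until the ring closes."""
    off = PROFILE["tasks"]
    seen, out, addr = set(), [], init_task
    while addr not in seen:
        if not 0 <= addr <= len(mem) - PROFILE["task_size"]:
            raise ValueError(f"task pointer 0x{addr:x} outside guest memory")
        seen.add(addr)
        out.append(read_task(mem, addr))
        addr = read_u64(mem, addr + off) - off   # container_of(list_head)
    return out


def _is_list_head(ptr, mem_len):
    size, off = PROFILE["task_size"], PROFILE["tasks"]
    return ptr >= off and (ptr - off) % size == 0 and ptr - off + size <= mem_len


def scan_for_tasks(mem):
    """Signature scan independent of the list linkage an attacker controls:
    a slot is a task if both list pointers address a plausible list_head
    and the name field is printable."""
    size, off = PROFILE["task_size"], PROFILE["tasks"]
    found = []
    for addr in range(0, len(mem) - size + 1, size):
        nxt, prv = read_u64(mem, addr + off), read_u64(mem, addr + off + 8)
        if not (_is_list_head(nxt, len(mem)) and _is_list_head(prv, len(mem))):
            continue
        pid, comm = read_task(mem, addr)
        if comm and comm.isprintable():
            found.append((addr, pid, comm))
    return found


def find_hidden_processes(mem, init_task):
    """Cross-view check: tasks the scan finds but the list walk does not."""
    listed = {pid for pid, _ in walk_task_list(mem, init_task)}
    return [(pid, comm) for _, pid, comm in scan_for_tasks(mem) if pid not in listed]


if __name__ == "__main__":
    procs = [(0, "swapper"), (1, "init"), (742, "sshd"), (1337, "rootkitd"), (2001, "bash")]
    mem, init = build_guest_memory(procs, hidden={"rootkitd"})
    print("list walk :", walk_task_list(mem, init))
    print("hidden    :", find_hidden_processes(mem, init))
```

The cross-view comparison is the point: the list walk is exactly what an in-guest tool like `ps` relies on, and it is fooled by the unlinked task, while the scan over the raw snapshot, which only the out-of-guest vantage point provides, still finds it. In practice the validity rules of the scan and the structure offsets are the fragile part, which is why the profile must match the guest kernel precisely.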
In summary, the overall goal of this project is to enable VMI on systems on which introspection is not feasible with today's tools and libraries, to enable the acquisition of significantly more detailed information using in-depth memory introspection and a variety of VMI-based tracing mechanisms, and to enable a human operator to better control these mechanisms and visualize the resulting data.
We plan to integrate our innovative algorithms and strategies into an open-source prototype for enhanced virtual machine introspection, which also supports the development of high-level tools for attack detection, analysis and prevention.
| Principal Investigator(s) at the University | Prof. Dr. Hans P. Reiser (Juniorprofessur für Sicherheit in Informationssystemen, i.e. Junior Professorship for Security in Information Systems) |
|---|---|
| Project period | 01.01.2018 - 31.12.2019 |
| Source of funding | DFG - Deutsche Forschungsgemeinschaft > DFG - Sachbeihilfe (Research Grants programme) |