Authors: Stewart Sentanoe (University of Passau), Thomas Dangl (University of Passau), and Hans P. Reiser (University of Passau)
DFRWS USA 2022
Abstract
Virtual machine introspection (VMI) has evolved into a widely used technique for purposes such as digital forensics, intrusion detection, and malware analysis. The recent integration of enhanced VMI capabilities into KVM further facilitates the use of VMI. A significant obstacle, however, remains: VMI usually requires highly privileged access to the host system. Existing research prototypes that address this issue either target only the Xen hypervisor, are extremely slow, offer only a subset of the desired functionality, or are hard to deploy in real-life systems. We present our flexible KVMIveggur architecture as a novel solution to these challenges. It offers three flavors of isolation (using containers, virtual machines, and network remote access), all of which enable access control for secure self-service VMI in cloud environments. It enables the full use of passive and active VMI, supports continuous monitoring even during live VM migration, and can be tailored for low overhead and minimal resource utilization on the host system. The experimental evaluation of our prototype demonstrates the feasibility and efficiency of our approach and provides detailed insights into the differences between the three flavors.