Zero-Footprint Guest Memory Introspection from Xen
Improving VM Introspection Using Hardware Virtualization Extensions
Xen Project Developer Summit (XPDS14), August 18th, 2014
Mihai Donțu, Technical Project Manager, Bitdefender
Ravi Sahita, Principal Engineer, Intel
www.bitdefender.com (slides dated 8/25/2014)

Outline

• Security issues
• Memory introspection
  o Operation
  o Evolution
• XenAccess and mem-events enhancements
• Sample usages
• Hardware acceleration for memory introspection
• Conclusions

Security issues we are facing today

• Advanced malware types
  o Rootkits
  o Kernel exploits
  o Zero-days
• APTs, botnets, cyber-espionage and so on heavily rely on those…

Security issues we are facing today (2)

Security issues we are facing today (3)

Malware today executes in the same context and with the same privileges as anti-malware software: a lack-of-isolation problem.

[Diagram: two copies of a guest stack (OS kernel, drivers, App1 (Office), App2 (Browser), security solution and security filter). Left, "Common Malware": isolation is kernel-controlled. Right, "Advanced Malware": isolation is bypassed and malware-controlled.]
Conclusion: advanced attacks evade traditional security solutions

Envision the big picture

So… what's the big difference?

[Diagram: Xen Hypervisor hosting dom0, an SVA (domU0) that runs the Memory Introspection Engine, and guests domU1, domU2 … domUN; a protected area is marked.]

Memory introspection: Envision the big picture

[Diagram: same layout as before (Xen Hypervisor, dom0, SVA (domU0) with the Memory Introspection Engine, domU1 … domUN, protected area). The isolation is hypervisor-controlled and hardware-enforced ("STRONG ISOLATION"). Two further placements of the engine are shown as "Introspection Engine Alternative 2" and "Introspection Engine Alternative 3".]

Envision the big picture: What is memory introspection?

• Address a number of security issues from outside the guest OS, without relying on functionality that can be rendered unreliable by advanced malware
• Analyze the raw memory image of the guest OS, services and user-mode applications, then identify
  o kernel memory areas
  o driver objects, driver code, IDT, etc.
  o user memory areas
  o process code, process stack, process heap, etc.

Memory introspection: How does it work?

• Use existing hardware virtualization extensions (Intel EPT / AMD RVI)
• Set hooks on guest OS memory
  o mark 4K pages as non-execute or non-writable
  o hooking & notification must be supported efficiently by the HV & CPU
• Audit access to those areas by the code running in the VM (OS or apps)
  o write attempts (driver objects, fast I/O tables, page tables)
  o execution attempts
• Allow or deny attempts; the decision is provided by the security logic

Memory introspection: How does it work? (2)

[Diagram: the guest VM physical memory space is split into OS kernel code, kernel driver code and data, kernel data (SSDT, IDT, …), user-mode code, and user-mode stacks & heaps. EPT-protected areas provide detection of various OS-level changes (e.g. new module load, new process start, …) and detection of attempts at, and protection against, integrity violation.]

Memory introspection: How does it work? (3)

• Building a reliable image of the guest OS state
  o what objects are inside a guest VM?
  o what operations are being performed inside a guest VM?
  o object and event identification and correlation is done by the introspection engine, to decide event and object maliciousness
• Using hooks we can detect numerous events, including
  o a driver / kernel module is loaded or unloaded
  o a new user process or thread is created
  o user stack / heap is allocated
  o memory is being paged in / out

Memory introspection: How does it work? (4)

[Diagram contrasting the two models.]
Traditional in-guest security solution: a typical anti-malware kernel module inside the OS kernel reads memory by virtual address, reads files, the registry, …, enumerates processes, files, …, and sets up well-known callbacks & notifications (e.g. "New process PID 0x1234", "HKLM...").
Out-of-guest memory introspection: the Memory Introspection Engine, through the Xen hypervisor, reads memory by physical address, reads vCPU registers, and sets up EPT hooks on memory pages (by physical address); it then receives notifications such as "Write / Execute attempt on PA 0x000A12345678, RAX = 0x1234, RIP = 0x7890".

Memory introspection: Two big challenges

• Bridging the semantic gap: obtain rich semantics from only raw physical memory pages and virtual CPU registers
  o how do we correlate 4K memory pages with semantically rich and meaningful OS-specific data structures?
  o to be solved by security solution vendors
• Forward lots of mem-event notifications with low overhead to the introspection engine
  o to be solved by hypervisor and CPU vendors

Memory introspection evolution

• 2003 – Garfinkel & Rosenblum: "A Virtual Machine Introspection Based Architecture for Intrusion Detection"
  o the starting point for a considerable amount of academic research
• 2006 – Jiang & Wang: "'Out-of-the-box' Monitoring of VM-based High-Interaction Honeypots"
• 2008 – Dinaburg et al.: "Ether: Malware Analysis via Hardware Virtualization Extensions"
  o built on top of Xen 3.1
• 2008 – VMsafe API announced by VMware, which provides access to a guest's:
  o CPU, memory, disk, I/O devices etc.
  o supported memory introspection for vSphere / ESXi
• 2010 – VMware vShield Endpoint (as a replacement for the VMsafe API)
  o in-guest agent based
  o file introspection only
• 2012 – VMware deprecates VMsafe

Memory introspection in Xen

• 2007 – XenAccess, XenProbes
• 2008 – Lares
• 2009 – first patches for the mem-events API
• 2010 – LibVMI – uses XenAccess and XenStore
  o targets Xen, but support for other HVs can be added
  o insufficient flexibility in changing page permissions
  o no support for mapping guest memory RW
  o insufficient information about the guest CPUs
  o high overhead when reading the vCPU register state
  o a 'complete' initialization requires intimate knowledge about the guest OS
  o code for handling specific guest OSes (Windows, with Linux in the works)

XenAccess and mem-events enhancements

• 2014 – Bitdefender published a set of patches (as RFC) to enhance the mem-events API
  o implements its own version of LibVMI
  o simpler API
  o nothing [guest] OS specific
  o support for other HVs can be added
  o allows mapping guest memory (via EPT)
  o uses a very simple page cache to optimize (un)maps
  o optimized access to specific resources
• Some patches went into mainline, others will follow shortly

XenAccess and mem-events enhancements (2)

[Diagram: a mem-event notification travels from domU1 through the Xen Hypervisor to the Memory Introspection Engine in the SVA (domU0). The notification carries, among other fields:]
    uint32_t flags;
    uint32_t vcpu_id;
    uint64_t gfn;
    …
    mem_event_regs_t regs;
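The EPT-hook audit described on the "How does it work?" slides, worked through on the notification fields shown above as an added example (not Bitdefender's or Xen's code): a simplified mem-event record with the slide's field names, a constructed hook table giving each protected frame its permitted accesses, and the allow/deny decision of the security logic replayed over a constructed event stream. The struct layout, the access-bit encoding in `flags`, the register subset and the gfn values are all assumptions.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Access bits carried in the notification's flags field (constructed encoding;
 * Xen's real mem_event_request_t carries more fields than modelled here). */
#define MEM_ACCESS_R 0x1u
#define MEM_ACCESS_W 0x2u
#define MEM_ACCESS_X 0x4u

typedef struct {               /* subset of vCPU state delivered with the event (assumed) */
    uint64_t rax;
    uint64_t rip;
} mem_event_regs_t;

typedef struct {               /* simplified model of the notification on the slide */
    uint32_t flags;            /* which access was attempted */
    uint32_t vcpu_id;
    uint64_t gfn;              /* guest frame number whose EPT hook fired */
    mem_event_regs_t regs;
} mem_event_t;

typedef struct {               /* one protected 4K frame and the accesses the policy permits */
    uint64_t gfn;
    uint32_t allowed;          /* MEM_ACCESS_* bits */
    const char *label;
} hook_t;

/* Constructed hook table in the spirit of slide 11: kernel code may execute,
 * SSDT/IDT are read-only, user heap is writable but must never execute.
 * The gfn values are placeholders, not a real guest layout. */
static const hook_t hooks[] = {
    { 0x1a000, MEM_ACCESS_R | MEM_ACCESS_X, "kernel code" },
    { 0x1b000, MEM_ACCESS_R,                "SSDT/IDT"    },
    { 0x7f000, MEM_ACCESS_R | MEM_ACCESS_W, "user heap"   },
};
#define NHOOKS (sizeof(hooks) / sizeof(hooks[0]))

enum verdict { ALLOW = 0, DENY = 1 };

static const hook_t *find_hook(uint64_t gfn)
{
    for (size_t i = 0; i < NHOOKS; i++)
        if (hooks[i].gfn == gfn)
            return &hooks[i];
    return NULL;
}

/* Security logic for one notification: compare the attempted access with the
 * policy for that frame. An event on a frame we never hooked has nothing to enforce. */
enum verdict handle_mem_event(const mem_event_t *ev)
{
    const hook_t *h = find_hook(ev->gfn);
    if (h == NULL)
        return ALLOW;
    uint32_t violating = ev->flags & ~h->allowed;
    if (violating == 0)
        return ALLOW;
    printf("vcpu %u: %s%s%s attempt on %s (gfn 0x%llx) at rip 0x%llx -> DENY\n",
           ev->vcpu_id,
           (violating & MEM_ACCESS_R) ? "R" : "",
           (violating & MEM_ACCESS_W) ? "W" : "",
           (violating & MEM_ACCESS_X) ? "X" : "",
           h->label, (unsigned long long)ev->gfn, (unsigned long long)ev->regs.rip);
    return DENY;
}

/* Replay a constructed event stream through the handler; returns how many
 * attempts the policy denied. */
int replay_sample_events(void)
{
    const mem_event_t stream[] = {
        { MEM_ACCESS_X, 0, 0x1a000, { 0x1234, 0xfffff80001000000ull } }, /* kernel code executes */
        { MEM_ACCESS_W, 1, 0x1b000, { 0x0000, 0xfffff88003000000ull } }, /* driver patches the SSDT */
        { MEM_ACCESS_W, 0, 0x7f000, { 0x0000, 0x00007ff600001000ull } }, /* ordinary heap write */
        { MEM_ACCESS_X, 0, 0x7f000, { 0x0000, 0x00007ff600001000ull } }, /* code runs from the heap */
        { MEM_ACCESS_R, 2, 0x90000, { 0x0000, 0x00007ff600002000ull } }, /* frame we never hooked */
    };
    int denied = 0;
    for (size_t i = 0; i < sizeof(stream) / sizeof(stream[0]); i++)
        if (handle_mem_event(&stream[i]) == DENY)
            denied++;
    return denied;
}

int main(void)
{
    printf("%d of 5 sample events denied\n", replay_sample_events());
    return 0;
}
```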

Example use of the extended API

[Diagram: Xen Hypervisor with dom0 and the SVA (domU0) hosting the Memory Introspection Engine. Protected areas inside a guest: critical kernel modules, App1, App2, … (their code, stacks, heaps, IAT, …). Mem-events and VMCALLs are facilitated by Xen.]

Example use of the extended API (2)

• Bitdefender's own introspection engine can
  o protect the kernel from known rootkit hooking techniques
  o protect user processes (e.g. browsers, MS Office, Adobe Reader, …) from
    o code injection
    o function detouring
    o code execution from stack / heap
    o unpacked malicious code
  o inject remediation tools into the guest on-the-fly (no help from 'within' needed)
• Runs in userspace in a user domain (SVA – Security Virtual Appliance)
• Introspection logic has very small overhead
  o the bulk of the overhead comes from sending / receiving events and calls between the protected guest VMs and the SVA

Hardware Acceleration for Memory Introspection
Ravi Sahita, Intel

Hardware Acceleration for Memory Introspection

• Factors limiting VM memory monitoring performance
• Addressing lack of memory isolation
• Addressing performance gaps for execution and data access-control policies
• Xen extensions

Factors Limiting VM Memory Monitoring Performance

• Round-trip time
  – Monitoring execution and data accesses
  – Dynamic data structures imply high-frequency events
• Filtering events
  – Monitoring data accesses requires filtering non-interesting events due to 4K page sharing
• Further, round-trip time is amplified with VMM nesting

Multiple EPTs as Protection Domains

[Diagram: on CPU0 (Intel® VT-x with EPT), the hypervisor maintains several Extended Page Table (EPT) domains for VM0; the EPT walker resolves each to a host physical address. Every domain assigns its own permissions to the same guest memory: OS kernel code/data RX/RW in one domain and RO/NP in another; driver code RX in one and RO in another; data RW in one and NP in another. Execution crossing EPT domains, or data accesses, cause events.]
(Intel® Virtualization Technology for IA-32, Intel® 64 and Intel® Architecture (Intel® VT-x))

Addressing Lack of Isolation…

[Diagram: Xen manages the EPT domains, setting policy and receiving events; the CPU enforces them, giving hypervisor-derived isolation.]

…Without Sacrificing Performance

• Must allow for legal execution of components isolated in permission domains
• Each execution transfer across domains leads to VM exits that the hypervisor must mediate
• As components are isolated via domains, numerous execution transfers are induced
• A high frequency of such VM exits to the hypervisor causes overhead
• Eliminate these induced VM exits on legal control transfers

[Diagram: kernel modules, a security module and a process isolated in separate domains; legal control transfers between them currently go through the hypervisor.]

VM Functions: Hypercalls Without VM Exits

• VM Functions: Intel® VT-x extensions for services configured by the hypervisor
  – Different VM Functions correspond to different services
• Hypervisor configures VM Functions via new fields in the VMCS
• Guest software invokes VM Functions via a new instruction (VMFUNC <leaf>)
  – The value in EAX specifies which VM Function leaf is invoked
• CPU provides the services as configured, with no VM exit
(Intel® Virtualization Technology for IA-32, Intel® 64 and Intel® Architecture (Intel® VT-x))

VMFUNC-based Domain Switching

• Paravirtualized software can request a protection-domain switch via VMFUNC (specifying a domain index)
• Hypervisor pre-configures the mapping from domain index to EPTPs
• Hypervisor pre-configures the domain boundaries
• View switching to speed up access-control policies

[Diagram: on CPU0 (Intel® VT-x with EPT), VM0 issues VMFUNC (EPTP switch); the EPT walker then uses the selected entry of the alternate Extended Page Table (EPT) list to reach the host physical address.]
(Intel® Virtualization Technology for IA-32, Intel® 64 and Intel® Architecture (Intel® VT-x))

Asynchronous Induced VM Exits

• In VM-introspection scenarios, critical data is monitored in place
• Legacy approaches are to VM exit and emulate the access
• Alternatively, VM exit and switch views to single-step the guest (MTF)
• A high frequency of writes to monitored data causes high overhead
• Requires custom logic in the VMM, increasing complexity/state in the hypervisor

[Diagram: a ring-0 monitoring agent in the guest kernel; the hypervisor holds the EPT domains and the access policy. Flow: 1. view policies are set; 2. a WRITE to monitored memory causes an EPT-violation VM exit; 3. VMResume into a single-step memory view to perform the access; 4. VM exit after the access completes; 5. VMResume (or emulation in the hypervisor).]

Accelerating Induced Events

• Via Virtualization Exception (#VE)
  – Mutates EPT violations into a new IA exception, delivered through the guest IDT
• VMM enables EPT-violation conversion to #VE
• Data-access monitoring view policies are set up in EPT domains
• Data access causes #VE instead of a VM exit
• Guest monitoring agent can emulate in guest OR use VMFUNC to single-step the access

[Diagram: the hypervisor (VMX root) holds the EPT domains and the access policy (1. policies). In the kernel (VMX non-root), a WRITE to monitored memory raises #VE with #VE info; the monitoring service 1. handles #VE, 2. sets up the single step (VMFUNC into the single-step memory view) or emulates, and 3. completes the single step (VMFUNC back) or the in-guest emulation.]

VMFUNC Configuration

• Hypervisor checks the IA32_VMX_VMFUNC MSR for allowed VM-function controls
• Opts in by setting "Enable VM functions" in the secondary processor-based VM-execution controls field
• Activates "EPTP switching" by setting bit 0 in the VM-function control
• Configures alternate EPTP values in memory referenced via a VMCS field
• Guest software uses the VMFUNC opcode with leaf selector EAX=0 and ECX containing the index of the EPTP (view) selected
• Errors are reported to the hypervisor via VM exits

[Diagram of the fields involved: IA32_VMX_VMFUNC MSR (index 491H); "Enable VM functions" VM-execution control (bit 13) in the secondary processor-based VM-execution controls (VMCS); "EPTP switching" (bit 0) in the new VM-function control (VMCS); the EPTP-list address (VMCS) pointing to an in-memory list of 512 alternate EPTPs, entries 0 … 511.]

Virtualization Exception (#VE) Configuration

• Enumerated by the VMM via a capability MSR
• Set the VMCS "Enable VE" bit
• Negotiate the "VE Info" page with the hypervisor
• #VE is delivered through the guest IDT
• Suppress-VE EPTE bit 63
  – Set on pages the VMM does not want to cause a #VE for

[Diagram of the fields involved: IA32_VMX_PROCBASED_CTLS2 (48Bh) bit 50 enumerates the capability; "Enable VE" VM-execution control (bit 18) in the secondary processor-based VM-execution controls (VMCS); the VE Information Address (VMCS, new) points to an in-memory VE info page holding Exit Reason, Suppress, Exit Qualification, Guest Linear Address, Guest Physical Address and EPTP Index.]
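An added example (not Intel's or Xen's code) that models the VMFUNC and #VE configuration just listed together with the #VE handler flow of the "Accelerating Induced Events" slide: the hypervisor opts in only if the IA32_VMX_VMFUNC MSR enumerates EPTP switching, the guest switches views with VMFUNC leaf EAX=0 and an ECX index, an EPT violation becomes a #VE unless the suppress bit (EPTE bit 63) is set, and the in-guest agent single-steps a permitted write through a second view. Bit positions are the ones named on the slides; the structs, the two-frame guest, the reading of the VE-info "Suppress" word as a busy flag, and the `writer_trusted` policy decision are constructed assumptions.

```c
#include <stdint.h>
#include <stdbool.h>

/* Bit positions are the ones the slides name (Intel VT-x); the structs around
 * them are a constructed model for illustration, not the real VMCS layout. */
#define IA32_VMX_VMFUNC_EPTP_SWITCHING (1ull << 0)   /* capability MSR 491H, bit 0 */
#define SEC_CTL_ENABLE_VM_FUNCTIONS    (1u << 13)
#define SEC_CTL_ENABLE_VE              (1u << 18)
#define VMFUNC_CTL_EPTP_SWITCHING      (1ull << 0)
#define EPTP_LIST_ENTRIES              512
#define EPTE_SUPPRESS_VE               (1ull << 63)
#define EXIT_REASON_EPT_VIOLATION      48
enum { EPTE_R = 1, EPTE_W = 2, EPTE_X = 4 };          /* EPTE permission bits */

typedef struct { uint64_t epte[2]; } ept_view_t;      /* one EPT domain (view); frame 0 = agent code, frame 1 = monitored data */
typedef struct {
    uint64_t vmfunc_caps;            /* what the CPU enumerates */
    uint32_t secondary_ctls;
    uint64_t vm_function_ctl;
    ept_view_t **eptp_list;          /* the page behind "EPTP-list address" */
    int nviews;
    uint16_t cur_view;               /* active EPTP index */
} vcpu_t;
typedef struct {                     /* #VE information area */
    uint32_t exit_reason;
    uint32_t busy;                   /* "Suppress" word: 0xFFFFFFFF while a #VE is being handled (assumed) */
    uint64_t exit_qual;              /* bit 0 read, bit 1 write, bit 2 fetch (subset modelled) */
    uint64_t gpa;
    uint16_t eptp_index;             /* view active when the violation happened */
} ve_info_t;
enum outcome { ACCESS_OK, VE_DELIVERED, VM_EXIT, VMFUNC_FAULT, BLOCKED };

/* Hypervisor side (slides 31/32): opt in only if the CPU enumerates support. */
bool hv_configure(vcpu_t *v, ept_view_t **views, int nviews)
{
    if (!(v->vmfunc_caps & IA32_VMX_VMFUNC_EPTP_SWITCHING) || nviews > EPTP_LIST_ENTRIES)
        return false;
    v->secondary_ctls |= SEC_CTL_ENABLE_VM_FUNCTIONS | SEC_CTL_ENABLE_VE;
    v->vm_function_ctl |= VMFUNC_CTL_EPTP_SWITCHING;
    v->eptp_list = views;
    v->nviews = nviews;
    v->cur_view = 0;
    return true;
}

/* Guest side: VMFUNC, EAX=0 (EPTP switching), ECX=view index; a disabled leaf or bad index is a VM exit. */
enum outcome vmfunc(vcpu_t *v, uint32_t eax, uint32_t ecx)
{
    if (eax != 0 || !(v->secondary_ctls & SEC_CTL_ENABLE_VM_FUNCTIONS) ||
        !(v->vm_function_ctl & VMFUNC_CTL_EPTP_SWITCHING) ||
        ecx >= (uint32_t)v->nviews || !v->eptp_list[ecx])
        return VMFUNC_FAULT;
    v->cur_view = (uint16_t)ecx;
    return ACCESS_OK;
}

/* A guest access in the active view: permitted, turned into #VE, or a VM exit (no #VE, suppress bit, or #VE pending). */
enum outcome guest_access(vcpu_t *v, int frame, uint64_t access, ve_info_t *ve)
{
    uint64_t e = v->eptp_list[v->cur_view]->epte[frame];
    if ((e & access) == access)
        return ACCESS_OK;
    if (!(v->secondary_ctls & SEC_CTL_ENABLE_VE) || (e & EPTE_SUPPRESS_VE) || ve->busy)
        return VM_EXIT;
    ve->exit_reason = EXIT_REASON_EPT_VIOLATION;
    ve->busy = 0xFFFFFFFFu;
    ve->exit_qual = access;
    ve->gpa = (uint64_t)frame << 12;
    ve->eptp_index = v->cur_view;
    return VE_DELIVERED;
}

/* In-guest agent's #VE handler (slide 30): policy, switch to the single-step view, redo, switch back, re-arm. */
enum outcome ve_handler(vcpu_t *v, ve_info_t *ve, uint16_t step_view, bool writer_trusted)
{
    if (ve->exit_reason != EXIT_REASON_EPT_VIOLATION || !ve->busy)
        return VM_EXIT;              /* not an EPT #VE of ours: leave it to the hypervisor */
    if (!writer_trusted) { ve->busy = 0; return BLOCKED; }   /* the write never lands */
    if (vmfunc(v, 0, step_view) != ACCESS_OK)
        return VMFUNC_FAULT;
    enum outcome r = guest_access(v, (int)(ve->gpa >> 12), ve->exit_qual, ve); /* now permitted */
    vmfunc(v, 0, ve->eptp_index);    /* back to the restrictive view */
    ve->busy = 0;                    /* re-arm #VE delivery */
    return r;
}

/* Constructed scenario: view 0 keeps the monitored frame read-only, view 1 opens it RW; a trusted write needs no VM exit. */
enum outcome demo_trusted_write(void)
{
    ept_view_t views[2] = { {{ EPTE_R | EPTE_X, EPTE_R }}, {{ EPTE_R | EPTE_X, EPTE_R | EPTE_W }} };
    ept_view_t *list[2] = { &views[0], &views[1] };
    vcpu_t v = { .vmfunc_caps = IA32_VMX_VMFUNC_EPTP_SWITCHING };
    ve_info_t ve = { 0 };
    if (!hv_configure(&v, list, 2) || guest_access(&v, 1, EPTE_W, &ve) != VE_DELIVERED)
        return VM_EXIT;
    enum outcome r = ve_handler(&v, &ve, 1, true);
    return (v.cur_view == 0 && ve.busy == 0) ? r : VM_EXIT;   /* must be back in view 0, re-armed */
}
```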

Xen Extensions

1. Efficiently creating and maintaining alternate EPT views/domains via extension of the p2m
2. Hypercalls to edit EPT permissions without conflicting with Xen EPT management
3. Report guest-specific memory events via #VE in a Xen-compatible manner (Suppress-#VE EPTE bit)
4. Enabling CPU acceleration if VMFUNC and #VE are CPU-enumerated and opted in

[Diagram: Xen Hypervisor with domU0 … domUN, each running a Security Engine over its own EPT domains; the CPU delivers #VE into the guests.]

VM Introspection Performance Improvements

• Round-trip time
  – VMFUNC to allow safe, fast memory view (EPT) switches
  – VM exits mutated to #VE for guest memory monitoring
• Filtering events
  – Reduced latency of #VE event handling reduces the overhead of filtering events
• Round-trip time amplification due to VMM nesting
  – No VM exits to the root VMM implies no amplification of VM exits due to EPT violations
• Scalable runtime memory introspection without VT overheads

Conclusions

• Today Xen can be the base for providing a much improved layer of security, and serves as a model for other HV vendors
  o Truly agentless security (zero in-guest footprint)
  o IT admins can deploy introspection-based solutions seamlessly, without changing a single line of config inside the guest VMs
• Hardware-enforced isolation (against kernel exploits, zero-days, …)
• Hardware extensions enable intra-VM isolation, enabling protected agent-based introspection for high-frequency access monitoring and agent isolation
• Both models require straightforward Xen infrastructure changes (multi-EPT views, hardware acceleration capabilities)
Thank you! 
enterprise.bitdefender.com
Xen revisited
 
The lies we tell our code, LinuxCon/CloudOpen 2015-08-18
The lies we tell our code, LinuxCon/CloudOpen 2015-08-18The lies we tell our code, LinuxCon/CloudOpen 2015-08-18
The lies we tell our code, LinuxCon/CloudOpen 2015-08-18
 
Secure Containers with EPT Isolation
Secure Containers with EPT IsolationSecure Containers with EPT Isolation
Secure Containers with EPT Isolation
 
ICALEPCS 2011: Testing Environments using Virtualization
ICALEPCS 2011: Testing Environments using VirtualizationICALEPCS 2011: Testing Environments using Virtualization
ICALEPCS 2011: Testing Environments using Virtualization
 
The Lies We Tell Our Code (#seascale 2015 04-22)
The Lies We Tell Our Code (#seascale 2015 04-22)The Lies We Tell Our Code (#seascale 2015 04-22)
The Lies We Tell Our Code (#seascale 2015 04-22)
 
Review of Hardware based solutions for trusted cloud computing.pptx
Review of Hardware based solutions for trusted cloud computing.pptxReview of Hardware based solutions for trusted cloud computing.pptx
Review of Hardware based solutions for trusted cloud computing.pptx
 
Secure Application Development in the Age of Continuous Delivery
Secure Application Development in the Age of Continuous DeliverySecure Application Development in the Age of Continuous Delivery
Secure Application Development in the Age of Continuous Delivery
 
Secure Application Development in the Age of Continuous Delivery
Secure Application Development in the Age of Continuous DeliverySecure Application Development in the Age of Continuous Delivery
Secure Application Development in the Age of Continuous Delivery
 
Security best practices for hyper v and server virtualisation [svr307]
Security best practices for hyper v and server virtualisation [svr307]Security best practices for hyper v and server virtualisation [svr307]
Security best practices for hyper v and server virtualisation [svr307]
 
Software update for embedded systems
Software update for embedded systemsSoftware update for embedded systems
Software update for embedded systems
 
Project ACRN CSE Virtualization
Project ACRN CSE VirtualizationProject ACRN CSE Virtualization
Project ACRN CSE Virtualization
 
Unikernels: the rise of the library hypervisor in MirageOS
Unikernels: the rise of the library hypervisor in MirageOSUnikernels: the rise of the library hypervisor in MirageOS
Unikernels: the rise of the library hypervisor in MirageOS
 
UKC - Feb 2013 - Analyzing the security of Windows 7 and Linux for cloud comp...
UKC - Feb 2013 - Analyzing the security of Windows 7 and Linux for cloud comp...UKC - Feb 2013 - Analyzing the security of Windows 7 and Linux for cloud comp...
UKC - Feb 2013 - Analyzing the security of Windows 7 and Linux for cloud comp...
 
Freeze Drying for Capturing Environment-Sensitive Malware Alive
Freeze Drying for Capturing Environment-Sensitive Malware AliveFreeze Drying for Capturing Environment-Sensitive Malware Alive
Freeze Drying for Capturing Environment-Sensitive Malware Alive
 
Sierraware ARM hypervisor
Sierraware ARM hypervisor Sierraware ARM hypervisor
Sierraware ARM hypervisor
 
Qinghai Tang, pacsec english-version-final
Qinghai Tang, pacsec english-version-finalQinghai Tang, pacsec english-version-final
Qinghai Tang, pacsec english-version-final
 
Handout2o
Handout2oHandout2o
Handout2o
 
Unikernels: Rise of the Library Hypervisor
Unikernels: Rise of the Library HypervisorUnikernels: Rise of the Library Hypervisor
Unikernels: Rise of the Library Hypervisor
 

More from The Linux Foundation

ELC2019: Static Partitioning Made Simple
ELC2019: Static Partitioning Made SimpleELC2019: Static Partitioning Made Simple
ELC2019: Static Partitioning Made Simple
The Linux Foundation
 
XPDDS19 Keynote: Xen in Automotive - Artem Mygaiev, Director, Technology Solu...
XPDDS19 Keynote: Xen in Automotive - Artem Mygaiev, Director, Technology Solu...XPDDS19 Keynote: Xen in Automotive - Artem Mygaiev, Director, Technology Solu...
XPDDS19 Keynote: Xen in Automotive - Artem Mygaiev, Director, Technology Solu...
The Linux Foundation
 
XPDDS19 Keynote: Xen Project Weather Report 2019 - Lars Kurth, Director of Op...
XPDDS19 Keynote: Xen Project Weather Report 2019 - Lars Kurth, Director of Op...XPDDS19 Keynote: Xen Project Weather Report 2019 - Lars Kurth, Director of Op...
XPDDS19 Keynote: Xen Project Weather Report 2019 - Lars Kurth, Director of Op...
The Linux Foundation
 
XPDDS19 Keynote: Unikraft Weather Report
XPDDS19 Keynote:  Unikraft Weather ReportXPDDS19 Keynote:  Unikraft Weather Report
XPDDS19 Keynote: Unikraft Weather Report
The Linux Foundation
 
XPDDS19 Keynote: Secret-free Hypervisor: Now and Future - Wei Liu, Software E...
XPDDS19 Keynote: Secret-free Hypervisor: Now and Future - Wei Liu, Software E...XPDDS19 Keynote: Secret-free Hypervisor: Now and Future - Wei Liu, Software E...
XPDDS19 Keynote: Secret-free Hypervisor: Now and Future - Wei Liu, Software E...
The Linux Foundation
 
XPDDS19 Keynote: Xen Dom0-less - Stefano Stabellini, Principal Engineer, Xilinx
XPDDS19 Keynote: Xen Dom0-less - Stefano Stabellini, Principal Engineer, XilinxXPDDS19 Keynote: Xen Dom0-less - Stefano Stabellini, Principal Engineer, Xilinx
XPDDS19 Keynote: Xen Dom0-less - Stefano Stabellini, Principal Engineer, Xilinx
The Linux Foundation
 
XPDDS19 Keynote: Patch Review for Non-maintainers - George Dunlap, Citrix Sys...
XPDDS19 Keynote: Patch Review for Non-maintainers - George Dunlap, Citrix Sys...XPDDS19 Keynote: Patch Review for Non-maintainers - George Dunlap, Citrix Sys...
XPDDS19 Keynote: Patch Review for Non-maintainers - George Dunlap, Citrix Sys...
The Linux Foundation
 
XPDDS19: Memories of a VM Funk - Mihai Donțu, Bitdefender
XPDDS19: Memories of a VM Funk - Mihai Donțu, BitdefenderXPDDS19: Memories of a VM Funk - Mihai Donțu, Bitdefender
XPDDS19: Memories of a VM Funk - Mihai Donțu, Bitdefender
The Linux Foundation
 
OSSJP/ALS19: The Road to Safety Certification: Overcoming Community Challeng...
OSSJP/ALS19:  The Road to Safety Certification: Overcoming Community Challeng...OSSJP/ALS19:  The Road to Safety Certification: Overcoming Community Challeng...
OSSJP/ALS19: The Road to Safety Certification: Overcoming Community Challeng...
The Linux Foundation
 
OSSJP/ALS19: The Road to Safety Certification: How the Xen Project is Making...
 OSSJP/ALS19: The Road to Safety Certification: How the Xen Project is Making... OSSJP/ALS19: The Road to Safety Certification: How the Xen Project is Making...
OSSJP/ALS19: The Road to Safety Certification: How the Xen Project is Making...
The Linux Foundation
 
XPDDS19: Speculative Sidechannels and Mitigations - Andrew Cooper, Citrix
XPDDS19: Speculative Sidechannels and Mitigations - Andrew Cooper, CitrixXPDDS19: Speculative Sidechannels and Mitigations - Andrew Cooper, Citrix
XPDDS19: Speculative Sidechannels and Mitigations - Andrew Cooper, Citrix
The Linux Foundation
 
XPDDS19: Keeping Coherency on Arm: Reborn - Julien Grall, Arm ltd
XPDDS19: Keeping Coherency on Arm: Reborn - Julien Grall, Arm ltdXPDDS19: Keeping Coherency on Arm: Reborn - Julien Grall, Arm ltd
XPDDS19: Keeping Coherency on Arm: Reborn - Julien Grall, Arm ltd
The Linux Foundation
 
XPDDS19: QEMU PV Backend 'qdevification'... What Does it Mean? - Paul Durrant...
XPDDS19: QEMU PV Backend 'qdevification'... What Does it Mean? - Paul Durrant...XPDDS19: QEMU PV Backend 'qdevification'... What Does it Mean? - Paul Durrant...
XPDDS19: QEMU PV Backend 'qdevification'... What Does it Mean? - Paul Durrant...
The Linux Foundation
 
XPDDS19: Status of PCI Emulation in Xen - Roger Pau Monné, Citrix Systems R&D
XPDDS19: Status of PCI Emulation in Xen - Roger Pau Monné, Citrix Systems R&DXPDDS19: Status of PCI Emulation in Xen - Roger Pau Monné, Citrix Systems R&D
XPDDS19: Status of PCI Emulation in Xen - Roger Pau Monné, Citrix Systems R&D
The Linux Foundation
 
XPDDS19: [ARM] OP-TEE Mediator in Xen - Volodymyr Babchuk, EPAM Systems
XPDDS19: [ARM] OP-TEE Mediator in Xen - Volodymyr Babchuk, EPAM SystemsXPDDS19: [ARM] OP-TEE Mediator in Xen - Volodymyr Babchuk, EPAM Systems
XPDDS19: [ARM] OP-TEE Mediator in Xen - Volodymyr Babchuk, EPAM Systems
The Linux Foundation
 
XPDDS19: Bringing Xen to the Masses: The Story of Building a Community-driven...
XPDDS19: Bringing Xen to the Masses: The Story of Building a Community-driven...XPDDS19: Bringing Xen to the Masses: The Story of Building a Community-driven...
XPDDS19: Bringing Xen to the Masses: The Story of Building a Community-driven...
The Linux Foundation
 
XPDDS19: Will Robots Automate Your Job Away? Streamlining Xen Project Contrib...
XPDDS19: Will Robots Automate Your Job Away? Streamlining Xen Project Contrib...XPDDS19: Will Robots Automate Your Job Away? Streamlining Xen Project Contrib...
XPDDS19: Will Robots Automate Your Job Away? Streamlining Xen Project Contrib...
The Linux Foundation
 
XPDDS19: Client Virtualization Toolstack in Go - Nick Rosbrook & Brendan Kerr...
XPDDS19: Client Virtualization Toolstack in Go - Nick Rosbrook & Brendan Kerr...XPDDS19: Client Virtualization Toolstack in Go - Nick Rosbrook & Brendan Kerr...
XPDDS19: Client Virtualization Toolstack in Go - Nick Rosbrook & Brendan Kerr...
The Linux Foundation
 
XPDDS19: Core Scheduling in Xen - Jürgen Groß, SUSE
XPDDS19: Core Scheduling in Xen - Jürgen Groß, SUSEXPDDS19: Core Scheduling in Xen - Jürgen Groß, SUSE
XPDDS19: Core Scheduling in Xen - Jürgen Groß, SUSE
The Linux Foundation
 
XPDDS19: Implementing AMD MxGPU - Jonathan Farrell, Assured Information Security
XPDDS19: Implementing AMD MxGPU - Jonathan Farrell, Assured Information SecurityXPDDS19: Implementing AMD MxGPU - Jonathan Farrell, Assured Information Security
XPDDS19: Implementing AMD MxGPU - Jonathan Farrell, Assured Information Security
The Linux Foundation
 

More from The Linux Foundation (20)

ELC2019: Static Partitioning Made Simple
ELC2019: Static Partitioning Made SimpleELC2019: Static Partitioning Made Simple
ELC2019: Static Partitioning Made Simple
 
XPDDS19 Keynote: Xen in Automotive - Artem Mygaiev, Director, Technology Solu...
XPDDS19 Keynote: Xen in Automotive - Artem Mygaiev, Director, Technology Solu...XPDDS19 Keynote: Xen in Automotive - Artem Mygaiev, Director, Technology Solu...
XPDDS19 Keynote: Xen in Automotive - Artem Mygaiev, Director, Technology Solu...
 
XPDDS19 Keynote: Xen Project Weather Report 2019 - Lars Kurth, Director of Op...
XPDDS19 Keynote: Xen Project Weather Report 2019 - Lars Kurth, Director of Op...XPDDS19 Keynote: Xen Project Weather Report 2019 - Lars Kurth, Director of Op...
XPDDS19 Keynote: Xen Project Weather Report 2019 - Lars Kurth, Director of Op...
 
XPDDS19 Keynote: Unikraft Weather Report
XPDDS19 Keynote:  Unikraft Weather ReportXPDDS19 Keynote:  Unikraft Weather Report
XPDDS19 Keynote: Unikraft Weather Report
 
XPDDS19 Keynote: Secret-free Hypervisor: Now and Future - Wei Liu, Software E...
XPDDS19 Keynote: Secret-free Hypervisor: Now and Future - Wei Liu, Software E...XPDDS19 Keynote: Secret-free Hypervisor: Now and Future - Wei Liu, Software E...
XPDDS19 Keynote: Secret-free Hypervisor: Now and Future - Wei Liu, Software E...
 
XPDDS19 Keynote: Xen Dom0-less - Stefano Stabellini, Principal Engineer, Xilinx
XPDDS19 Keynote: Xen Dom0-less - Stefano Stabellini, Principal Engineer, XilinxXPDDS19 Keynote: Xen Dom0-less - Stefano Stabellini, Principal Engineer, Xilinx
XPDDS19 Keynote: Xen Dom0-less - Stefano Stabellini, Principal Engineer, Xilinx
 
XPDDS19 Keynote: Patch Review for Non-maintainers - George Dunlap, Citrix Sys...
XPDDS19 Keynote: Patch Review for Non-maintainers - George Dunlap, Citrix Sys...XPDDS19 Keynote: Patch Review for Non-maintainers - George Dunlap, Citrix Sys...
XPDDS19 Keynote: Patch Review for Non-maintainers - George Dunlap, Citrix Sys...
 
XPDDS19: Memories of a VM Funk - Mihai Donțu, Bitdefender
XPDDS19: Memories of a VM Funk - Mihai Donțu, BitdefenderXPDDS19: Memories of a VM Funk - Mihai Donțu, Bitdefender
XPDDS19: Memories of a VM Funk - Mihai Donțu, Bitdefender
 
OSSJP/ALS19: The Road to Safety Certification: Overcoming Community Challeng...
OSSJP/ALS19:  The Road to Safety Certification: Overcoming Community Challeng...OSSJP/ALS19:  The Road to Safety Certification: Overcoming Community Challeng...
OSSJP/ALS19: The Road to Safety Certification: Overcoming Community Challeng...
 
OSSJP/ALS19: The Road to Safety Certification: How the Xen Project is Making...
 OSSJP/ALS19: The Road to Safety Certification: How the Xen Project is Making... OSSJP/ALS19: The Road to Safety Certification: How the Xen Project is Making...
OSSJP/ALS19: The Road to Safety Certification: How the Xen Project is Making...
 
XPDDS19: Speculative Sidechannels and Mitigations - Andrew Cooper, Citrix
XPDDS19: Speculative Sidechannels and Mitigations - Andrew Cooper, CitrixXPDDS19: Speculative Sidechannels and Mitigations - Andrew Cooper, Citrix
XPDDS19: Speculative Sidechannels and Mitigations - Andrew Cooper, Citrix
 
XPDDS19: Keeping Coherency on Arm: Reborn - Julien Grall, Arm ltd
XPDDS19: Keeping Coherency on Arm: Reborn - Julien Grall, Arm ltdXPDDS19: Keeping Coherency on Arm: Reborn - Julien Grall, Arm ltd
XPDDS19: Keeping Coherency on Arm: Reborn - Julien Grall, Arm ltd
 
XPDDS19: QEMU PV Backend 'qdevification'... What Does it Mean? - Paul Durrant...
XPDDS19: QEMU PV Backend 'qdevification'... What Does it Mean? - Paul Durrant...XPDDS19: QEMU PV Backend 'qdevification'... What Does it Mean? - Paul Durrant...
XPDDS19: QEMU PV Backend 'qdevification'... What Does it Mean? - Paul Durrant...
 
XPDDS19: Status of PCI Emulation in Xen - Roger Pau Monné, Citrix Systems R&D
XPDDS19: Status of PCI Emulation in Xen - Roger Pau Monné, Citrix Systems R&DXPDDS19: Status of PCI Emulation in Xen - Roger Pau Monné, Citrix Systems R&D
XPDDS19: Status of PCI Emulation in Xen - Roger Pau Monné, Citrix Systems R&D
 
XPDDS19: [ARM] OP-TEE Mediator in Xen - Volodymyr Babchuk, EPAM Systems
XPDDS19: [ARM] OP-TEE Mediator in Xen - Volodymyr Babchuk, EPAM SystemsXPDDS19: [ARM] OP-TEE Mediator in Xen - Volodymyr Babchuk, EPAM Systems
XPDDS19: [ARM] OP-TEE Mediator in Xen - Volodymyr Babchuk, EPAM Systems
 
XPDDS19: Bringing Xen to the Masses: The Story of Building a Community-driven...
XPDDS19: Bringing Xen to the Masses: The Story of Building a Community-driven...XPDDS19: Bringing Xen to the Masses: The Story of Building a Community-driven...
XPDDS19: Bringing Xen to the Masses: The Story of Building a Community-driven...
 
XPDDS19: Will Robots Automate Your Job Away? Streamlining Xen Project Contrib...
XPDDS19: Will Robots Automate Your Job Away? Streamlining Xen Project Contrib...XPDDS19: Will Robots Automate Your Job Away? Streamlining Xen Project Contrib...
XPDDS19: Will Robots Automate Your Job Away? Streamlining Xen Project Contrib...
 
XPDDS19: Client Virtualization Toolstack in Go - Nick Rosbrook & Brendan Kerr...
XPDDS19: Client Virtualization Toolstack in Go - Nick Rosbrook & Brendan Kerr...XPDDS19: Client Virtualization Toolstack in Go - Nick Rosbrook & Brendan Kerr...
XPDDS19: Client Virtualization Toolstack in Go - Nick Rosbrook & Brendan Kerr...
 
XPDDS19: Core Scheduling in Xen - Jürgen Groß, SUSE
XPDDS19: Core Scheduling in Xen - Jürgen Groß, SUSEXPDDS19: Core Scheduling in Xen - Jürgen Groß, SUSE
XPDDS19: Core Scheduling in Xen - Jürgen Groß, SUSE
 
XPDDS19: Implementing AMD MxGPU - Jonathan Farrell, Assured Information Security
XPDDS19: Implementing AMD MxGPU - Jonathan Farrell, Assured Information SecurityXPDDS19: Implementing AMD MxGPU - Jonathan Farrell, Assured Information Security
XPDDS19: Implementing AMD MxGPU - Jonathan Farrell, Assured Information Security
 

Recently uploaded

AppSec PNW: Android and iOS Application Security with MobSF
AppSec PNW: Android and iOS Application Security with MobSFAppSec PNW: Android and iOS Application Security with MobSF
AppSec PNW: Android and iOS Application Security with MobSF
Ajin Abraham
 
Connector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectors
Connector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectorsConnector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectors
Connector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectors
DianaGray10
 
GraphRAG for LifeSciences Hands-On with the Clinical Knowledge Graph
GraphRAG for LifeSciences Hands-On with the Clinical Knowledge GraphGraphRAG for LifeSciences Hands-On with the Clinical Knowledge Graph
GraphRAG for LifeSciences Hands-On with the Clinical Knowledge Graph
Neo4j
 
The Microsoft 365 Migration Tutorial For Beginner.pptx
The Microsoft 365 Migration Tutorial For Beginner.pptxThe Microsoft 365 Migration Tutorial For Beginner.pptx
The Microsoft 365 Migration Tutorial For Beginner.pptx
operationspcvita
 
PRODUCT LISTING OPTIMIZATION PRESENTATION.pptx
PRODUCT LISTING OPTIMIZATION PRESENTATION.pptxPRODUCT LISTING OPTIMIZATION PRESENTATION.pptx
PRODUCT LISTING OPTIMIZATION PRESENTATION.pptx
christinelarrosa
 
Main news related to the CCS TSI 2023 (2023/1695)
Main news related to the CCS TSI 2023 (2023/1695)Main news related to the CCS TSI 2023 (2023/1695)
Main news related to the CCS TSI 2023 (2023/1695)
Jakub Marek
 
Biomedical Knowledge Graphs for Data Scientists and Bioinformaticians
Biomedical Knowledge Graphs for Data Scientists and BioinformaticiansBiomedical Knowledge Graphs for Data Scientists and Bioinformaticians
Biomedical Knowledge Graphs for Data Scientists and Bioinformaticians
Neo4j
 
Poznań ACE event - 19.06.2024 Team 24 Wrapup slidedeck
Poznań ACE event - 19.06.2024 Team 24 Wrapup slidedeckPoznań ACE event - 19.06.2024 Team 24 Wrapup slidedeck
Poznań ACE event - 19.06.2024 Team 24 Wrapup slidedeck
FilipTomaszewski5
 
A Deep Dive into ScyllaDB's Architecture
A Deep Dive into ScyllaDB's ArchitectureA Deep Dive into ScyllaDB's Architecture
A Deep Dive into ScyllaDB's Architecture
ScyllaDB
 
Leveraging the Graph for Clinical Trials and Standards
Leveraging the Graph for Clinical Trials and StandardsLeveraging the Graph for Clinical Trials and Standards
Leveraging the Graph for Clinical Trials and Standards
Neo4j
 
"$10 thousand per minute of downtime: architecture, queues, streaming and fin...
"$10 thousand per minute of downtime: architecture, queues, streaming and fin..."$10 thousand per minute of downtime: architecture, queues, streaming and fin...
"$10 thousand per minute of downtime: architecture, queues, streaming and fin...
Fwdays
 
Astute Business Solutions | Oracle Cloud Partner |
Astute Business Solutions | Oracle Cloud Partner |Astute Business Solutions | Oracle Cloud Partner |
Astute Business Solutions | Oracle Cloud Partner |
AstuteBusiness
 
Christine's Product Research Presentation.pptx
Christine's Product Research Presentation.pptxChristine's Product Research Presentation.pptx
Christine's Product Research Presentation.pptx
christinelarrosa
 
"Scaling RAG Applications to serve millions of users", Kevin Goedecke
"Scaling RAG Applications to serve millions of users",  Kevin Goedecke"Scaling RAG Applications to serve millions of users",  Kevin Goedecke
"Scaling RAG Applications to serve millions of users", Kevin Goedecke
Fwdays
 
Northern Engraving | Nameplate Manufacturing Process - 2024
Northern Engraving | Nameplate Manufacturing Process - 2024Northern Engraving | Nameplate Manufacturing Process - 2024
Northern Engraving | Nameplate Manufacturing Process - 2024
Northern Engraving
 
Introduction of Cybersecurity with OSS at Code Europe 2024
Introduction of Cybersecurity with OSS  at Code Europe 2024Introduction of Cybersecurity with OSS  at Code Europe 2024
Introduction of Cybersecurity with OSS at Code Europe 2024
Hiroshi SHIBATA
 
“Temporal Event Neural Networks: A More Efficient Alternative to the Transfor...
“Temporal Event Neural Networks: A More Efficient Alternative to the Transfor...“Temporal Event Neural Networks: A More Efficient Alternative to the Transfor...
“Temporal Event Neural Networks: A More Efficient Alternative to the Transfor...
Edge AI and Vision Alliance
 
Y-Combinator seed pitch deck template PP
Y-Combinator seed pitch deck template PPY-Combinator seed pitch deck template PP
Y-Combinator seed pitch deck template PP
c5vrf27qcz
 
JavaLand 2024: Application Development Green Masterplan
JavaLand 2024: Application Development Green MasterplanJavaLand 2024: Application Development Green Masterplan
JavaLand 2024: Application Development Green Masterplan
Miro Wengner
 
"What does it really mean for your system to be available, or how to define w...
"What does it really mean for your system to be available, or how to define w..."What does it really mean for your system to be available, or how to define w...
"What does it really mean for your system to be available, or how to define w...
Fwdays
 

Recently uploaded (20)

AppSec PNW: Android and iOS Application Security with MobSF
AppSec PNW: Android and iOS Application Security with MobSFAppSec PNW: Android and iOS Application Security with MobSF
AppSec PNW: Android and iOS Application Security with MobSF
 
Connector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectors
Connector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectorsConnector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectors
Connector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectors
 
GraphRAG for LifeSciences Hands-On with the Clinical Knowledge Graph
GraphRAG for LifeSciences Hands-On with the Clinical Knowledge GraphGraphRAG for LifeSciences Hands-On with the Clinical Knowledge Graph
GraphRAG for LifeSciences Hands-On with the Clinical Knowledge Graph
 
The Microsoft 365 Migration Tutorial For Beginner.pptx
The Microsoft 365 Migration Tutorial For Beginner.pptxThe Microsoft 365 Migration Tutorial For Beginner.pptx
The Microsoft 365 Migration Tutorial For Beginner.pptx
 
PRODUCT LISTING OPTIMIZATION PRESENTATION.pptx
PRODUCT LISTING OPTIMIZATION PRESENTATION.pptxPRODUCT LISTING OPTIMIZATION PRESENTATION.pptx
PRODUCT LISTING OPTIMIZATION PRESENTATION.pptx
 
Main news related to the CCS TSI 2023 (2023/1695)
Main news related to the CCS TSI 2023 (2023/1695)Main news related to the CCS TSI 2023 (2023/1695)
Main news related to the CCS TSI 2023 (2023/1695)
 
Biomedical Knowledge Graphs for Data Scientists and Bioinformaticians
Biomedical Knowledge Graphs for Data Scientists and BioinformaticiansBiomedical Knowledge Graphs for Data Scientists and Bioinformaticians
Biomedical Knowledge Graphs for Data Scientists and Bioinformaticians
 
Poznań ACE event - 19.06.2024 Team 24 Wrapup slidedeck
Poznań ACE event - 19.06.2024 Team 24 Wrapup slidedeckPoznań ACE event - 19.06.2024 Team 24 Wrapup slidedeck
Poznań ACE event - 19.06.2024 Team 24 Wrapup slidedeck
 
A Deep Dive into ScyllaDB's Architecture
A Deep Dive into ScyllaDB's ArchitectureA Deep Dive into ScyllaDB's Architecture
A Deep Dive into ScyllaDB's Architecture
 
Leveraging the Graph for Clinical Trials and Standards
Leveraging the Graph for Clinical Trials and StandardsLeveraging the Graph for Clinical Trials and Standards
Leveraging the Graph for Clinical Trials and Standards
 
"$10 thousand per minute of downtime: architecture, queues, streaming and fin...
"$10 thousand per minute of downtime: architecture, queues, streaming and fin..."$10 thousand per minute of downtime: architecture, queues, streaming and fin...
"$10 thousand per minute of downtime: architecture, queues, streaming and fin...
 
Astute Business Solutions | Oracle Cloud Partner |
Astute Business Solutions | Oracle Cloud Partner |Astute Business Solutions | Oracle Cloud Partner |
Astute Business Solutions | Oracle Cloud Partner |
 
Christine's Product Research Presentation.pptx
Christine's Product Research Presentation.pptxChristine's Product Research Presentation.pptx
Christine's Product Research Presentation.pptx
 
"Scaling RAG Applications to serve millions of users", Kevin Goedecke
"Scaling RAG Applications to serve millions of users",  Kevin Goedecke"Scaling RAG Applications to serve millions of users",  Kevin Goedecke
"Scaling RAG Applications to serve millions of users", Kevin Goedecke
 
Northern Engraving | Nameplate Manufacturing Process - 2024
Northern Engraving | Nameplate Manufacturing Process - 2024Northern Engraving | Nameplate Manufacturing Process - 2024
Northern Engraving | Nameplate Manufacturing Process - 2024
 
Introduction of Cybersecurity with OSS at Code Europe 2024
Introduction of Cybersecurity with OSS  at Code Europe 2024Introduction of Cybersecurity with OSS  at Code Europe 2024
Introduction of Cybersecurity with OSS at Code Europe 2024
 
“Temporal Event Neural Networks: A More Efficient Alternative to the Transfor...
“Temporal Event Neural Networks: A More Efficient Alternative to the Transfor...“Temporal Event Neural Networks: A More Efficient Alternative to the Transfor...
“Temporal Event Neural Networks: A More Efficient Alternative to the Transfor...
 
Y-Combinator seed pitch deck template PP
Y-Combinator seed pitch deck template PPY-Combinator seed pitch deck template PP
Y-Combinator seed pitch deck template PP
 
JavaLand 2024: Application Development Green Masterplan
JavaLand 2024: Application Development Green MasterplanJavaLand 2024: Application Development Green Masterplan
JavaLand 2024: Application Development Green Masterplan
 
"What does it really mean for your system to be available, or how to define w...
"What does it really mean for your system to be available, or how to define w..."What does it really mean for your system to be available, or how to define w...
"What does it really mean for your system to be available, or how to define w...
 

XPDS14 - Zero-Footprint Guest Memory Introspection from Xen - Mihai Dontu, Bitdefender and Ravi Sahita, Intel

9. Envision the big picture: What is memory introspection?
• Address a number of security issues from outside the guest OS without relying on functionality that can be rendered unreliable by advanced malware
• Analyze the raw memory image of the guest OS, services and user mode applications, then identify
  o kernel memory areas: driver objects, driver code, IDT, etc.
  o user memory areas: process code, process stack, process heap, etc.

10. Memory introspection: How does it work?
• Use existing hardware virtualization extensions (Intel EPT / AMD RVI)
• Set hooks on guest OS memory
  o mark 4K pages as non-execute or non-writable
  o hooking and notification must be supported efficiently by the hypervisor and the CPU
• Audit accesses to those areas by the code running in the VM (OS or apps)
  o write attempts (driver objects, fast I/O tables, page tables)
  o execution attempts
• Allow or deny attempts: the decision is provided by the security logic
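The hook-and-audit loop slide 10 describes, as an added C model that is not code from the slides, from Xen's mem_event/libxc API or from Bitdefender's engine: every 4K guest page carries EPT R/W/X bits, a hook strips W or X, an access the EPT no longer permits exits to the hypervisor and is forwarded as an event together with the vCPU registers, and out-of-guest security logic answers allow or deny. The memory layout (IDT at 0x1000, driver code at 0x5000, a user stack at 0x20000), the region labels and the policy are constructed assumptions for the example.

```c
/* Added example (not Xen's mem_event/libxc API): a model of the EPT hook
 * and audit loop on slide 10. Each 4K guest page carries EPT R/W/X bits; a
 * hook strips bits, an access the EPT forbids becomes a "mem event" carrying
 * the vCPU state, and out-of-guest security logic answers allow or deny. */
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

#define PG_SHIFT 12
#define NR_GUEST_PAGES 64           /* constructed guest: 256 KiB */

enum { EPT_R = 1, EPT_W = 2, EPT_X = 4 };   /* same meaning as EPT entry bits 0-2 */

/* What the security logic knows about a page, the "semantic" side */
enum region { REGION_UNKNOWN, REGION_KERNEL_CODE, REGION_DRIVER_CODE,
              REGION_IDT, REGION_USER_STACK };

struct ept_entry { uint8_t perm; enum region region; };
struct ept { struct ept_entry e[NR_GUEST_PAGES]; };
struct vcpu_regs { uint64_t rip, rax, cr3; };

/* One mem event: what the hypervisor forwards to the introspection engine */
struct mem_event { uint64_t gpa; uint8_t access; struct vcpu_regs regs; };

void ept_init(struct ept *ept)          /* no hooks: every page RWX */
{
    for (int i = 0; i < NR_GUEST_PAGES; i++)
        ept->e[i] = (struct ept_entry){ EPT_R | EPT_W | EPT_X, REGION_UNKNOWN };
}

/* Hypervisor side: hook a page by removing permissions ("mark 4K pages as
 * non-execute or non-writable"). Reads on a W-only hook still run at full
 * speed; only the stripped access types exit. */
bool ept_hook(struct ept *ept, uint64_t gpa, uint8_t strip, enum region r)
{
    uint64_t gfn = gpa >> PG_SHIFT;
    if (gfn >= NR_GUEST_PAGES) return false;
    ept->e[gfn].perm &= (uint8_t)~strip;
    ept->e[gfn].region = r;
    return true;
}

/* Security-logic side, an illustrative policy: writes to the IDT or to
 * kernel/driver code are integrity violations; execution from a user stack
 * is denied; anything else that traps is allowed (and would be logged). */
bool introspection_decide(const struct mem_event *ev, enum region r)
{
    if ((ev->access & EPT_W) && (r == REGION_IDT || r == REGION_KERNEL_CODE ||
                                 r == REGION_DRIVER_CODE))
        return false;
    if ((ev->access & EPT_X) && r == REGION_USER_STACK)
        return false;
    return true;
}

/* Hypervisor side: the guest touches gpa. If the EPT permits the access it
 * proceeds with no VM exit at all; otherwise an EPT violation exit occurs,
 * the event (with vCPU registers) is forwarded, and the decision returned. */
bool guest_access(struct ept *ept, uint64_t gpa, uint8_t access,
                  const struct vcpu_regs *regs, struct mem_event *out)
{
    uint64_t gfn = gpa >> PG_SHIFT;
    if (gfn >= NR_GUEST_PAGES) return false;
    if ((ept->e[gfn].perm & access) == access) return true;   /* fast path */
    struct mem_event ev = { .gpa = gpa, .access = access, .regs = *regs };
    if (out) *out = ev;
    return introspection_decide(&ev, ept->e[gfn].region);
}

/* Scenario on a constructed layout (IDT at 0x1000, driver code at 0x5000,
 * a user stack at 0x20000); returns how many accesses were denied */
int demo(void)
{
    struct ept ept;
    struct vcpu_regs regs = { .rip = 0x7890, .rax = 0x1234, .cr3 = 0x3000 };
    struct mem_event ev;
    int denied = 0;
    ept_init(&ept);
    ept_hook(&ept, 0x1000, EPT_W, REGION_IDT);
    ept_hook(&ept, 0x5000, EPT_W, REGION_DRIVER_CODE);
    ept_hook(&ept, 0x20000, EPT_X, REGION_USER_STACK);
    denied += !guest_access(&ept, 0x1008, EPT_W, &regs, &ev);   /* IDT patch: deny */
    denied += !guest_access(&ept, 0x1008, EPT_R, &regs, &ev);   /* IDT read: no exit */
    denied += !guest_access(&ept, 0x5010, EPT_X, &regs, &ev);   /* driver runs: allow */
    denied += !guest_access(&ept, 0x5010, EPT_W, &regs, &ev);   /* code patch: deny */
    denied += !guest_access(&ept, 0x20ff0, EPT_X, &regs, &ev);  /* stack exec: deny */
    return denied;
}

int main(void) { printf("denied accesses: %d\n", demo()); return 0; }
```

The point to keep in mind when placing hooks: a page hooked non-writable stays readable and executable with no VM exit, so a hook costs exits only for the access types it stripped. Reading guest data should go through the physical-address read path rather than through hooks; hooking pages you only need to read is what makes introspection expensive.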
  • 11. www.bitdefender.com 8/25/2014• 11 How does it work? 2 Memory introspection EPT protected areas provide detection for various OS level changes (ex. new module load, new process start, …) EPT protected areas provide detection for attempts & protection against integrity violation Guest VM PhysicalMemory Space OS kernel code kernel driver code and data kernel data SSDT, IDT, … user mode code user mode stacks & heaps
  • 12. www.bitdefender.com 8/25/2014• 12 •Building a reliable image of the guest OS state owhat objects are inside a guest VM? owhat operations are being performed inside a guest VM? oobject and event identification and correlation is done by the introspection engine –to decide event and object maliciousness •Using hooks we can detect numerous events, including oa driver / kernel module is loaded or unloaded oa new user process or thread is created ouser stack / heap is allocated omemory is being paged in / out How does it work? 3 Memory introspection
  • 13. www.bitdefender.com 8/25/2014• 13 How does it work? 4 Memory introspection Traditional in-guest security solution Out-of-guest memory introspection OS Kernel Typical Anti-Malware Kernel Module Read mem by Virtual Addr, read files, registry, … Enum processes, files, … 0101010011 MZ… Setup well-knowncallbacks & notifications New process PID 0x1234 HKLM... XEN Hypervisor Memory Introspection Engine Read mem by Physical AddrRead vCPUregisters 0101010011 Setup EPT hooks on mempages (by Physical Addr) Write / Execute attempt on PA 0x000A12345678 RAX = 0x1234RIP = 0x7890
  • 14. Two big challenges Memory introspection
    • bridging the semantic gap – obtain rich semantics from only raw physical memory pages and virtual CPU registers
      o how do we correlate 4K memory pages with semantically rich and meaningful OS specific data structures?
      o to be solved by security solution vendors
    • forward lots of mem-event notifications with low overhead to the introspection engine
      o to be solved by hypervisor and CPU vendors
  • 15. Memory introspection evolution
    • 2003 – Garfinkel & Rosenblum: “A Virtual Machine Introspection Based Architecture for Intrusion Detection”
      o the starting point for a considerable amount of academic research
    • 2006 – Jiang & Wang: “‘Out-of-the-box’ Monitoring of VM-based High-Interaction Honeypots”
    • 2008 – Dinaburg et al.: “Ether: Malware Analysis via Hardware Virtualization Extensions”
      o built on top of Xen 3.1
    • 2008 – VMsafe API announced by VMware, which provides access to a guest’s:
      o CPU, memory, disk, I/O devices etc.
      o supported memory introspection for vSphere / ESXi
    • 2010 – VMware vShield Endpoint (as a replacement for the VMsafe API)
      o in-guest agent based
      o file introspection only
    • 2012 – VMware deprecates VMsafe
  • 16. Memory introspection in Xen
    • 2007 – XenAccess, XenProbes
    • 2008 – Lares
    • 2009 – first patches for the mem-events API
    • 2010 – LibVMI – uses XenAccess and XenStore
      o targets Xen, but support for other HV-s can be added
      o insufficient flexibility in changing page permissions
      o no support for mapping guest memory RW
      o insufficient information about the guest CPUs
      o high overhead when reading the vCPU register state
      o a ‘complete’ initialization requires intimate knowledge about the guest OS
      o code for handling specific guest OS-s (Windows, with Linux in the works)
  • 17. XenAccess and mem-events enhancements
    • 2014 – Bitdefender published a set of patches (as RFC) to enhance the mem-events API
      o implements its own version of LibVMI
      o simpler API
      o nothing [guest] OS specific
      o support for other HV-s can be added
      o allows mapping guest memory (via EPT)
      o uses a very simple page cache to optimize (un)maps
      o optimized access to specific resources
    • Some patches went into mainline, others will follow shortly
  • 18. XenAccess and mem-events enhancements (2)
    (Diagram: a mem-event notification raised by domU1 travels from the Xen hypervisor to the Memory Introspection Engine running in the SVA (domU0))
    Fields of the notification shown on the slide:
      uint32_t flags;
      uint32_t vcpu_id;
      uint64_t gfn;
      …
      mem_event_regs_t regs;
  • 19. Example use of the extended API
    (Diagram: the Xen hypervisor hosts dom0, the SVA (domU0) with the Memory Introspection Engine, and a protected guest; the protected areas are critical kernel modules and the code, stacks, heaps, IAT, … of App1, App2, …; mem-events and VMCALLs between the guest and the SVA are facilitated by Xen)
  • 20. Example use of the extended API (2)
    • Bitdefender’s own introspection engine can
      o protect the kernel from known rootkit hooking techniques
      o protect user processes (e.g. browsers, MS Office, Adobe Reader, …) from
        o code injection
        o function detouring
        o code execution from stack / heap
        o unpacked malicious code
      o inject remediation tools into the guest on-the-fly (no help from ‘within’ needed)
    • Runs in userspace in a user domain (SVA – Security Virtual Appliance)
    • Introspection logic has very small overhead
      o bulk of the overhead is given by sending / receiving events and calls between protected guest VMs and SVA
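An added example, written here and not taken from the talk or from Bitdefender's engine: the allow/deny step of slide 10 applied to notifications shaped like the slide 18 record, with the kinds of policy slide 20 describes. The event struct, the hook table and the in-page offset field are constructed simplifications of Xen's mem-event API, not its real definitions.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>

/* Constructed, simplified notification mirroring the fields on slide 18
 * (flags, vcpu_id, gfn, registers); not Xen's real mem_event_request_t.
 * The in-page offset is an assumed field. */
#define MEV_READ  (1u << 0)
#define MEV_WRITE (1u << 1)
#define MEV_EXEC  (1u << 2)
typedef struct { uint64_t rax, rip; } regs_t;
typedef struct {
    uint32_t flags;    /* access type that tripped the EPT hook */
    uint32_t vcpu_id;
    uint64_t gfn;      /* guest frame number of the hooked 4K page */
    uint32_t offset;   /* byte offset of the access within the page */
    regs_t   regs;
} mem_event_t;

/* EPT permission the engine requested for a hooked page (slide 10) */
typedef enum { PROT_RX, PROT_RO, PROT_RW_NX } prot_t;
/* A hook covers a byte range of one page: 4K pages are shared, so accesses
 * outside the range are trapped by EPT but are not interesting (slide 23). */
typedef struct { uint64_t gfn; uint32_t lo, hi; prot_t prot; } hook_t;

/* Constructed hook table: kernel code RX, the first 2 KB of an SSDT page
 * RO, a user-mode stack page writable but never executable. */
static const hook_t hooks[] = {
    { 0x1000, 0x000, 0xfff, PROT_RX    },
    { 0x2000, 0x000, 0x7ff, PROT_RO    },
    { 0x7f00, 0x000, 0xfff, PROT_RW_NX },
};
typedef enum { DENY, ALLOW, FILTERED } decision_t;

/* Security logic: turn one notification into the allow/deny answer the
 * engine returns to Xen; FILTERED means allow without raising an alert. */
decision_t audit_event(const mem_event_t *ev) {
    bool write = ev->flags & MEV_WRITE, exec = ev->flags & MEV_EXEC;
    for (size_t i = 0; i < sizeof hooks / sizeof hooks[0]; i++) {
        const hook_t *h = &hooks[i];
        if (h->gfn != ev->gfn) continue;
        if (ev->offset < h->lo || ev->offset > h->hi) return FILTERED;
        switch (h->prot) {
        case PROT_RX:    return write ? DENY : ALLOW;           /* code detouring */
        case PROT_RO:    return (write || exec) ? DENY : ALLOW; /* table tampering */
        case PROT_RW_NX: return exec ? DENY : ALLOW;            /* code on the stack */
        }
    }
    return FILTERED;  /* page was never hooked */
}
```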
  • 21. Hardware Acceleration for Memory Introspection – Ravi Sahita, Intel
  • 22. Hardware Acceleration for Memory Introspection
    • Factors Limiting VM Memory Monitoring Performance
    • Addressing Lack of Memory Isolation
    • Addressing Performance gaps for execution and data access-control policies
    • Xen Extensions
  • 23. Factors Limiting VM Memory Monitoring Performance
    • Round-trip time
      – Monitoring execution and data accesses
      – Dynamic data structures imply high frequency events
    • Filtering events
      – Monitoring data accesses requires filtering non-interesting events due to 4K page sharing
    • Further, round-trip time is amplified with VMM nesting
  • 24. Multiple EPTs as Protection Domains
    (Diagram: on CPU0 the hypervisor, using Intel® VT-x with EPT, gives VM0 several Extended Page Table (EPT) domains; the EPT walker produces the host physical address, and execution crossing EPT domains or data accesses cause events. Example domain layouts: OS kernel code/data RX/RW with driver code RX, versus driver code RO with OS kernel code/data RO/NP, data RW and data NP)
    Intel® Virtualization Technology for IA-32, Intel® 64 and Intel® Architecture (Intel® VT-x)
  • 25. Addressing Lack of Isolation…
    (Diagram: Xen configures EPT domains for the guest; policy is set from the hypervisor and events flow back from the CPU – hypervisor-derived isolation)
  • 26. …Without Sacrificing Performance
    • Must allow for legal execution of components isolated in permission domains
    • Each execution transfer across domains leads to VM exits that the hypervisor must mediate
    • As components are isolated via domains, numerous execution transfers are induced
    • High frequency of such VM exits to the hypervisor causes overhead
    • Goal: eliminate these induced VM exits on legal control transfers
    (Diagram: a process, kernel modules and a security module each in their own domain; legal control transfers between them currently pass through the hypervisor)
  • 27. VM Functions: Hypercalls Without VM Exits
    • VM Functions: Intel® VT-x extensions for services configured by the hypervisor
      – Different VM Functions correspond to different services
    • Hypervisor configures VM Functions via new fields in VMCS
    • Guest software invokes VM Functions via new instruction (VMFUNC<leaf>)
      – Value in EAX specifies which VM Function leaf is invoked
    • CPU provides services as configured with no VM exit
  • 28. VMFUNC-based Domain Switching
    • Paravirtualized software can request a protection domain switch via VMFUNC (specifying domain index)
    • Hypervisor pre-configures domain index to EPTPs
    • Hypervisor pre-configures domain boundaries
    • View switching to speed up access control policies
    (Diagram: on CPU0 the hypervisor, using Intel® VT-x with EPT, holds an alternate Extended Page Table (EPT) list; VM0 executes VMFUNC (EPTP switch) to move between EPT domains, and the EPT walker produces the host physical address)
  • 29. Asynchronous Induced VMExits
    • In VM-introspection scenarios critical data is monitored in place
    • Legacy approaches are to VMExit and emulate access
    • Alternatively, VMExit and switch views to single step the guest (MTF)
    • High frequency of writes to monitored data cause high overhead
    • Requires custom logic in the VMM, increasing complexity/state in the hypervisor
    (Diagram: a ring-0 monitoring agent in the guest kernel, the hypervisor holding the access policy and the EPT domains, plus a single step memory view. Flow: 1. View policies; a WRITE hits monitored memory; 2. EPT-V VMexit; 3. VMResume to single step the access (or emulate it); 4. VMexit after access completed; 5. VMResume)
  • 30. Accelerating Induced Events Via Virtualization Exception (#VE)
      – Mutates EPT violations into a new IA exception – delivered through guest IDT
    • VMM enables EPT violation conversion to #VE
    • Data access monitoring view policies setup in EPT domains
    • Data access causes #VE instead of VMexit
    • Guest monitoring agent can emulate in guest OR use VMFUNC to single step access
    (Diagram: the hypervisor (VMX-root) sets 1. policies in the EPT domains; in the kernel (VMX-non-root) a WRITE to monitored memory raises #VE, with #VE info, to the monitoring service, which 1. handles #VE, 2. sets up single step (VMFUNC into the single step memory view) or emulates, and 3. completes the single step or emulates in guest, returning via VMFUNC)
  • 31. VMFUNC Configuration
    • Hypervisor checks IA32_VMX_VMFUNC MSR for allowed VM-Function controls
    • Opts-in by setting “Enable VM functions” in the secondary processor-based VM-execution controls field
    • Activates “EPTP switching” by setting bit-0 in the VM Function Control
    • Configure alternate EPTP values in memory referenced via VMCS field
    • Guest software uses VMFUNC opcode with leaf selector EAX=0 and ECX containing the index of EPTP (view) selected
    • Errors reported to the hypervisor via VM Exits
    (Diagram of the fields involved:
      – IA32_VMX_VMFUNC MSR (index 491H)
      – Secondary processor-based VM-execution controls, in VMCS: “Enable VM functions” VM-execution control (bit 13)
      – VM Function Control, in VMCS (new): “EPTP switching” (bit 0)
      – EPTP-list address, in VMCS (new), pointing to an in-memory list: 0:Alternate-EPTP, 1:Alternate-EPTP, … 511:Alternate-EPTP)
  • 32. Virtualization Exception (VE) Configuration
    • Enumerated by the VMM via capability MSR
    • Set VMCS “Enable VE” bit
    • Negotiate “VE Info” page with Hypervisor
    • #VE delivered through guest IDT
    • Suppress VE EPTE Bit 63 – Set on pages the VMM does not want to cause a #VE for
    (Diagram of the fields involved:
      – IA32_VMX_PROCBASED_CTLS2 MSR (48Bh), bit 50
      – Secondary processor-based VM-execution controls, in the Virtual Machine Control Structure (VMCS): “Enable VE” VM-execution control (bit 18)
      – VE Information Address, in VMCS (new), pointing to the in-memory VE info area: Exit Reason, Suppress, Exit Qualification, Guest Linear Address, Guest Physical Address, EPTP Index)
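An added model, written here and not Intel's or Xen's code, of the opt-in checks on slides 31 and 32 using the bit positions those slides name. The CPU behaviour is reduced to plain functions so it runs without VT-x; the VMCS stand-in, the two EPTP values and the rule that a zero EPTP-list entry means "not configured" are assumptions of the model.

```c
#include <stdint.h>
#include <stdbool.h>
#include <string.h>

/* Bit positions named on slides 31 and 32 */
#define SEC_CTL_ENABLE_VMFUNC  (1u << 13)   /* secondary processor-based controls */
#define SEC_CTL_ENABLE_VE      (1u << 18)
#define VMFUNC_CTL_EPTP_SWITCH (1ull << 0)  /* VM-function control */
#define EPTE_SUPPRESS_VE       (1ull << 63) /* EPT entry: never #VE on this page */
#define VMX_VMFUNC_MSR_EPTP_SW (1ull << 0)  /* IA32_VMX_VMFUNC (491H): leaf allowed */
#define EPTP_LIST_ENTRIES      512

/* Constructed stand-in for the VMCS fields the slides mention */
typedef struct {
    uint32_t secondary_ctls;
    uint64_t vmfunc_ctl;
    uint64_t eptp_list[EPTP_LIST_ENTRIES]; /* in memory, address held in VMCS */
    uint64_t current_eptp;
} vmcs_model_t;
static vmcs_model_t vmcs;

/* Hypervisor side of slide 31: reset the model, then opt in to EPTP switching
 * only if the (constructed) IA32_VMX_VMFUNC value says the CPU allows it. */
bool hv_setup(uint64_t vmx_vmfunc_msr) {
    memset(&vmcs, 0, sizeof vmcs);
    vmcs.eptp_list[0] = 0x1000;  /* two constructed views: default and restricted */
    vmcs.eptp_list[1] = 0x2000;
    if (!(vmx_vmfunc_msr & VMX_VMFUNC_MSR_EPTP_SW)) return false;
    vmcs.secondary_ctls |= SEC_CTL_ENABLE_VMFUNC;
    vmcs.vmfunc_ctl |= VMFUNC_CTL_EPTP_SWITCH;
    return true;
}
typedef enum { VMFUNC_OK, VMFUNC_UD, VMFUNC_VMEXIT } vmfunc_result_t;

/* Guest side: VMFUNC with EAX=0 (EPTP switching) and ECX=index of the view */
vmfunc_result_t guest_vmfunc(uint32_t eax, uint32_t ecx) {
    if (!(vmcs.secondary_ctls & SEC_CTL_ENABLE_VMFUNC)) return VMFUNC_UD; /* #UD */
    if (eax != 0 || !(vmcs.vmfunc_ctl & VMFUNC_CTL_EPTP_SWITCH)) return VMFUNC_VMEXIT;
    if (ecx >= EPTP_LIST_ENTRIES || vmcs.eptp_list[ecx] == 0) return VMFUNC_VMEXIT;
    vmcs.current_eptp = vmcs.eptp_list[ecx]; /* view switched, no VM exit taken */
    return VMFUNC_OK;
}
typedef enum { DELIVER_VMEXIT, DELIVER_VE } violation_target_t;

/* Slide 32: an EPT violation becomes #VE through the guest IDT unless
 * "Enable VE" is clear or the faulting EPTE carries the suppress bit (63). */
violation_target_t ept_violation_target(uint32_t secondary_ctls, uint64_t epte) {
    if (!(secondary_ctls & SEC_CTL_ENABLE_VE)) return DELIVER_VMEXIT;
    return (epte & EPTE_SUPPRESS_VE) ? DELIVER_VMEXIT : DELIVER_VE;
}
```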
  • 33. Xen Extensions
    1. Efficiently creating and maintaining alternate EPT views/domains via extension of p2m
    2. Hypercalls to edit EPT permissions without conflicting with Xen EPT management
    3. Report guest-specific memory events via #VE in a Xen compatible manner (Suppress #VE EPTE bit)
    4. Enabling CPU acceleration if VMFUNC and #VE CPU enumerated and opted-in
    (Diagram: the Xen hypervisor keeps EPT domains for domU0 … domUN; a security engine inside each guest receives #VE from the CPU)
  • 34. VM Introspection Performance Improvements
    • Round-trip time
      – VMFUNC to allow safe, fast Memory View (EPT) switches
      – VMexits mutated to #VE for guest memory monitoring
    • Filtering events
      – Reduced latency of #VE event handling reduces overhead of filtering events
    • Round-trip time amplification due to VMM nesting
      – No VMexits to root VMM implies no amplification of VMexits due to EPT violations
    Scalable Runtime Memory Introspection w/o VT overheads
  • 35. Conclusions
    • Today Xen can be the base for providing a much improved layer of security – serves as a model for other HV vendors
      o Truly agentless security (zero in-guest footprint)
      o IT Admins can deploy introspection based solutions seamlessly, without changing a single line of config inside the guest VMs
    • Hardware enforced isolation (against kernel exploits, zero days, …)
    • Hardware extensions enable intra-VM isolation to enable protected agent based introspection for high frequency access monitoring and agent isolation
    • Both models require straightforward Xen infrastructure changes (multi-EPT views, hardware acceleration capabilities)
  • 36. Thank you! enterprise.bitdefender.com