Virtual Machine Introspection with Xen on ARM



Slides for ACSAC 2014 Works-in-Progress

Published in: Software

  1. Virtual Machine Introspection with Xen on ARM
     Tamas K. Lengyel, @tklengyel

  2. Virtual Machine Introspection
     1. Why?
     2. What is needed?
        a. Isolation
        b. Interpretation
        c. Interposition
     3. Current status

  3. Why?
     ● Traditional defense mechanisms don't integrate well into virtual environments
     ● Mobile (ARM) platform is rapidly growing
     ● Starting with Cortex-A15, virtualization extensions are available in hardware
     ● Xen on ARM available since March 2014

  4. Isolation
     Xen Security Modules on ARM
     ● Will be available in 4.5
     ● Allows for advanced disaggregation
     ● Security domain separate from the TCB

  5. Interpretation
     Reconstruct guest OS state information
     ● LibVMI purpose-built for this task
     ● ARM paging support added in November 2014
     ● Detect running processes, modules, files, users, etc. in the guest

  6. Interposition - WiP
     Step into the execution of the guest when something of interest happens
     ● Requires hardware & VMM support
     ● ARM two-stage address translation
     ● Configure paging to trap memory accesses
     ● VMM trap handlers need to forward the events to the security domain

  7. Patches merged to Xen 4.5

  8. Interposition - WiP
     ● Cleanup of Xen MEM_EVENT subsystem
     ● Xen on ARM trap handlers need performance regression testing
     ● More research needed into ARM hardware support for event trapping!
     ● SMC is good but limited to the guest kernel
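
The interposition flow from slide 6 (restrict second-stage permissions so an access traps, then have the VMM handler forward the event to the security domain), as an added toy model in C. This is not Xen or LibVMI code: every name, the frame mapping and the event ring are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Toy model of stage-2 trapping; every name is hypothetical, not Xen's. */
enum { PAGE_SHIFT = 12, NFRAMES = 8, RING_SIZE = 4 };
enum { P_R = 1, P_W = 2, P_X = 4 };
struct s2_entry { uint32_t mfn; uint8_t perms; };    /* guest frame -> machine frame */
struct mem_event { uint64_t ipa; uint8_t access; };  /* what the security domain sees */
static struct s2_entry s2[NFRAMES];
static struct mem_event ring[RING_SIZE];
static size_t ring_head, ring_tail;

void s2_init(void) {  /* constructed mapping: guest frame g -> machine frame 0x100+g */
    for (uint32_t g = 0; g < NFRAMES; g++)
        s2[g] = (struct s2_entry){ 0x100 + g, P_R | P_W | P_X };
    ring_head = ring_tail = 0;
}

/* Security domain request: drop permissions so that access type faults. */
int s2_watch(uint32_t gfn, uint8_t access) {
    if (gfn >= NFRAMES) return -1;
    s2[gfn].perms &= (uint8_t)~access;
    return 0;
}

/* One guest access: returns the machine address, or -1 after trapping. */
int64_t guest_access(uint64_t ipa, uint8_t access) {
    uint64_t gfn = ipa >> PAGE_SHIFT;
    if (gfn >= NFRAMES) return -1;
    if ((s2[gfn].perms & access) != access) {   /* stage-2 permission fault */
        if (ring_head - ring_tail < RING_SIZE)  /* VMM handler forwards it */
            ring[ring_head++ % RING_SIZE] = (struct mem_event){ ipa, access };
        return -1;
    }
    return (int64_t)(((uint64_t)s2[gfn].mfn << PAGE_SHIFT) | (ipa & 0xfff));
}

/* Security domain side: fetch the next forwarded event, 0 if none. */
int next_event(struct mem_event *out) {
    if (ring_tail == ring_head) return 0;
    *out = ring[ring_tail++ % RING_SIZE];
    return 1;
}

int main(void) {
    struct mem_event ev;
    s2_init(); s2_watch(2, P_W); guest_access(0x2010, P_W);
    if (next_event(&ev)) printf("trap ipa=0x%llx access=%u\n", (unsigned long long)ev.ipa, ev.access);
    return 0;
}
```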