Virtual Machine Monitors (VMMs) and hypervisors have become a foundational technology for system developers to achieve increased levels of security, reliability, and manageability for large-scale computing systems such as cloud computing. However, when developing software at the VMM layer, developers often need to interpret the very low level hardware layer state and reconstruct the semantic meanings of the guest operating system events due to the lack of operating system level abstractions. This semantic gap problem has been a road block for a decade for many VMM level applications such as virtual machine introspection (VMI), malware analysis, and virtual machine management. This research seeks to design and develop new approaches, practical techniques, and efficient implementations to automatically bridge the semantic gap for VMM layer programs including VMI. In particular, a dual-VM, binary code reuse based framework is formulated and applied to automatically bridge the semantic gap. Such a framework directly enables a large set of legacy utility software to automatically become VMI software. Meanwhile, the research includes developing a set of practical enabling techniques such as memory exclusive kernel version inference, and integrates these techniques with efficient implementations from binary rewriting. The results of this research are to significantly increase the productivity of virtualization software development as well as the security of virtualization software, and also open new opportunities for automated system administration, intrusion detection, and incident response.
Continuation of Award #: 1453011
CAREER: A Dual-VM Binary Code Reuse Based Framework for Automated Virtual Machine Introspection