Bridging the Semantic Gap in Virtual Machine Introspection via Online Kernel Data Redirection

It is generally believed to be a tedious, time-consuming, and error-prone process to develop a virtual machine introspection (VMI) tool because of the semantic gap. Recent advance shows that the semantic-gap can be largely narrowed by reusing the executed code from a trusted OS kernel. However, the limitation for such an approach is that it only reuses the exercised code through a training process, which suffers the code coverage issues. Thus, in this article, we present Vmst, a new technique that can seamlessly bridge the semantic gap and automatically generate the VMI tools. The key idea is that, through system wide instruction monitoring, Vmst automatically identifies the introspection related data from a secure-VM and online redirects these data accesses to the kernel memory of a product-VM, without any training. Vmst offers a number of new features and capabilities. Particularly, it enables an in-VM inspection program (e.g., ps) to automatically become an out-of-VM introspection program. We have tested Vmst with over 25 commonly used utilities on top of a number of different OS kernels including Linux and Microsoft Windows. The experimental results show that our technique is general (largely OS-independent), and it introduces 9.3X overhead for Linux utilities and 19.6X overhead for Windows utilities on average for the introspected program compared to the native in-VM execution without data redirection.