Virtual Machine Introspection: Observation or Interference?
September/October 2008 (vol. 6 no. 5)
pp. 32-37
Kara Nance, University of Alaska, Fairbanks
Matt Bishop, University of California, Davis
Brian Hay, University of Alaska, Fairbanks
As virtualization becomes increasingly mainstream, virtual machine introspection (VMI) techniques and tools are evolving to provide methods to monitor the behavior of virtual machines. This survey classifies and describes current VMI technologies according to three primary classifications: threat monitoring versus interference, semantic awareness, and event replay. The authors also describe the Virtual Introspection for Xen (VIX) tool suite, which was developed to address key VMI requirements, and outline key research areas for future investigation.

Index Terms:
virtual machine monitoring, virtual machine introspection, intrusion monitoring, attack analysis
Citation:
Kara Nance, Matt Bishop, Brian Hay, "Virtual Machine Introspection: Observation or Interference?," IEEE Security & Privacy, vol. 6, no. 5, pp. 32-37, Sept.-Oct. 2008, doi:10.1109/MSP.2008.134