TY - GEN
T1 - A formal model for virtual machine introspection
AU - Pfoh, Jonas
AU - Schneider, Christian
AU - Eckert, Claudia
PY - 2009
Y1 - 2009
N2 - Virtual machine introspection (VMI) describes the method of monitoring and analyzing the state of a virtual machine from the hypervisor level. In this paper, we present a formal discussion of the development of VMI-based security applications. We begin by identifying three major challenges that all VMI-based security applications must overcome. The main contribution of our work is the definition of a formal model for describing VMI techniques. This model is broken down in such a way that allows for thorough discussion of any VMI approach with regard to each of the three challenges. Then, we specify three design patterns for interpreting state information using our model. We argue that these patterns are complete, that is, they cover all possible methods for state interpretation. The properties of all patterns are thoroughly discussed so that the pros and cons of their application may be fully understood. Finally, we describe and discuss an ideal VMI-based intrusion detection system using our model and begin to detail the practical implications in building such a system.
AB - Virtual machine introspection (VMI) describes the method of monitoring and analyzing the state of a virtual machine from the hypervisor level. In this paper, we present a formal discussion of the development of VMI-based security applications. We begin by identifying three major challenges that all VMI-based security applications must overcome. The main contribution of our work is the definition of a formal model for describing VMI techniques. This model is broken down in such a way that allows for thorough discussion of any VMI approach with regard to each of the three challenges. Then, we specify three design patterns for interpreting state information using our model. We argue that these patterns are complete, that is, they cover all possible methods for state interpretation. The properties of all patterns are thoroughly discussed so that the pros and cons of their application may be fully understood. Finally, we describe and discuss an ideal VMI-based intrusion detection system using our model and begin to detail the practical implications in building such a system.
KW - Formalization
KW - Introspection
KW - Intrusion detection
KW - Security
KW - Virtualization
UR - http://www.scopus.com/inward/record.url?scp=74049126468&partnerID=8YFLogxK
U2 - 10.1145/1655148.1655150
DO - 10.1145/1655148.1655150
M3 - Conference contribution
AN - SCOPUS:74049126468
SN - 9781605587806
T3 - Proceedings of the ACM Conference on Computer and Communications Security
SP - 1
EP - 9
BT - Proceedings of the 1st ACM Workshop on Virtual Machine Security, VMSec '09, Co-located with the 16th ACM Computer and Communications Security Conference, CCS'09
T2 - 1st ACM Workshop on Virtual Machine Security, VMSec '09, Co-located with the 16th ACM Computer and Communications Security Conference, CCS'09
Y2 - 9 November 2009 through 13 November 2009
ER -