
ARADIA: Cross-platform architecture for user-centric static and dynamic virtual machine introspection

Subject Area Security and Dependability, Operating-, Communication- and Distributed Systems
Term from 2017 to 2022
Project identifier Deutsche Forschungsgemeinschaft (DFG) - Project number 361891819
 
Final Report Year 2022

Final Report Abstract

The ARADIA project investigated technical solutions that enable the efficient and secure use of virtual machine introspection (VMI) in a broad range of contexts. Aiming at creating a basis for next-generation tools for intrusion detection, malware analysis, and digital forensics, ARADIA focussed on four research questions: (1) how to enable in-depth introspection of a target system with enhanced semantic reconstruction and better control over the time dimension; (2) how to enable dynamic, fine-grained, and more efficient active tracing of a target system; (3) how to securely and efficiently deploy VMI applications in real-world environments; and (4) how to simplify the management and control of VMI mechanisms from an application's point of view.

1. ARADIA provides an introspection library that augments the support for analysing application-level functions. We demonstrated the efficiency and the benefits of application-level tracing with sample use cases, such as the implementation of an SSH honeypot and the extraction of cryptographic keys from main memory for forensic purposes. The key result is that ARADIA enables getting the right information fast and with strong consistency guarantees.

2. ARADIA demonstrates that moving selected introspection functionality into the hypervisor and offering a suitable interface to the introspection application is a key step towards efficient VMI-based tracing that does not cause prohibitively large performance degradation of the introspection target. Furthermore, we identified the lack of support for multi-core execution of a target system as a severe deficit of state-of-the-art VMI libraries, and we demonstrate that hardware features of the Intel x86 platform can be used to construct an efficient solution to this problem.

3. ARADIA provides novel solutions for the secure deployment of virtual machine introspection. Besides encapsulating the VMI application in a monitoring VM, we synchronise the live migration of the monitoring VM and the target VM and address the reconstruction, at the migration target, of the in-hypervisor state that introspection relies on. This approach enables seamless live migration of virtual machines while monitoring them continuously with VMI. Furthermore, we extended our Xen-based CloudPhylactor architecture with support for the KVM hypervisor and for different deployment flavours (remote host, virtual machine, container) of the VMI monitoring application.

4. Embedding the low-level introspection library in an architecture in which the library can be remotely controlled through a well-defined interface, and in which its output is efficiently forwarded to a streaming database, simplifies interactive data acquisition and visualisation.

The ARADIA project is an enabler for virtual machine introspection technology. It enhances the deployment options and increases the stealthiness, performance, temporal control, and consistency of VMI mechanisms. The contributions of ARADIA provide the foundation for better tools for system monitoring, intrusion detection and prevention, malware analysis, and digital forensics.

Publications

