Semantics-Driven Introspection in a Virtual Environment Francesco Tamberi, Dario Maggiari, Daniele Sgandurra Dipartimento di Informatica Universit` a di Pisa {tamberi, maggiari, daniele}@di.unipi.it Fabrizio Baiardi Polo G. Marconi, La Spezia Universit` a di Pisa baiardi@di.unipi.it Abstract Semantics-driven monitoring discovers attacks against a process by evaluating invariants on the process state. We propose an approach that increases the robustness and the transparency of the run-time monitoring system by intro- ducing two virtual machines (VMs) running on the same platform. One VM runs the monitored process, i.e. the pro- cess P to be protected, while the other one evaluates in- variants on P state each time P invokes a system call. To this purpose, an Introspection Library allows the monitor- ing VM to access the memory and the processor registers of the monitored VM. After describing the overall architecture, we focus on the Introspection Library and the problems posed by the intro- spection of variables in the memory of a program running in a distinct VM to evaluate invariants. A first prototype implementation is also presented together with preliminary performance results. 1. Introduction Virtualization is becoming increasingly popular, because enterprises can reduce the total number of servers by mi- grating the real environments, hosted on physical machines, to virtual machines (VMs) running on a single server. Since a VM is an exact replica of a real machine, it can execute the same OS and applications but several VMs can share a sin- gle physical host concurrently. The consolidation of multi- ple server onto a single platform harnesses unused comput- ing power and cuts hardware and lifetime costs. While these advantages cannot be neglect, we believe that virtualization should also be exploited to build more robust systems [3]. As an example, the Virtual Machine Monitor (VMM), i.e. the software that runs, confines, and manages the VMs, exports a control interface that allows a monitoring VM to analyse the running state of other VMs through Virtual Machine Introspection (VMI) [4]. The in- trospection capability leverages the fact that a VM com- pletely encapsulates the state of the corresponding physical host, so that a monitoring VM can analyse in full detail the host running inside another VM, for example it can search for specific values in the memory of another VM or inspect the content of the VCPU registers. In this way, a monitor- ing VM can analyse and compare the data obtained through introspection against those returned by invocations to the OS of a monitored VM. Any discrepancy signals that an at- tacker may have altered the OS of a monitored VM [1]. This paper proposes an approach to discover attacks against a process P based upon the evaluation of an invari- ant on the state of P every time P invokes a system call. The approach requires a static tool, which analyses P pro- gram to deduce an invariant to be evaluated for each system call, and a run-time tool that intercepts any system call is- sued by P and evaluates the corresponding invariant. In this paper we focus on the run-time tool, which is implemented by two VMs: a Monitored VM (Mon-VM), which runs P , and a monitoring Introspection VM (I-VM). The I-VM runs an Assertion Checker that evaluates invariants on the state of P . The Assertion Checker accesses the values of variables of P and the processor registers of the Mon-VM through an Introspection Library. Every time P issues a system call, the Mon-VM transfers control to the I-VM, which: (i) re- trieves the value of the processor registers of the Mon-VM; (ii) determines the invariant I paired with the system call that P has issued; (iii) retrieves the values of variables of P that I refers to; (iv) evaluates I and kills P anytime I is false. In this way, the monitoring is both fully transparent to P , which is not aware of being monitored, and highly ro- bust, because it is applied by a VM that is separated from the one that executes P . The rest of the paper is organised as follows. Section 2 briefly outlines some features of Xen memory management, which we have exploited to implement the current proto- type. Section 3 describes the overall architecture of the run-time tool, the Introspection Library and the Assertion Checker, and evaluates the overhead of the current proto- type. Section 4 discusses related works. Finally, Sect. 5 draws some conclusions and outlines future developments.