Secure Observation of Kernel Behavior

Date: 2008
Authors: Srivastava, Abhinav; Singh, Kapil; Giffin, Jonathon

Abstract
Operating system kernels are difficult to understand and monitor. Hardware virtualization provides a
layer where security tools can observe a kernel, but the gap between operating system abstractions and hardware
accesses limits the ability of tools to comprehend the kernel’s activity. Virtual machine introspection
(VMI) builds knowledge of high-level kernel state by directly accessing the memory of an executing kernel.
We show that implementations of introspection-based tools unsafely rely on operating system level
data structures to provide meaningful information about a guest. We evade XenAccess, an open source
implementation of introspection developed for Xen. We then develop Wizard, a Xen-based kernel monitor
cognizant of the semantic correlation between events at a high-level kernel service interface and events
at a low-level hardware device interface. In contrast to VMI, Wizard trusts no guest OS data, but its semantic
understanding still identifies kernel-level attacks that alter the kernel’s execution behavior. Wizard’s
monitoring imposes modest overheads of 0%–25% on guest applications.
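To make the abstract's central idea concrete, here is an added illustration (not the paper's code, and not how Wizard is actually implemented) of monitoring by semantic correlation. It assumes a hypervisor that delivers two trusted event streams to a monitor outside the guest: traps at the kernel service (system call) interface and traps at the hardware device interface. A device action that the kernel initiates is expected to be explained by a recent service-level request; one that is not is flagged. No guest kernel data structure is consulted, which is the property the abstract contrasts with introspection. The event names, the request-to-device mapping, the time window and the sample event trace are all constructed for this example.

```python
"""Toy semantic-correlation monitor (added illustration, not Wizard's code).

Assumption: a hypervisor hands the monitor two event streams it can trust,
service-level traps (system calls) and device-level traps (I/O the guest
kernel performs). The monitor never reads guest kernel memory.
"""
from dataclasses import dataclass


@dataclass
class Event:
    t: int        # constructed monotonic timestamp (arbitrary "ticks")
    kind: str     # "service" (kernel service interface) or "device"
    op: str       # constructed names, e.g. "sys_write", "nic_tx"


# Hypothetical semantic model: which service requests may legitimately
# lead to which kernel-initiated device actions. Real kernels also act
# without a direct request (page-cache writeback, timers), so a production
# model would be far richer; the shape of the check is what matters here.
EXPECTED_DEVICE_OPS = {
    "sys_write": {"disk_write", "nic_tx"},
    "sys_sendto": {"nic_tx"},
    "sys_read": {"disk_read", "nic_rx"},
}

# Device actions the kernel initiates and that therefore need explaining.
# Inbound events such as "nic_rx" originate at the device and are skipped.
KERNEL_INITIATED = {"disk_write", "nic_tx", "disk_read"}

WINDOW = 50  # ticks within which a service request can explain a device op


def correlate(events, window=WINDOW):
    """Return the device events that no recent service request explains.

    An unexplained kernel-initiated device action is the observable symptom
    of an attack that alters kernel execution behaviour (for example, code
    that drives a device without any corresponding service-level request).
    """
    pending = []   # (t, op) of recent service-level events
    alerts = []
    for ev in sorted(events, key=lambda e: e.t):
        if ev.kind == "service":
            pending.append((ev.t, ev.op))
            continue
        if ev.kind != "device" or ev.op not in KERNEL_INITIATED:
            continue
        # Drop service requests that are too old to explain this action.
        pending = [(t, op) for (t, op) in pending if ev.t - t <= window]
        explained = any(ev.op in EXPECTED_DEVICE_OPS.get(op, set())
                        for (_, op) in pending)
        if not explained:
            alerts.append(ev)
    return alerts


def sample_events():
    """Constructed trace: two benign request/action pairs, one inbound
    packet, one transmit with no request at all, and one action whose
    nearest request is of the wrong kind."""
    return [
        Event(10, "service", "sys_write"),
        Event(20, "device", "disk_write"),    # explained by sys_write
        Event(100, "service", "sys_sendto"),
        Event(110, "device", "nic_tx"),       # explained by sys_sendto
        Event(300, "device", "nic_rx"),       # device-initiated, not checked
        Event(500, "device", "nic_tx"),       # no request within the window
        Event(600, "service", "sys_read"),
        Event(610, "device", "disk_write"),   # sys_read does not explain it
    ]


def run_demo():
    """Run the monitor over the constructed trace; returns alert timestamps."""
    return [ev.t for ev in correlate(sample_events())]


if __name__ == "__main__":
    for ev in correlate(sample_events()):
        print(f"ALERT t={ev.t}: unexplained device action {ev.op}")
```

The two alerts the demo raises (the transmit at tick 500 and the disk write at tick 610) show the two ways a device action can fail correlation: no request at all, or a request whose semantics do not cover the action. Both checks rest only on trap events the hypervisor observed, so a guest that lies about its own process list or module list gains nothing against them.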