Publication Type
Conference Proceeding Article
Version
publishedVersion
Publication Date
8-2017
Abstract
Software-based MMU emulation lies at the heart of out-of-VM live memory introspection, an important technique in the cloud setting that applications such as live forensics and intrusion detection depend on. Due to the emulation, the software-based approach is much slower compared to native memory access by the guest VM. The slowness not only results in undetected transient malicious behavior, but also inconsistent memory view with the guest; both undermine the effectiveness of introspection. We propose the immersive execution environment (ImEE) with which the guest memory is accessed at native speed without any emulation. Meanwhile, the address mappings used within the ImEE are ensured to be consistent with the guest throughout the introspection session. We have implemented a prototype of the ImEE on Linux KVM. The experiment results show that ImEE-based introspection enjoys a remarkable speed up, performing several hundred times faster than the legacy method. Hence, this design is especially useful for real-time monitoring, incident response and high-intensity introspection.
Discipline
Information Security
Research Areas
Cybersecurity
Publication
Proceedings of the 26th USENIX Security Symposium, Vancouver, BC, Canada, 2017 August 16-18
First Page
799
Last Page
813
ISBN
9781931971409
Publisher
USENIX Association
City or Country
Berkeley, CA
Citation
ZHAO, Siqi; DING, Xuhua; XU, Wen; and GU, Dawu.
Seeing through the same lens: Introspecting guest address space at native speed. (2017). Proceedings of the 26th USENIX Security Symposium, Vancouver, BC, Canada, 2017 August 16-18. 799-813.
Available at: https://ink.library.smu.edu.sg/sis_research/4168
Creative Commons License
This work is licensed under a Creative Commons Attribution-NonCommercial-No Derivative Works 4.0 International License.