Bridging the semantic gap in virtual machine introspection via binary code reuse

Posted on: 2017-07-03
Degree: Ph.D
Type: Dissertation
University: The University of Texas at Dallas
Candidate: Fu, Yangchun
Full Text: PDF
GTID: 1458390008452936
Subject: Computer Science

Abstract/Summary:
Virtual Machine Introspection (VMI) has been widely used in many security applications, such as intrusion detection, malware analysis, and memory forensics. However, developing a VMI tool is generally considered a tedious, time-consuming, and error-prone process because of the semantic gap. In this dissertation, we present a number of new approaches to bridge the semantic gap via binary code reuse. More specifically, based on different security constraints, we have developed three approaches: Vmst, Hybrid-Bridge, and HyperShell. Vmst makes a first step in bridging the semantic gap via on-line binary code reuse and enables native inspection programs to automatically become introspection programs. Hybrid-Bridge improves the performance of Vmst by one order of magnitude through training memoization and decoupled execution, which makes it feasible for cloud providers to perform real-time monitoring of virtual machine states using Hybrid-Bridge. Both Vmst and Hybrid-Bridge ensure the code integrity of VMI tools. By trusting the kernel code of the target machine, HyperShell, a hypervisor-layer shell for automated guest OS management, redirects syscalls into the target machine for execution to bridge the semantic gap. To realize these approaches, we have developed a number of enabling techniques, including system call execution context identification, redirectable data identification, kernel data redirection, training memoization, and reverse system call execution. We have obtained the following preliminary results. Vmst was successfully tested with 25 commonly used utilities atop a number of different operating system (OS) kernels, including both Linux and Microsoft Windows. Hybrid-Bridge significantly improves the performance of existing binary code reuse based VMI solutions by at least one order of magnitude for many of the tested benchmark tools. HyperShell has an average 2.73X slowdown for the 101 tested utilities compared to their native in-VM execution and less than 5% overhead to the guest OS kernel.
Keywords/Search Tags: Semantic gap, Binary code reuse, Machine, Introspection, VMI, Execution, Via