
System Call Redirection: A Practical Approach to Meeting Real-World Virtual Machine Introspection Needs

Posted on: 2015-06-03
Degree: Master
Type: Thesis
Country: China
Candidate: R Wu
GTID: 2308330485490650
Subject: Computer software and theory
Abstract/Summary:
Since cloud computing has become universal, more and more servers use hardware virtualization to support it. Data centers of cloud providers implement elastic computing: different users or tasks can share physical resources such as CPUs or disks. The number of companies migrating their services to the cloud is increasing, so cloud security has become the focus of cloud computing. As one of the essences of cloud computing, virtualization also brings new opportunities and challenges to computer security.

To meet the need to monitor guest virtual machines and provide security guarantees, researchers proposed virtual machine introspection (VMI). Using VMI, introspection tools can monitor the status of guest virtual machines from the outside and make security decisions. One of the main roadblocks to implementing VMI is the semantic gap: the problem of reconstructing high-level semantic objects, such as process control blocks, from the low-level information the hypervisor can access, such as memory contents or disk I/O. Security tools depend on high-level semantic information to make security decisions; for example, a security tool can scan the running processes of a guest virtual machine to detect abnormal processes. VMI can be applied to enhance the capability of security tools in cloud computing, such as malware analysis and memory forensics.

Existing VMI techniques have high overhead and require customized introspection programs/tools for different guest OS versions, so they lack generality and practicality. In this paper, we present ShadowContext, a system for close-to-real-time, manual-effort-free VMI. ShadowContext meets several important real-world VMI needs that existing VMI techniques cannot: generality, low overhead and automation.
Compared to other automatic introspection-tool generation techniques, ShadowContext has two merits: (1) its overhead is significantly lower, achieving close-to-real-time VMI; (2) it significantly improves the practical usefulness of introspection tools by allowing one introspection program to inspect a variety of guest OS versions. These merits are achieved via a new concept called "Shadow Context", which allows the guest OS's system call code to be reused inside a "shadowed" portion of the context of the out-of-guest inspection program. The system call code inside the guest then automatically transforms low-level information into high-level semantics. Moreover, ShadowContext is secure enough to defend against a variety of real-world attacks. ShadowContext is designed, implemented and systematically evaluated. Experimental results show that the performance overhead is about 75%, with a median initialization time of 0.117 milliseconds, and ShadowContext allows one introspection program to monitor several different guest virtual machines simultaneously. ShadowContext is completely transparent to both guest virtual machines and introspection tools.
Keywords/Search Tags:Virtual Machine Introspection, Hypervisor, System Security