Design And Implementation Of Virtual Machine Introspection System Based On KVM

Posted on: 2016-11-18
Degree: Master
Type: Thesis
Country: China
Candidate: Y B Li
GTID: 2348330488974545
Subject: Engineering

Abstract/Summary:
With the growing popularity of virtualization technology, users are free to create, transfer and share various types of virtualized operating systems and application software, and enjoy the convenience this technology brings. However, because computer systems are open, users face a variety of intrusions every minute. Virtual machine introspection (VMI) can give a user's virtual machine better security because it achieves both high visibility and strong isolation. As a result, VMI has been widely studied.

This thesis designs and implements a virtual machine introspection system on the KVM platform. The system overcomes the "semantic gap" obstacle in VMI and reconstructs the internal semantic views of a VM (e.g., processes and kernel modules) non-intrusively from the outside. The VMI system obtains the "inside view" of a virtual machine from "outside the box". This view consists of hardware-level abstractions of the virtual machine, such as physical pages, registers, and devices. The VMI system then restores this "inside view" to the semantic objects of the virtual machine. As a result, it can see semantic objects such as processes and kernel modules, and it can also effectively monitor semantic events inside the virtual machine, such as system calls and interrupts. To achieve this, hooks are needed in KVM so that the VMI system can read the state of memory, registers, and devices from outside the virtual machine. In the same way, the VMI system can intervene in and interpret specific events of the virtual machine (e.g., interrupts, system calls, and changes to device/memory/register state), and can thus monitor the virtual machine from the outside.

Based on KVM, this thesis develops a comprehensive VMI framework library for virtual machines. The library exposes several VMI API functions, which are provided as a dynamic link library. It can introspect both the static content and the dynamic events of a virtual machine. The static content includes physical pages, registers, hard disk devices, I/O devices, etc.; the dynamic events include system calls, interrupts, and changes to register, memory page, and device state. Compared with existing projects, the VMI framework library is more comprehensive and has better scalability. According to a series of tests, the KVM-based VMI system is effective and efficient in monitoring virtual machines.
Keywords/Search Tags: Virtualization, Virtualization Security, VMI, KVM