A Writable Virtual Machine Introspection For Cloud

VMI(virtual machine introspection)technique pulls the run-time states of monitored OSes into the hypervisor to perform a outside monitoring,which has the many benefits,such as high privileges,high stealthiness and strong isolation.However,current existing VMI techniques have high overhead,which consume a large amount of cloud resources and produce a longer introspection response time.Besides,they cannot monitor multiple VMs with different guest OSes,which are lack of generality.In addition,current VMI techniques cannot provide a writable capability,which means that updating the states of guest VM from the outside,so that they cannot be applied to an automated cloud management.Therefore,how to implement a practical and writable VMI technique for cloud is a deserving of research.A practical and writable VMI system,CloudVMI,for cloud has the characteristics of low overhead,strong practicability and writable VMI.CloudVMI solves the semantic gap problem by redirecting system call execution into the target VM,so that it can transparently monitor the states of target VM.CloudVMI provides a writable capability based on the detailed system call redirection policy,which not only can monitor target VMs,but also can update the states of target VMs from the outside.Thus,it can be applied to an automated cloud management due to the benefit of high automation brought by writable VMI.Besides,due to the compatibility of Linux system call,it can monitor multiple guest VMs with different OSes,which greatly improve the generality of VMI.Inside VMM,CloudVMI leverages the memory protection and consistency checking mechanism to protect the secure execution of redirected system call in the target VMs,and to ensure the reliability of introspection results.The test results show that the managers can use current Linux utilities based on CloudVMI to monitor and manage the target VMs.A VMI program based on CloudVMI can monitor the target VMs with different OSes.In performance evaluation,CloudVMI produces low overhead to introspection tools,and the response time of all introspection tools is in milliseconds.