Agent-Based File Extraction Using Virtual Machine Introspection

Dangl, Thomas; Taubmann, Benjamin; Reiser, Hans P.

doi:10.1007/978-3-030-70852-8_11

Cited by 2 publications

(1 citation statement)

References 16 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Second, when injecting shellcode into a VM, e.g. to bootstrap an in-guest agent [4], the shellcode typically consists of multiple instructions and the injection will likely overwrite more than one instruction in the target location. Even if we limit the injection to a single virtual address space (solving the first problem), multiple threads of the same process may concurrently be executing the overwritten instructions on multiple CPU cores, and, as a result, the injection may lead to non-deterministic program behavior.…”

Section: Introductionmentioning

confidence: 99%

RapidVMI: Fast and multi-core aware active virtual machine introspection

Dangl

Taubmann

Reiser

2021

Proceedings of the 16th International Conference on Availability, Reliability and Security

Self Cite

View full text Add to dashboard Cite

Virtual machine introspection (VMI) is a technique for the external monitoring of virtual machines. Through previous work, it became apparent that VMI can contribute to the security of distributed systems and cloud architectures by facilitating stealthy intrusion detection, malware analysis, and digital forensics. The main shortcomings of active VMI-based approaches such as program tracing or process injection in production environments result from the side effects of writing to virtual address spaces and the parallel execution of shared main memory on multiple processor cores.In this paper, we present RapidVMI, a framework for active virtual machine introspection that enables fine-grained, multi-core aware VMI-based memory access on virtual address spaces. It was built to overcome the outlined shortcomings of existing VMI solutions and facilitate the development of introspection applications as if they run in the monitored virtual machine itself. Furthermore, we demonstrate that hypervisor support for this concept improves introspection performance in prevalent virtual machine tracing applications considerably up to 98 times. CCS CONCEPTS• Security and privacy → Virtualization and security.

show abstract

Section: Introductionmentioning

confidence: 99%