Seeing through the same lens: Introspecting guest address space at native speed
Software-based MMU emulation lies at the heart of out-of-VM live memory introspection, an important technique in the cloud setting that applications such as live forensics and intrusion detection depend on. Due to the emulation, the software-based approach is much slower compared to native memory ac...
Saved in:
| Main Authors: | , , , |
|---|---|
| Format: | text |
| Language: | English |
| Published: |
Institutional Knowledge at Singapore Management University
2017
|
| Subjects: | |
| Online Access: | https://ink.library.smu.edu.sg/sis_research/4168 https://ink.library.smu.edu.sg/context/sis_research/article/5171/viewcontent/sec17_zhao.pdf |
| Tags: |
Add Tag
No Tags, Be the first to tag this record!
|
| Institution: | Singapore Management University |
| Language: | English |
| id |
sg-smu-ink.sis_research-5171 |
|---|---|
| record_format |
dspace |
| spelling |
sg-smu-ink.sis_research-51712018-11-22T02:53:19Z Seeing through the same lens: Introspecting guest address space at native speed ZHAO, Siqi DING, Xuhua XU, Wen GU, Dawu Software-based MMU emulation lies at the heart of out-of-VM live memory introspection, an important technique in the cloud setting that applications such as live forensics and intrusion detection depend on. Due to the emulation, the software-based approach is much slower compared to native memory access by the guest VM. The slowness not only results in undetected transient malicious behavior, but also inconsistent memory view with the guest; both undermine the effectiveness of introspection. We propose the immersive execution environment (ImEE) with which the guest memory is accessed at native speed without any emulation. Meanwhile, the address mappings used within the ImEE are ensured to be consistent with the guest throughout the introspection session. We have implemented a prototype of the ImEE on Linux KVM. The experiment results show that ImEE-based introspection enjoys a remarkable speed up, performing several hundred times faster than the legacy method. Hence, this design is especially useful for real-time monitoring, incident response and high-intensity introspection. 2017-08-01T07:00:00Z text application/pdf https://ink.library.smu.edu.sg/sis_research/4168 https://ink.library.smu.edu.sg/context/sis_research/article/5171/viewcontent/sec17_zhao.pdf http://creativecommons.org/licenses/by-nc-nd/4.0/ Research Collection School Of Computing and Information Systems eng Institutional Knowledge at Singapore Management University Information Security |
| institution |
Singapore Management University |
| building |
SMU Libraries |
| continent |
Asia |
| country |
Singapore Singapore |
| content_provider |
SMU Libraries |
| collection |
InK@SMU |
| language |
English |
| topic |
Information Security |
| spellingShingle |
Information Security ZHAO, Siqi DING, Xuhua XU, Wen GU, Dawu Seeing through the same lens: Introspecting guest address space at native speed |
| description |
Software-based MMU emulation lies at the heart of out-of-VM live memory introspection, an important technique in the cloud setting that applications such as live forensics and intrusion detection depend on. Due to the emulation, the software-based approach is much slower compared to native memory access by the guest VM. The slowness not only results in undetected transient malicious behavior, but also inconsistent memory view with the guest; both undermine the effectiveness of introspection. We propose the immersive execution environment (ImEE) with which the guest memory is accessed at native speed without any emulation. Meanwhile, the address mappings used within the ImEE are ensured to be consistent with the guest throughout the introspection session. We have implemented a prototype of the ImEE on Linux KVM. The experiment results show that ImEE-based introspection enjoys a remarkable speed up, performing several hundred times faster than the legacy method. Hence, this design is especially useful for real-time monitoring, incident response and high-intensity introspection. |
| format |
text |
| author |
ZHAO, Siqi DING, Xuhua XU, Wen GU, Dawu |
| author_facet |
ZHAO, Siqi DING, Xuhua XU, Wen GU, Dawu |
| author_sort |
ZHAO, Siqi |
| title |
Seeing through the same lens: Introspecting guest address space at native speed |
| title_short |
Seeing through the same lens: Introspecting guest address space at native speed |
| title_full |
Seeing through the same lens: Introspecting guest address space at native speed |
| title_fullStr |
Seeing through the same lens: Introspecting guest address space at native speed |
| title_full_unstemmed |
Seeing through the same lens: Introspecting guest address space at native speed |
| title_sort |
seeing through the same lens: introspecting guest address space at native speed |
| publisher |
Institutional Knowledge at Singapore Management University |
| publishDate |
2017 |
| url |
https://ink.library.smu.edu.sg/sis_research/4168 https://ink.library.smu.edu.sg/context/sis_research/article/5171/viewcontent/sec17_zhao.pdf |
| _version_ |
1770574390938828800 |