Introspections on the Semantic Gap

Bhushan Jain, Mirza Basim Baig, Dongli Zhang, Donald E. Porter, Radu Sion
2015 IEEE Security and Privacy  
An essential goal of virtual machine introspection (VMI) is security policy enforcement in the presence of an untrustworthy OS. One obstacle to this goal is the difficulty in accurately extracting semantic meaning from the hypervisor's hardware-level view of a guest OS.

Virtual machine introspection (VMI) techniques allow an external security monitor to observe software behavior inside a virtual machine (VM), including the guest OS. For example, we can use VMI to list programs running inside a VM, comparable to ps on Unix systems or Windows Task Manager. Obtaining a process list outside a VM is appealing from a security perspective because security administrators can identify illicit programs on a system, even if the OS kernel is compromised. There are also nonsecurity benefits to listing processes outside the VM, such as standardization of administrative utilities across multiple guest OSs.

A simple VMI-based process list would identify process descriptors' memory addresses and typecast them (in C parlance) to interpret their content. VMI developers must find the kernel data structures, such as process descriptors, by searching publicly available symbols for the addresses of the process descriptors' data structure. Any guest OS abstraction can be introspected, including open file descriptors, network sockets, and interprocess communication abstractions. For instance, storage system prototypes have used VMI to track whether disk writes are data or metadata, writing metadata changes to disk more aggressively than data [1]. In this article, we focus on in-memory data structures and CPU register state.

VMI is appealing because it can move OS security monitoring out of the OS. Widely used OS kernels are generally very large and afford little fault or security isolation among components; are written in languages such as C or C++ that offer little protection against exploitable programmer errors; and have complex, hard-to-secure APIs. Thus, if any OS kernel component has an exploitable bug, all OS-level security measures are easily disabled. In our process listing example, a rootkit module could tamper with the kernel's mechanism for listing the set of running processes, often to hide other malware running on the system. Not only could an effective rootkit hide malware from a process listing utility or antivirus system inside the OS, it could also avoid detection and removal.
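The process-list walk described above, as an added example that is not from the paper: a constructed toy guest memory image (the descriptor layout, field names and symbol table are hypothetical, not Linux's real task_struct), a list walk that "typecasts" raw bytes by following the kernel's own pointers, and a signature scan that cross-checks the walk and surfaces a descriptor that has been unlinked from the list.

```python
import struct
# Toy descriptor layout (hypothetical, not Linux's real task_struct):
#   u32 magic | u32 pid | u64 next | u64 prev | 16-byte command name
DESC_FMT, MAGIC = "<IIQQ16s", 0x7A5C0DE0

def build_image():
    """Constructed guest memory: three descriptors on the kernel's circular list
    plus one unlinked from it, as a rootkit hiding a process would leave it."""
    mem = bytearray(0x2000)  # buffer index doubles as guest physical address
    addrs = [0x1000 + i * 0x100 for i in range(4)]
    names = [b"init", b"sshd", b"bash", b"hidden"]
    for i, addr in enumerate(addrs):
        if i < 3:
            nxt, prv = addrs[(i + 1) % 3], addrs[(i - 1) % 3]
        else:
            nxt = prv = addr  # unlinked entry points only at itself
        struct.pack_into(DESC_FMT, mem, addr, MAGIC, i + 1, nxt, prv, names[i])
    return bytes(mem), {"init_task": addrs[0]}  # symbol table, as from System.map

def read_desc(mem, addr):
    """'Typecast' the raw bytes at addr into a descriptor dict."""
    magic, pid, nxt, prv, comm = struct.unpack_from(DESC_FMT, mem, addr)
    if magic != MAGIC:
        raise ValueError(f"no descriptor at {addr:#x}")
    return {"addr": addr, "pid": pid, "next": nxt, "prev": prv,
            "comm": comm.rstrip(b"\0").decode()}

def list_walk(mem, symbols, limit=4096):
    """Simple VMI ps: start at the exported symbol and follow the guest's own
    list. It trusts guest pointers, so an unlinked descriptor is never seen."""
    head = symbols["init_task"]
    out, addr = [], head
    for _ in range(limit):
        d = read_desc(mem, addr)
        out.append(d)
        if read_desc(mem, d["next"])["prev"] != addr:
            raise RuntimeError(f"prev/next mismatch at {addr:#x}: list tampered?")
        addr = d["next"]
        if addr == head:
            return out
    raise RuntimeError("list did not terminate within limit")

def signature_scan(mem):
    """Cross-view check: carve descriptors by signature, ignoring list pointers."""
    return [read_desc(mem, off) for off in range(0, len(mem) - 40 + 1, 4)
            if struct.unpack_from("<I", mem, off)[0] == MAGIC]

def hidden_processes(mem, symbols):
    # Descriptors present in memory but absent from the list the kernel reports.
    seen = {d["addr"] for d in list_walk(mem, symbols)}
    return [d for d in signature_scan(mem) if d["addr"] not in seen]
```

The list walk reports only init, sshd and bash; the scan finds all four descriptors, so hidden_processes returns the unlinked one, which is the cross-view comparison a VMI monitor uses to catch this class of tampering.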
A VMI monitor can view all guest OS memory and identify rootkits. The fundamental challenge underlying VMI is how to reliably infer what's happening in the guest OS. In our simple example, the VMI monitor has direct access only to hardware-level states, such as CPU registers and memory contents, and must make inferences about high-level abstractions, such as process descriptors and
doi:10.1109/msp.2015.35 fatcat:iatosveyxvgq3pfapwuwfzp22e