High Performance VM Introspection Using Virtualization Exceptions

Presented at BSidesSF 2019, March 3, 2019, 3:30 p.m. (30 minutes)

Hypervisor memory introspection is a security solution isolated from the protected virtual machine's operating system by leveraging hardware virtualization technologies. It relies on the second-level address translation (SLAT) mechanism, in order to enforce restrictions on certain memory areas of the protected VM. In some scenarios this can have a high performance impact, especially due to accesses inside the guest paging structures done by the CPU page walker or the OS memory manager. Most of these accesses are not relevant to the HVI logic. This presentation addresses these issues, promoting an innovative approach on filtering the page-table accesses directly from the guest VM. The filtering is done by a small in-guest agent that uses the virtualization exception (#VE) mechanism: relevant accesses are reported to the main HVI module via a hypercall, while the other accesses are discarded with minimal performance impact. We also discuss a method of protecting the in-guest agent from possible malicious guests by isolating it inside a different physical address space.


Presenters:

  • Raul Tosa - Bitdefender
    Raul has been working with Bitdefender since 2005, building a strong technical background in fields like malware research, kernel driver development and virtualization. In the past years he's been researching how hardware virtualization technologies can be leveraged to strengthen operating systems security. He's also PhD student and lab attendant at Babes-Bolyai University of Cluj-Napoca, Faculty of Mathematics and Computer Science, and he has been granted more than 10 US patents.
  • Cristinel-Ionel Anichitei - Bitdefender SRL
    Cristinel-Ionel Anichitei is a team leader for the Windows HVI team at BitDefender who joined the team 4 years ago. Since then they played a key role in ensuring the success of the project. Their efforts are mainly focused towards Windows reverse engineering, security, and performance optimizations. They are also a master’s student at the Technical University of Cluj Napoca.

Links:

Similar Presentations: