Advances, Systems and Applications
From: Virtual machine introspection: towards bridging the semantic gap
Category | Technique | Location of code: Guest VM | Location of code: Secure VM | Location of code: VMM | VMM transparency | VMM alteration | Guest support | Advantages |
---|---|---|---|---|---|---|---|---|
Memory introspection | Using Xen Libraries | N | Y | Y | No | Required | PV Guests | Safety of VMI code |
I/O Introspection |  | N | N | Y | No | Required | All Types | Driver and I/O access inspection |
System call introspection | Using VT support | N | Y | Y | No | Required | All Types | Processor support makes introspection less complicated |
 | By Hardware Rooting | N | Y | N | No | Required | All Types | Protection from DKSM attacks |
Process introspection | Using Hooks | Y | Y | Y | Yes | Required | All Types | Reverse remote control possible |
 | Using Shadow Page Tables | Y | N | Y | Yes | Required | All Types | Trusted Introspection code execution |
 | Using CFG | Y | N | Y | Yes | Required | All Types | Novel approach for code malfunction detection |
Other techniques | Code Injection | Y | N | Y |  | Required | All Types | Secure and less prone to attacks |
 | Function Call Injection | Y | Y | Y | No | Required | All Types | Novel approach |
 | Page Flag Inspection | Y | Y | N | No | No | PV guests | Detects packed & encrypted malware |
 | Process Out-grafting | Y | Y | Y | Yes | Required | All Types | A novel approach |
 | Live Kernel Data Redirection | Y | Y | Y | Yes | Required | All Types | Choice of selection for introspection programme |
Proposed technique | Event Injection | Y | N | Y | Yes | Required | All Types | Secure & almost every introspection code can be used |