Advances, Systems and Applications
Table 1 Comparison of VMI techniques
From: Virtual machine introspection: towards bridging the semantic gap
Category | Technique | Location of code | VMM transparency | VMM alteration | Guest support | Advantages | ||
|---|---|---|---|---|---|---|---|---|
| Â | Â | Guest VM | Secure VM | VMM | Â | Â | Â | Â |
Memory introspection | Using Xen Libraries | N | Y | Y | No | Required | PV Guests | Safety of VMI code |
I/O Introspection | Â | N | N | Y | No | Required | All Types | Driver and I/O access inspection |
System call introspection | Using VT support | N | Y | Y | No | Required | All Types | Processor support makes introspection less complicated |
| Â | By Hardware Rooting | N | Y | N | No | Required | All Types | Protection from DKSM attacks |
Process introspection | Using Hooks | Y | Y | Y | Yes | Required | All Types | Reverse remote control possible |
| Â | Using Shadow Page Tables | Y | N | Y | Yes | Required | All Types | Trusted Introspection code execution |
| Â | Using CFG | Y | N | Y | Yes | Required | All Types | Novel approach for code malfunction detection |
Other techniques | Code Injection | Y | N | Y | Â | Required | All Types | Secure and less prone to attacks |
| Â | Function Call Injection | Y | Y | Y | No | Required | All Types | Novel approach |
| Â | Page Flag Inspection | Y | Y | N | No | No | PV guests | Detects packed & encrypted malwares |
| Â | Process Out-grafting | Y | Y | Y | Yes | Required | All Types | A novel approach |
| Â | Live Kernel Data Redirection | Y | Y | Y | Yes | Required | All Types | Choice of selection for introspection programme |
Proposed technique | Event Injection | Y | N | Y | Yes | Required | All Types | Secure & almost every introspection code can be used |