| |
Seeing Through The Same Lens: Introspecting Guest Address Space At Native Speed
Speaker (s): 
ZHAO Siqi
PhD Candidate
School of Information Systems
Singapore Management University |
Date:
Time:
Venue:
| | August 4, 2017, Friday
2:00pm - 2:30pm
Meeting Room 4.4, Level 4
School of Information Systems
Singapore Management University
80 Stamford Road
Singapore 178902
We look forward to seeing you at this research seminar. 
|
|
About the talk Software-based MMU emulation lies at the heart of out-of-VM live memory introspection, an important technique in the cloud setting that applications such as live forensics and intrusion detection depend on. Due to the emulation, the software-based approach is much slower compared to native memory access by the guest VM. The slowness not only results in undetected transient malicious behavior, but also inconsistent memory view with the guest; both undermine the effectiveness of introspection. We propose the immersive execution environment (ImEE) with which the guest memory is accessed at native speed without any emulation. Meanwhile, the address mappings used within the ImEE are ensured to be consistent with the guest throughout the introspection session. We have implemented a prototype of the ImEE on Linux KVM. The experiment results show that ImEE-based introspection enjoys a remarkable speed up, performing several hundred times faster than the legacy method. Hence, this design is especially useful for real- time monitoring, incident response and high-intensity introspection. This a pre-conference talk for 26th USENIX Security Symposium, USENIX Security 2017. About the Speaker ZHAO Siqi is a PhD candidate in the School of Information System, Singapore Management University. His research focuses on utilising virtualisation based system for security purposes such as isolated execution, access control, virtual machine introspection etc |
