Full virtual machine state reconstruction for security applications

System virtualization allows one to monitor, analyze, and manipulate the state of a virtual machine from the vantage point of the hypervisor. This method is known as virtual machine introspection (VMI). Various security mechanisms can be implemented by exercising the extensive control the hypervisor has over the virtual machines running on top of it, such as malware analysis, intrusion detection, secure logging, and digital forensics. As virtualization technology becomes increasingly ubiquitous in everyday computing, VMI represents a viable option to enhance system security from the hypervisor level. However, all systems that utilize VMI face a common challenge, namely the semantic gap. This challenge describes the disconnect between the low-level state that the hypervisor has access to and its semantics within the guest. In this work, we explore the possibilities and implications of bridging the semantic gap to support security applications from the hypervisor level. We define a formal model for VMI that allows us to describe and compare such approaches in a uniform way. Using our model, we identify three common patterns for bridging the semantic gap and describe the properties of the corresponding implementations. Based on these findings, we propose a novel VMI framework that allows one to analyze the full virtual machine state in a universal way. We apply semantic knowledge of the operating system kernel to recreate the graph of kernel objects from guest physical memory. Since dynamic pointer manipulations such as type-casting and pointer arithmetic are prevalent in kernel code, we develop a type-centric, semantic source code analysis technique to identify such runtime manipulations in the C programming language. The results of this analysis augment the static type information and allow us to over-approximate the possible data types of pointer values, thus increasing the overall coverage of the kernel object graph in a fully automated fashion. However, not all instances of runtime dependent type manipulations can be detected this way. As a solution, our framework additionally supports the manual formulation of simple, yet powerful type manipulation rules. These rules allow the user to extend the type knowledge with his own expertise in a generic, re-usable way. To give evidence for the effectiveness of our methods, we have implemented a prototype of this system as part of this work to perform virtual machine introspection. Our prototype faithfully reconstructs the graph of kernel objects of Linux guests almost perfectly. The identified objects can be exposed to arbitrary VMI applications for further analysis through a rich set of interfaces. From all the possible security applications that could work on the object graph, we choose malware detection as an example. The experimental evaluation shows that our approach is well suited to detect various kinds of kernel-level attacks, including those that are specifically designed to cover their tracks within the system.