Secure Observation of Kernel Behavior

Operating system kernels are difficult to understand and monitor. Hardware virtualization provides a layer where security tools can observe a kernel, but the gap between operating system abstractions and hardware accesses limits the ability of tools to comprehend the kernel’s activity. Virtual machine introspection (VMI) builds knowledge of high-level kernel state by directly accessing the memory of an executing kernel. We show that implementations of introspection-based tools unsafely rely on operating system level data structures to provide meaningful information about a guest. We evade XenAccess, an open source implementation of introspection developed for Xen. We then develop Wizard, a Xen-based kernel monitor cognizant of the semantic correlation between events at a high-level kernel service interface and events at a low-level hardware device interface. In contrast to VMI, Wizard trusts no guest OS data, but its semantic understanding still identifies kernel-level attacks that alter the kernel’s execution behavior. Wizard’s monitoring imposes modest overheads of 0%–25% on guest applications.