Virtual Machine Introspection with Xen on ARM
Tamas K. Lengyel
Virtual Machine Introspection
1. Why?
2. What is needed?
   a. Isolation
   b. Interpretation
   c. Interposition
3. Current status
Why?
● Traditional defense mechanisms don’t integrate well into virtual environments
● Mobile (ARM) platform is rapidly growing
● Starting with Cortex-A15, virtualization extensions are available in hardware
● Xen on ARM available since March 2014
Isolation
Xen Security Modules on ARM
● Will be available in 4.5
● Allows for advanced disaggregation
● Security domain separate from the TCB
Interpretation
Reconstruct guest OS state information
● LibVMI purpose built for this task
● ARM paging support added in November, 2014
● Detect running processes, modules, files, users etc. in the guest
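An added example (not from the slides and not LibVMI's code): the kind of guest page-table walk that ARM paging support implies, written for the ARMv7 short-descriptor format with TTBCR.N = 0 assumed. The memory buffer, table addresses and function names are constructed for illustration; the address it returns is guest-physical, which stage 2 then translates again.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MEM_SIZE 0x10000u  /* constructed 64 KiB of guest-physical memory */
static uint8_t guest_mem[MEM_SIZE];

/* Read a 32-bit word (little-endian host assumed); out of range reads as 0, a fault descriptor. */
static uint32_t read32(uint32_t pa) {
    uint32_t v = 0;
    if (pa <= MEM_SIZE - 4) memcpy(&v, guest_mem + pa, 4);
    return v;
}
static void write32(uint32_t pa, uint32_t v) { memcpy(guest_mem + pa, &v, 4); }

/* Translate a guest VA to a guest-physical address. Returns 0 on success, -1 on a translation fault. */
int arm_v2p(uint32_t ttbr0, uint32_t va, uint32_t *pa) {
    uint32_t l1 = read32((ttbr0 & 0xFFFFC000u) | ((va >> 20) << 2));   /* index = VA[31:20] */
    if ((l1 & 3u) == 1u) {                                             /* pointer to a second-level table */
        uint32_t l2 = read32((l1 & 0xFFFFFC00u) | (((va >> 12) & 0xFFu) << 2));
        if (l2 & 2u)      *pa = (l2 & 0xFFFFF000u) | (va & 0x00000FFFu);  /* 4 KiB small page */
        else if (l2 & 1u) *pa = (l2 & 0xFFFF0000u) | (va & 0x0000FFFFu);  /* 64 KiB large page */
        else return -1;                                                   /* invalid entry */
        return 0;
    }
    if (l1 & 2u) {                                  /* section; bit 0 is PXN where implemented */
        if (l1 & (1u << 18)) *pa = (l1 & 0xFF000000u) | (va & 0x00FFFFFFu); /* 16 MiB supersection, PA[39:32] ignored */
        else                 *pa = (l1 & 0xFFF00000u) | (va & 0x000FFFFFu); /* 1 MiB section */
        return 0;
    }
    return -1;                                      /* 0b00: invalid first-level entry */
}

/* Constructed address space: first-level table at 0x4000, one second-level table at 0x8000. */
void build_sample(void) {
    memset(guest_mem, 0, sizeof guest_mem);
    write32(0x4000u + (0xC00u << 2), 0x80000000u | 2u);  /* VA 0xC00xxxxx -> 1 MiB section */
    write32(0x4000u + (0x001u << 2), 0x00008000u | 1u);  /* VA 0x001xxxxx -> second-level table */
    write32(0x8000u + (0x023u << 2), 0x0009A000u | 2u);  /* VA 0x00123xxx -> 4 KiB small page */
}

int main(void) {
    uint32_t pa = 0;
    build_sample();
    if (arm_v2p(0x4000u, 0xC0001234u, &pa) == 0) printf("section:    0x%08x\n", (unsigned)pa);
    if (arm_v2p(0x4000u, 0x00123456u, &pa) == 0) printf("small page: 0x%08x\n", (unsigned)pa);
    if (arm_v2p(0x4000u, 0x00200000u, &pa) != 0) printf("unmapped VA faults\n");
    return 0;
}
```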
Interposition - WiP
Step into the execution of the guest when something of interest happens
● Requires hardware & VMM support
● ARM two-stage address translation
● Configure paging to trap memory accesses
● VMM trap handlers need to forward the events to the security domain
Patches merged to Xen 4.5
Interposition - WiP
● Cleanup of Xen MEM_EVENT subsystem
● Xen on ARM trap handlers need performance regression testing
● More research needed into ARM hardware support for event trapping!
● SMC is good but limited to the guest kernel