virtual machine introspection with xen on arm
TRANSCRIPT
Virtual Machine Introspection with Xen on ARMTamas K. Lengyel@[email protected]
Virtual Machine Introspection
1. Why?2. What is needed?
a. Isolationb. Interpretationc. Interposition
3. Current status
Why?
● Traditional defense mechanisms don’t integrate well into virtual environments
● Mobile (ARM) platform is rapidly growing● Starting with Cortex-A15 virtualization
extensions are available in hardware● Xen on ARM available since March 2014
Isolation
Xen Security Modules on ARM● Will be available in 4.5● Allows for advanced
disaggregation● Security domain separate
from the TCB
Interpretation
Reconstruct guest OS state information● LibVMI purpose built for this task● ARM paging support added in November, 2014● Detect running processes, modules, files,
users etc. in the guest
Interposition - WiP
Step into the execution of the guest when something of interest happens● Requires hardware & VMM support● ARM two-stage address translation● Configure paging to trap memory accesses● VMM trap handlers need to forward the
events to the security domain
Patches merged to Xen 4.5
Interposition - WiP
● Cleanup of Xen MEM_EVENT subsystem● Xen on ARM trap handlers need performance
regression testing● More research needed into ARM hardware
support for event trapping!● SMC is good but limited to the guest kernel