CAREER: A Dual-VM Binary Code Reuse Based Framework for Automated Virtual Machine Introspection

职业：基于双虚拟机二进制代码重用的自动化虚拟机自省框架

• 批准号: 1834215
• 负责人: Zhiqiang Lin
• 金额: $ 48.8万
• 依托单位: Ohio State University
• 依托单位国家: 美国
• 项目类别: Continuing Grant
• 财政年份: 2018
• 资助国家: 美国
• 起止时间: 2018-01-01 至 2023-08-31
• 项目状态: 已结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=1834215&HistoricalAwards=false
• 关键词: CAREER; Dual; VM; Binary; Code

Virtual Machine Monitors (VMMs) and hypervisors have become a foundational technology for system developers to achieve increased levels of security, reliability, and manageability for large-scale computing systems such as cloud computing. However, when developing software at the VMM layer, developers often need to interpret the very low level hardware layer state and reconstruct the semantic meanings of the guest operating system events due to the lack of operating system level abstractions. This semantic gap problem has been a road block for a decade for many VMM level applications such as virtual machine introspection (VMI), malware analysis, and virtual machine management.This research seeks to design and develop new approaches, practical techniques, and efficient implementations to automatically bridge the semantic gap for VMM layer programs including VMI. In particular, a dual-VM, binary code reuse based framework is formulated and applied to automatically bridge the semantic gap. Such a framework directly enables a large set of legacy utility software to automatically become VMI software. Meanwhile, the research includes developing a set of practical enabling techniques such as memory exclusive kernel version inference, and integrates these techniques with efficient implementations from binary rewriting. The results of this research are to significantly increase the productivity of virtualization software development as well as the security of virtualization software, and also open new opportunities for automated system administration, intrusion detection, and incident response.

虚拟机监视器 (VMM) 和虚拟机管理程序已成为系统开发人员提高云计算等大规模计算系统的安全性、可靠性和可管理性水平的基础技术。然而，在VMM层开发软件时，由于缺乏操作系统级抽象，开发人员通常需要解释非常低级的硬件层状态并重建客户操作系统事件的语义。 十年来，这种语义差距问题一直是许多 VMM 级应用程序（例如虚拟机自省 (VMI)、恶意软件分析和虚拟机管理）的障碍。本研究旨在设计和开发新方法、实用技术和高效实现自动弥合 VMM 层程序（包括 VMI）的语义差距。特别是，制定并应用了基于双VM、二进制代码重用的框架来自动弥合语义差距。这样的框架直接使大量遗留实用软件自动成为VMI软件。同时，研究还包括开发一套实用的使能技术，例如内存独占内核版本推断，并将这些技术与二进制重写的高效实现相结合。这项研究的结果将显着提高虚拟化软件开发的生产力以及虚拟化软件的安全性，并为自动化系统管理、入侵检测和事件响应开辟新的机会。