CAREER: A Dual-VM Binary Code Reuse Based Framework for Automated Virtual Machine Introspection

职业：基于双虚拟机二进制代码重用的自动化虚拟机自省框架

• 批准号: 1834215
• 负责人: Zhiqiang Lin
• 金额: $ 48.8万
• 依托单位: Ohio State University
• 依托单位国家: 美国
• 项目类别: Continuing Grant
• 财政年份: 2018
• 资助国家: 美国
• 起止时间: 2018-01-01 至 2023-08-31
• 项目状态: 已结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=1834215&HistoricalAwards=false
• 关键词: CAREER; Dual; VM; Binary; Code

Virtual Machine Monitors (VMMs) and hypervisors have become a foundational technology for system developers to achieve increased levels of security, reliability, and manageability for large-scale computing systems such as cloud computing. However, when developing software at the VMM layer, developers often need to interpret the very low level hardware layer state and reconstruct the semantic meanings of the guest operating system events due to the lack of operating system level abstractions. This semantic gap problem has been a road block for a decade for many VMM level applications such as virtual machine introspection (VMI), malware analysis, and virtual machine management.This research seeks to design and develop new approaches, practical techniques, and efficient implementations to automatically bridge the semantic gap for VMM layer programs including VMI. In particular, a dual-VM, binary code reuse based framework is formulated and applied to automatically bridge the semantic gap. Such a framework directly enables a large set of legacy utility software to automatically become VMI software. Meanwhile, the research includes developing a set of practical enabling techniques such as memory exclusive kernel version inference, and integrates these techniques with efficient implementations from binary rewriting. The results of this research are to significantly increase the productivity of virtualization software development as well as the security of virtualization software, and also open new opportunities for automated system administration, intrusion detection, and incident response.

虚拟机管理程序（VMM）和虚拟机管理程序已经成为系统开发人员的基础技术，以实现诸如云计算之类的大规模计算系统的更高级别的安全性、可靠性和可扩展性。然而，当在VMM层开发软件时，由于缺乏操作系统级抽象，开发人员通常需要解释非常低级别的硬件层状态并重构客户操作系统事件的语义含义。 这个语义鸿沟问题已经成为许多VMM层应用程序，如虚拟机内省（VMI），恶意软件分析和虚拟机管理的一个拦路虎十年。本研究旨在设计和开发新的方法，实用的技术，和有效的实现，以自动弥合语义鸿沟的VMM层程序，包括VMI。特别是，双VM，二进制代码重用为基础的框架制定和应用自动弥合语义差距。这样的框架直接使大量的遗留实用软件自动成为VMI软件。同时，研究包括开发一套实用的使能技术，如内存独占内核版本推断，并将这些技术与二进制重写的有效实现相结合。这项研究的结果将显著提高虚拟化软件开发的生产力以及虚拟化软件的安全性，并为自动化系统管理、入侵检测和事件响应提供新的机会。