DIGITAL FORENSIC RESEARCH CONFERENCE

VMI-PL: A Monitoring Language for Virtual Platforms

Using Virtual Machine Introspection

By

Florian Westphal, Stefan Axelsson,

Christian Neuhaus and Andreas Polze

Presented At

The Digital Forensic Research Conference

DFRWS 2014 USA Denver, CO (Aug 3rd - 6th)

DFRWS is dedicated to the sharing of knowledge and ideas about digital forensics research. Ever since it organized
the first open workshop devoted to digital forensics in 2001, DFRWS continues to bring academics and practitioners
together in an informal environment. As a non-profit, volunteer organization, DFRWS sponsors technical working
groups, annual conferences and challenges to help drive the direction of research and development.

http:/dfrws.org
VMI-PL: A monitoring language for virtual platforms
using virtual machine introspection

Florian Westphal 1,2 Stefan Axelsson 1 Christian Neuhaus 2

Andreas Polze 2
1 Blekinge
Institute of Technology
Karlskrona, Sweden
2 HassoPlattner Institute
Potsdam, Germany

August 5, 2014

F. Westphal (BTH, HPI) VMI-PL - DFRWS USA 2014 August 5, 2014 1 / 19

Outline

1 Introduction
Virtual Machine Introspection (VMI)
VMI Techniques

2 Virtual Machine Introspection Probe Language (VMI-PL)

Overview
Language Constructs
Demo

3 Evaluation
Measurement Scenarios
VMI-PL Performance
Comparison between VMI-PL and VMware VProbes

4 Conclusion

F. Westphal (BTH, HPI) VMI-PL - DFRWS USA 2014 August 5, 2014 2 / 19

Virtual Machine Introspection (VMI)

“Virtual machine introspection (VMI) describes the method of

monitoring and analyzing the state of a virtual machine from the
hypervisor level.”

— Jonas Pfoh [Pfoh et al., 2009]

F. Westphal (BTH, HPI) VMI-PL - DFRWS USA 2014 August 5, 2014 3 / 19

Virtual Machine Introspection (VMI)

“Virtual machine introspection (VMI) describes the method of

monitoring and analyzing the state of a virtual machine from the
hypervisor level.”

— Jonas Pfoh [Pfoh et al., 2009]

First Described by Garfinkel and Rosenblum [Garfinkel et al., 2003]

F. Westphal (BTH, HPI) VMI-PL - DFRWS USA 2014 August 5, 2014 3 / 19

Virtual Machine Introspection (VMI)

“Virtual machine introspection (VMI) describes the method of

monitoring and analyzing the state of a virtual machine from the
hypervisor level.”

— Jonas Pfoh [Pfoh et al., 2009]

First Described by Garfinkel and Rosenblum [Garfinkel et al., 2003]

Semantic gap problem [Chen et al., 2001]

F. Westphal (BTH, HPI) VMI-PL - DFRWS USA 2014 August 5, 2014 3 / 19

VMI Techniques

F. Westphal (BTH, HPI) VMI-PL - DFRWS USA 2014 August 5, 2014 4 / 19

VMI Techniques

Data-based techniques:

F. Westphal (BTH, HPI) VMI-PL - DFRWS USA 2014 August 5, 2014 4 / 19

VMI Techniques

Data-based techniques:
Memory introspection

F. Westphal (BTH, HPI) VMI-PL - DFRWS USA 2014 August 5, 2014 4 / 19

VMI Techniques

Data-based techniques:
Memory introspection
Register introspection

F. Westphal (BTH, HPI) VMI-PL - DFRWS USA 2014 August 5, 2014 4 / 19

VMI Techniques

Data-based techniques:
Memory introspection
Register introspection

Event-based techniques:

F. Westphal (BTH, HPI) VMI-PL - DFRWS USA 2014 August 5, 2014 4 / 19

VMI Techniques

Data-based techniques:
Memory introspection
Register introspection

Event-based techniques:
Monitor writes to certain registers

F. Westphal (BTH, HPI) VMI-PL - DFRWS USA 2014 August 5, 2014 4 / 19

VMI Techniques

Data-based techniques:
Memory introspection
Register introspection

Event-based techniques:
Monitor writes to certain registers
Monitor system and user defined interrupts

F. Westphal (BTH, HPI) VMI-PL - DFRWS USA 2014 August 5, 2014 4 / 19

VMI Techniques

Data-based techniques:
Memory introspection
Register introspection

Event-based techniques:
Monitor writes to certain registers
Monitor system and user defined interrupts

Stream-based techniques:

F. Westphal (BTH, HPI) VMI-PL - DFRWS USA 2014 August 5, 2014 4 / 19

VMI Techniques

Data-based techniques:
Memory introspection
Register introspection

Event-based techniques:
Monitor writes to certain registers
Monitor system and user defined interrupts

Stream-based techniques:
Inspect network traffic

F. Westphal (BTH, HPI) VMI-PL - DFRWS USA 2014 August 5, 2014 4 / 19

VMI Techniques

Data-based techniques:
Memory introspection
Register introspection

Event-based techniques:
Monitor writes to certain registers
Monitor system and user defined interrupts

Stream-based techniques:
Inspect network traffic
Monitor keyboard input

F. Westphal (BTH, HPI) VMI-PL - DFRWS USA 2014 August 5, 2014 4 / 19

Outline

1 Introduction
Virtual Machine Introspection (VMI)
VMI Techniques

2 Virtual Machine Introspection Probe Language (VMI-PL)

Overview
Language Constructs
Demo

3 Evaluation
Measurement Scenarios
VMI-PL Performance
Comparison between VMI-PL and VMware VProbes

4 Conclusion

F. Westphal (BTH, HPI) VMI-PL - DFRWS USA 2014 August 5, 2014 5 / 19

VMI-PL - Overview I

VMI-PL:

F. Westphal (BTH, HPI) VMI-PL - DFRWS USA 2014 August 5, 2014 6 / 19

VMI-PL - Overview I

VMI-PL:
Data probes
Event probes
Stream probes

F. Westphal (BTH, HPI) VMI-PL - DFRWS USA 2014 August 5, 2014 6 / 19

VMI-PL - Overview I

VMI-PL:
Data probes
Event probes
Stream probes
Filters
Reconfiguration instructions

F. Westphal (BTH, HPI) VMI-PL - DFRWS USA 2014 August 5, 2014 6 / 19

VMI-PL - Overview I

VMI-PL:
Data probes
Event probes
Stream probes
Filters
Reconfiguration instructions
Configuration

F. Westphal (BTH, HPI) VMI-PL - DFRWS USA 2014 August 5, 2014 6 / 19

VMI-PL - Overview II

1 Configuration {
2 < configuration - item >
3 }
4 < event - probe >( < parameters >){
5 < data - probe >( < parameters >)
6 < filter >( < parameters >){
7 < data - probe >( < parameters >)
8 }
9 }
10 < stream - probe >( < parameters >)

F. Westphal (BTH, HPI) VMI-PL - DFRWS USA 2014 August 5, 2014 7 / 19

VMI-PL - Language Constructs I

F. Westphal (BTH, HPI) VMI-PL - DFRWS USA 2014 August 5, 2014 8 / 19

VMI-PL - Language Constructs I

Data Probes:
ReadMemory(<virtual address> <size>, [<file-path> |
<stream-id>])

F. Westphal (BTH, HPI) VMI-PL - DFRWS USA 2014 August 5, 2014 8 / 19

VMI-PL - Language Constructs I

Data Probes:
ReadMemory(<virtual address> <size>, [<file-path> |
<stream-id>])
WriteToMemoryAt(<register>, <offset>, <value>)

F. Westphal (BTH, HPI) VMI-PL - DFRWS USA 2014 August 5, 2014 8 / 19

VMI-PL - Language Constructs I

Data Probes:
ReadMemory(<virtual address> <size>, [<file-path> |
<stream-id>])
WriteToMemoryAt(<register>, <offset>, <value>)
ProcessList(<field>, [<file-path> | <stream-id>])

F. Westphal (BTH, HPI) VMI-PL - DFRWS USA 2014 August 5, 2014 8 / 19

VMI-PL - Language Constructs I

Data Probes:
ReadMemory(<virtual address> <size>, [<file-path> |
<stream-id>])
WriteToMemoryAt(<register>, <offset>, <value>)
ProcessList(<field>, [<file-path> | <stream-id>])

Event Probes:
CRWrite(<number>)

F. Westphal (BTH, HPI) VMI-PL - DFRWS USA 2014 August 5, 2014 8 / 19

VMI-PL - Language Constructs I

Data Probes:
ReadMemory(<virtual address> <size>, [<file-path> |
<stream-id>])
WriteToMemoryAt(<register>, <offset>, <value>)
ProcessList(<field>, [<file-path> | <stream-id>])

Event Probes:
CRWrite(<number>)
Syscall([<syscall number> | -])

F. Westphal (BTH, HPI) VMI-PL - DFRWS USA 2014 August 5, 2014 8 / 19

VMI-PL - Language Constructs I

Data Probes:
ReadMemory(<virtual address> <size>, [<file-path> |
<stream-id>])
WriteToMemoryAt(<register>, <offset>, <value>)
ProcessList(<field>, [<file-path> | <stream-id>])

Event Probes:
CRWrite(<number>)
Syscall([<syscall number> | -])

Stream Probes:
CaptureNetwork(<mac address>, [<file-path> | <stream-id>])

F. Westphal (BTH, HPI) VMI-PL - DFRWS USA 2014 August 5, 2014 8 / 19

VMI-PL - Language Constructs I

Data Probes:
ReadMemory(<virtual address> <size>, [<file-path> |
<stream-id>])
WriteToMemoryAt(<register>, <offset>, <value>)
ProcessList(<field>, [<file-path> | <stream-id>])

Event Probes:
CRWrite(<number>)
Syscall([<syscall number> | -])

Stream Probes:
CaptureNetwork(<mac address>, [<file-path> | <stream-id>])
CaptureKeyboardInput([<file-path> | <stream-id>])

F. Westphal (BTH, HPI) VMI-PL - DFRWS USA 2014 August 5, 2014 8 / 19

VMI-PL - Language Constructs II

F. Westphal (BTH, HPI) VMI-PL - DFRWS USA 2014 August 5, 2014 9 / 19

VMI-PL - Language Constructs II

Filters:
RegisterHasValue(<register>, <value>)

F. Westphal (BTH, HPI) VMI-PL - DFRWS USA 2014 August 5, 2014 9 / 19

VMI-PL - Language Constructs II

Filters:
RegisterHasValue(<register>, <value>)

Reconfiguration Instructions:
Pause

F. Westphal (BTH, HPI) VMI-PL - DFRWS USA 2014 August 5, 2014 9 / 19

VMI-PL - Language Constructs II

Filters:
RegisterHasValue(<register>, <value>)

Reconfiguration Instructions:
Pause
Reconfigure(<event probe id>)

F. Westphal (BTH, HPI) VMI-PL - DFRWS USA 2014 August 5, 2014 9 / 19

VMI-PL - Demo I

1 Configuration {
2 P ro ce ss L is tH ea d : 0 xc17cdfe0
3 TasksOffset : 440
4 PIDOffset : 520
5 P r o c e s s N a m e O f f s e t : 744
6 MMSt ructOffs et : 468
7 ExeFileOffset : 444
8 DEntryOffset : 12
9 ParentOffset : 16
10 DNameOffset : 28
11 PGDOffset : 40
12 }
13 CRWrite (3){
14 ReadRegister ( CR3 , # demo )
15 }
16 ExecuteAt (0 xc104f060 ){
17 ProcessList ( PID , NAME , PATH , PGDP , # demo )
18 ReadRegister ( CR3 , # demo )
19 }
20 Capt ureNetwo rk (00:16:35: AF :94:4 B , # demo )

F. Westphal (BTH, HPI) VMI-PL - DFRWS USA 2014 August 5, 2014 10 / 19

VMI-PL - Demo II

Demo

F. Westphal (BTH, HPI) VMI-PL - DFRWS USA 2014 August 5, 2014 11 / 19

Outline

1 Introduction
Virtual Machine Introspection (VMI)
VMI Techniques

2 Virtual Machine Introspection Probe Language (VMI-PL)

Overview
Language Constructs
Demo

3 Evaluation
Measurement Scenarios
VMI-PL Performance
Comparison between VMI-PL and VMware VProbes

4 Conclusion

F. Westphal (BTH, HPI) VMI-PL - DFRWS USA 2014 August 5, 2014 12 / 19

Evaluation - Measurement Scenarios

Without monitoring support

F. Westphal (BTH, HPI) VMI-PL - DFRWS USA 2014 August 5, 2014 13 / 19

Evaluation - Measurement Scenarios

Without monitoring support

Monitoring support enabled (VMI-PL, VProbes)

F. Westphal (BTH, HPI) VMI-PL - DFRWS USA 2014 August 5, 2014 13 / 19

Evaluation - Measurement Scenarios

Without monitoring support

Monitoring support enabled (VMI-PL, VProbes)

Process life cycle monitoring (LC)

F. Westphal (BTH, HPI) VMI-PL - DFRWS USA 2014 August 5, 2014 13 / 19

Evaluation - Measurement Scenarios

Without monitoring support

Monitoring support enabled (VMI-PL, VProbes)

Process life cycle monitoring (LC)

Process execution monitoring (Exec)

F. Westphal (BTH, HPI) VMI-PL - DFRWS USA 2014 August 5, 2014 13 / 19

 14 / 19
August 5, 2014

ll
Ca )
em s (8
st t
Sy cr
ip
)
lS (1
el ts
Sh c rip n
lS tio
el ea
Sh Cr in
g
s
es it ch
oc
Pr Sw
t ut
ex hp
nt ug
Co ro

VMI-PL - DFRWS USA 2014

Th 96
Evaluation - VMI-PL Performance I

pe 40
Pi py
Co 6
le 25
Fi py
Co 24
le 10
Fi y t
p pu
Co gh
Fi
le ou
hr
lT
ec
Ex ne
to
ts
UnixBench Benchmark

he
W ne
to
ys
hr
D

F. Westphal (BTH, HPI)

LC
Exec
VMI-PL
100

80

60

40

20

0
Performance in %
Evaluation - VMI-PL Performance II

VMI-PL Apache Build Slowdown

10

VMI-PL
8 LC
Exec
6
Slowdown in %

-2

-4

F. Westphal (BTH, HPI) VMI-PL - DFRWS USA 2014 August 5, 2014 15 / 19

Evaluation - Comparison

UnixBench Benchmark

100

VMI-PL
80 VProbes
Performance in %

60

40

20

0
VMI-PL/ LC Exec
VProbes

F. Westphal (BTH, HPI) VMI-PL - DFRWS USA 2014 August 5, 2014 16 / 19

Outline

1 Introduction
Virtual Machine Introspection (VMI)
VMI Techniques

2 Virtual Machine Introspection Probe Language (VMI-PL)

Overview
Language Constructs
Demo

3 Evaluation
Measurement Scenarios
VMI-PL Performance
Comparison between VMI-PL and VMware VProbes

4 Conclusion

F. Westphal (BTH, HPI) VMI-PL - DFRWS USA 2014 August 5, 2014 17 / 19

Conclusion

Classification scheme for VMI techniques

F. Westphal (BTH, HPI) VMI-PL - DFRWS USA 2014 August 5, 2014 18 / 19

Conclusion

Classification scheme for VMI techniques

Simple description language for VMI

F. Westphal (BTH, HPI) VMI-PL - DFRWS USA 2014 August 5, 2014 18 / 19

Conclusion

Classification scheme for VMI techniques

Simple description language for VMI

Support for data, event, and stream-based techniques

F. Westphal (BTH, HPI) VMI-PL - DFRWS USA 2014 August 5, 2014 18 / 19

Conclusion

Classification scheme for VMI techniques

Simple description language for VMI

Support for data, event, and stream-based techniques
Support for VM state manipulation

F. Westphal (BTH, HPI) VMI-PL - DFRWS USA 2014 August 5, 2014 18 / 19

Conclusion

Classification scheme for VMI techniques

Simple description language for VMI

Support for data, event, and stream-based techniques
Support for VM state manipulation
Support for retrieving operating system level information

F. Westphal (BTH, HPI) VMI-PL - DFRWS USA 2014 August 5, 2014 18 / 19

Conclusion

Classification scheme for VMI techniques

Simple description language for VMI

Support for data, event, and stream-based techniques
Support for VM state manipulation
Support for retrieving operating system level information

Prototype for KVM

Available at https://github.com/FlorianWestphal/VMI-PL

F. Westphal (BTH, HPI) VMI-PL - DFRWS USA 2014 August 5, 2014 18 / 19

References

J. Pfoh, Ch. Schneider, C. Eckert (2009)

A Formal Model for Virtual Machine Introspection.
In Proc. of the 1st ACM workshop on Virtual machine security 1 – 10.

T. Garfinkel, M. Rosenblum (2003)

A Virtual Machine Introspection Based Architecture for Intrusion Detection.
In Proc. Network and Distributed Systems Security Symposium 191 – 206.

P.M. Chen, B.D. Noble (2001)

When virtual is better than real [operating system relocation to virtual machines].
Hot Topics in Operating Systems, 2001. Proceedings of the Eighth Workshop on
133–138.

F. Westphal (BTH, HPI) VMI-PL - DFRWS USA 2014 August 5, 2014 19 / 19