
2.2 Virtual Machine Introspection

2.2.1 The Semantic Gap

The basic problem of VMI is interpreting the current hardware and software state of a Virtual Machine (VM) from the outside, without further knowledge about the system's internals. This step of interpretation was coined the semantic gap by Chen and Noble [24]. The difficulty in this step arises from the large amount of binary data that has to be parsed.

To resolve this issue, researchers have found different ways to handle the problem and to reduce the amount of information that has to be processed in order to generate a consistent view of the monitored system. In this process they introduced a classification of different view generation patterns [70]. This classification was made for two reasons. First, it classifies the amount of information that can be gathered by each view generation pattern; second, it also classifies the amount of trust that an external inspector should put into the generated information.

In the following we briefly describe these view generation patterns:

2.2.1.1. Derivation

The first approach to infer information about a previously unknown system is to derive the information directly through semantic information about the underlying hardware architecture. While the amount of information that can be gathered with this approach is limited, it has two major advantages. First, the gathered information is binding and thus cannot be changed by a malicious attacker. This is due to the fact that the information used during this process is directly used by the hardware. The critical data structures used in the derivation process are thus rooted in hardware [71], as one can build a chain between the data structures and an immutable, hardware-defined component. A VMI application can, for example, derive a sequence of system calls, as the address of the system call handler is contained in a special hardware register and any execution of that page can be trapped by the hypervisor. It is also possible, for example, to derive the memory areas that are allocated for a certain process within the guest VM, as a pointer to the page mapping for each process is contained in a special register (CR3 on x86), together with a description of the paging mode that is currently used (CR0 on x86). Using these two registers, a VMI application can extract the page tables for each process from memory and can thus extract, e.g., all executable pages. Because of this, hardware-rooted data structures become evasion-resistant.

Second, this approach is also software agnostic, as it only depends on the underlying hardware architecture and not on certain implementation decisions made by, e.g., Linux or Windows. As a result, VMI applications that solely rely on a derived view are guest operating system agnostic.

A drawback of this method is that only hardware-rooted information can be derived from a system. This still leaves most of the guest state in the dark, which is why other information delivery approaches are required.
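The derivation step described above (CR3 pointing at a process's page tables, executable pages extracted from them) as an added example; this is not code from the thesis. It assumes 4-level IA-32e paging (the mode a VMI tool would first confirm from CR0/CR4/EFER), uses the NX bit as the executable marker, and walks a constructed 64 KiB memory image rather than a real guest.

```python
import struct

# Assumed: 4-level IA-32e paging, the mode a VMI tool first confirms from CR0/CR4/EFER.
PRESENT, RW, USER, PS, NX = 1 << 0, 1 << 1, 1 << 2, 1 << 7, 1 << 63
ADDR_MASK = 0x000F_FFFF_FFFF_F000     # bits 12..51: next-level table or 4 KiB frame

def read_entry(mem, phys):
    """Read one 8-byte entry; a table address outside guest RAM reads as not present."""
    if phys < 0 or phys + 8 > len(mem):
        return 0
    return struct.unpack_from("<Q", mem, phys)[0]

def canonical(virt):
    return virt | 0xFFFF_0000_0000_0000 if virt & (1 << 47) else virt

def walk(mem, table, level, prefix, nx, pages):
    """Collect (virt, phys, size, executable) for every page reachable from `table`."""
    shift = 12 + 9 * (level - 1)      # 39 (PML4), 30 (PDPT), 21 (PD), 12 (PT)
    for idx in range(512):
        e = read_entry(mem, table + idx * 8)
        if not e & PRESENT:
            continue
        virt = prefix | (idx << shift)
        nx_here = nx or bool(e & NX)  # NX at any level makes the page non-executable
        if level == 1 or (level in (2, 3) and e & PS):
            size = 1 << shift         # 4 KiB, 2 MiB or 1 GiB page
            pages.append((canonical(virt), e & ADDR_MASK & ~(size - 1), size, not nx_here))
        else:
            walk(mem, e & ADDR_MASK, level - 1, virt, nx_here, pages)

def executable_pages(mem, cr3):
    """Derived view: all executable pages of the address space CR3 points to."""
    pages = []
    walk(mem, cr3 & ADDR_MASK, 4, 0, False, pages)
    return [p for p in pages if p[3]]

def build_demo_image():
    """Constructed 64 KiB 'guest RAM' holding one process' page tables, CR3 = 0x1000."""
    mem = bytearray(0x10000)
    def put(table, idx, value):
        struct.pack_into("<Q", mem, table + idx * 8, value)
    put(0x1000, 0, 0x2000 | PRESENT | RW | USER)       # PML4[0]   -> PDPT at 0x2000
    put(0x2000, 0, 0x3000 | PRESENT | RW | USER)       # PDPT[0]   -> PD at 0x3000
    put(0x3000, 2, 0x4000 | PRESENT | RW | USER)       # PD[2]     -> PT for 0x400000-0x5FFFFF
    put(0x4000, 0, 0x5000 | PRESENT | USER)            # 0x400000: .text, executable
    put(0x4000, 1, 0x6000 | PRESENT | RW | USER | NX)  # 0x401000: .data, NX set
    put(0x1000, 511, 0x7000 | PRESENT | RW)            # PML4[511] -> kernel-half PDPT
    put(0x7000, 510, 0x8000 | PRESENT | RW)            # PDPT[510] -> PD at 0x8000
    put(0x8000, 0, 0x200000 | PRESENT | RW | PS)       # 2 MiB kernel text at 0xFFFFFFFF80000000
    return mem, 0x1000
```

Calling `executable_pages(*build_demo_image())` yields the user .text page and the 2 MiB kernel text page, while the NX-marked .data page is filtered out; only the register value and the hardware-defined table format are needed, no knowledge of the guest OS.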

2.2.1.2. Out-of-band delivery

Another important part of guest memory is defined by the concrete applications that are executed within the monitored guest. These usually consist of an OS kernel together with applications that are executed in userspace. To be able to make sense of the information that is processed by the kernel, a VMI application requires symbol information to connect the raw memory with its higher-level representation. This symbol information is usually generated in an out-of-band approach by analyzing the source code or binary information of the executed programs. It consists, for example, of all the data types that are defined within the program and the addresses of all global variables, together with information about their respective types. Thus, a VMI application is enabled to navigate through the guest memory, starting at global variables.


This approach has the advantage that the semantic information can already be generated in an offline manner, and the view generation process is independent of the monitoring process. On the other hand, it has the disadvantage that the generated information does not take the active system state into account. Not only is the information bound to a specific software version; malware could also change the monitored system in a way that the generated view no longer matches the current system. These attacks are known as Direct Kernel Object Manipulation (DKOM) [17] and Direct Kernel Structure Manipulation (DKSM) [7]. Another problem with this approach is that the type of internal data structures may also depend on the current system state, so that the generated view is ambiguous. Therefore, this approach is also called non-binding, as the gathered information is not directly bound to the monitored system's state.

Due to this, current VMI mechanisms use a combination of the derivation and the out-of-band delivery approach.
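Out-of-band delivery as described above (navigating guest memory from a global symbol using a type description), its DKOM caveat, and the combination with a derived view, as an added example that is not part of the thesis. The profile, the `task` layout, the `init_task` symbol and the memory image are all constructed toy data, not a real Linux or Windows profile; the set of CR3 values is assumed to have been recorded by the hypervisor on CR3 loads.

```python
import struct

# Constructed out-of-band profile: what a symbol-extraction step would emit from the kernel
# binary (toy layout, not a real Linux or Windows profile): type layouts and global addresses.
PROFILE = {
    "types": {"task": {"size": 24, "fields": {"pid": (0, "<I"), "cr3": (8, "<Q"), "next": (16, "<Q")}}},
    "symbols": {"init_task": 0x1000},
}

def read_field(mem, addr, type_name, field):
    """Resolve field offset and encoding from the profile and read it from guest memory."""
    off, fmt = PROFILE["types"][type_name]["fields"][field]
    return struct.unpack_from(fmt, mem, addr + off)[0]

def list_tasks(mem):
    """Non-binding view: start at the global init_task and follow the circular `next` list."""
    head = PROFILE["symbols"]["init_task"]
    size = PROFILE["types"]["task"]["size"]
    seen, addr, tasks = set(), head, []
    while addr not in seen and addr + size <= len(mem):   # stops on loops and bogus pointers
        seen.add(addr)
        tasks.append((read_field(mem, addr, "task", "pid"), read_field(mem, addr, "task", "cr3")))
        addr = read_field(mem, addr, "task", "next")
    return tasks

def hidden_tasks(mem, observed_cr3s):
    """Cross-view check: CR3 values the hypervisor saw loaded (derived, binding) with no listed owner."""
    listed = {cr3 for _, cr3 in list_tasks(mem)}
    return sorted(observed_cr3s - listed)

def build_demo_image(unlink_pid=None):
    """Constructed guest memory: tasks 1-3 in a ring; optionally unlink one the way DKOM does."""
    mem = bytearray(0x2000)
    addrs = [0x1000, 0x1100, 0x1200]
    for i, addr in enumerate(addrs):
        struct.pack_into("<I4xQQ", mem, addr, i + 1, 0x10000 * (i + 1), addrs[(i + 1) % 3])
    if unlink_pid:
        i = unlink_pid - 1                   # predecessor now points past the hidden task;
        struct.pack_into("<Q", mem, addrs[i - 1] + 16, addrs[(i + 1) % 3])   # the object stays
    return mem
```

With task 2 unlinked, `list_tasks` reports only tasks 1 and 3, yet `hidden_tasks` still flags its CR3 because the derived view cannot be edited from inside the guest.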

2.2.1.3. In-band delivery

In contrast to the previously described view-generation approaches, one can also use an in-guest agent to deliver information about the monitored guest system. Due to its internal position, the in-guest agent directly uses the monitored guest's semantic information. Thus it is also possible to use this delivery approach to bridge the semantic gap for parts of memory that could not be bridged using other means of view generation.

However, in-band delivery also comes with a fundamental problem, which has to be considered before leveraging this mechanism. As the view generation is executed within the domain of the monitored system, an attacker is able to tamper with the view generator. It can, for example, provide the agent with malicious or modified data.

This means that a VMI system must take special care and consider that the generated results might be unreliable or false.

[Figure 2.1: the monitored VM, the VMM and the VMI application on the host OS, with the three view-generation paths labelled Derivation, Out-of-band delivery and In-band delivery]

Figure 2.1.: Different view-generation approaches.