dynamic vm monitoring using hypervisor probes
play

Dynamic VM Monitoring using Hypervisor Probes Z. J. Estrada , C. - PowerPoint PPT Presentation

May 12, 2023 •303 likes •1.08k views

Dynamic VM Monitoring using Hypervisor Probes Z. J. Estrada , C. Pham, F. Deng, L. Yan, Z. Kalbarczyk, R. K. Iyer European Dependable Computing Conference 2015-09-09 ECE ILLINOIS 1 Department of Electrical and Computer Engineering Dynamic VM

  1. Dynamic VM Monitoring using Hypervisor Probes Z. J. Estrada , C. Pham, F. Deng, L. Yan, Z. Kalbarczyk, R. K. Iyer European Dependable Computing Conference 2015-09-09 ECE ILLINOIS 1 Department of Electrical and Computer Engineering

  2. Dynamic VM Monitoring Goal On-demand VM Monitoring to reduce the effort required to harden computing systems against failures and attacks. � Uptime requirements � Effort required � QA concerns � Lack of knowledge ECE ILLINOIS 2 Department of Electrical and Computer Engineering

  3. VM Monitoring Reliability & Security Monitoring Recording and analyzing a computer system to detect failures and attacks. ◮ Passive - polling based ◮ Active - event based ECE ILLINOIS 3 Department of Electrical and Computer Engineering

  4. VM Monitoring Applications VM OS Hypervisor KVM ECE ILLINOIS 4 Department of Electrical and Computer Engineering

  5. VM Monitoring Applications VM OS Hypervisor KVM Monitor ECE ILLINOIS 4 Department of Electrical and Computer Engineering

  6. VM Monitoring Applications VM OS Hypervisor KVM ECE ILLINOIS 4 Department of Electrical and Computer Engineering

  7. VM Monitor Monitor is running inside the hypervisor ECE ILLINOIS 5 Department of Electrical and Computer Engineering

  8. VM Monitor VM execution reaches a hook ECE ILLINOIS 5 Department of Electrical and Computer Engineering

  9. VM Monitor Control is transferred to the monitor ECE ILLINOIS 5 Department of Electrical and Computer Engineering

  10. VM Monitor The monitor performs its monitoring function ECE ILLINOIS 5 Department of Electrical and Computer Engineering

  11. VM Monitor Control is transferred back to the VM ECE ILLINOIS 5 Department of Electrical and Computer Engineering

  12. VM Monitor The VM resumes normal execution ECE ILLINOIS 5 Department of Electrical and Computer Engineering

  13. Hook-Based VM Monitoring Previous techniques: + Active monitoring + Protected hooks − Guest OS only - no userspace − Not dynamic - boot time config − Require guest OS modifications ECE ILLINOIS 6 Department of Electrical and Computer Engineering

  14. Goals Hook-based monitoring should: + be protected from attacks in the VM + be simple to use + not require guest OS modification + be runtime adaptable + allow for arbitrary hook placement ECE ILLINOIS 7 Department of Electrical and Computer Engineering

  15. Hypervisor Probes ECE ILLINOIS 8 Department of Electrical and Computer Engineering

  16. Hardware Assisted Virt. Host Mode Guest Mode (root) (non-root) User User VMEntry Kernel VMExit Kernel ECE ILLINOIS 9 Department of Electrical and Computer Engineering

  17. Hypervisor Probes ◮ Event on guest execution ◮ Event transfers control to hypervisor (VM Exit) ◮ Perform monitoring after that event ◮ Hooks added/removed at runtime ◮ Monitors applications and the guest OS ECE ILLINOIS 10 Department of Electrical and Computer Engineering

  18. Hprobe Architecture Host System VM Probe Probe Probe Status Hprobe Checker user agent Set/Remove probes ioctl (…) Detector 1 Event Forwarder Insert/Remove probes Hprobe Detector 2 Helper APIs Set single step Kernel agent KVM Hypervisor Detector n Host Linux kernel ECE ILLINOIS 11 Department of Electrical and Computer Engineering

  19. Hprobes API int HPROBE_add_probe( ); int HPROBE_remove_probe( ); ◮ addr info : gva+cr3 ◮ vmid : unique id for VM ◮ vcpu type : vcpu state ECE ILLINOIS 12 Department of Electrical and Computer Engineering

  20. Probe ⇒ Event Forwarder Hypervisor VM ... pushl %eax incl %eax decl %ebx ... ECE ILLINOIS 13 Department of Electrical and Computer Engineering

  21. Probe ⇒ Event Forwarder Hypervisor VM ... pushl %eax int3 decl %ebx ... ECE ILLINOIS 13 Department of Electrical and Computer Engineering

  22. Probe ⇒ Event Forwarder Hypervisor VM probe hit handler() (int3) Detector ... pushl %eax int3 decl %ebx ... ECE ILLINOIS 13 Department of Electrical and Computer Engineering

  23. Probe ⇒ Event Forwarder Hypervisor VM probe hit handler() (int3) Reset inst. ... pushl %eax incl %eax decl %ebx ... ECE ILLINOIS 13 Department of Electrical and Computer Engineering

  24. Probe ⇒ Event Forwarder Hypervisor VM probe hit handler() (int3) Reset inst. ... single execute pushl %eax inst. step incl %eax decl %ebx ... ECE ILLINOIS 13 Department of Electrical and Computer Engineering

  25. Probe ⇒ Event Forwarder Hypervisor VM probe hit handler() (int3) Reset inst. ... single execute pushl %eax inst. step int3 decl %ebx rewrite trap ... int3 ECE ILLINOIS 13 Department of Electrical and Computer Engineering

  26. Probe ⇒ Event Forwarder Hypervisor VM probe hit handler() (int3) Reset inst. ... single execute pushl %eax inst. step int3 decl %ebx rewrite trap ... int3 ... resume ECE ILLINOIS 13 Department of Electrical and Computer Engineering

  27. Userspace Probe Challenge Guest Page Tables ECE ILLINOIS 14 Department of Electrical and Computer Engineering

  28. Userspace Probe Challenge Guest Page Tables ECE ILLINOIS 14 Department of Electrical and Computer Engineering

  29. Userspace Probe Challenge Guest Page Tables ECE ILLINOIS 14 Department of Electrical and Computer Engineering

  30. Extended Page Tables (EPT) [1] ◮ Guest OS has full control over PTs ◮ 2nd set of HW PTs for GPA → HPA ◮ Use EPT to write-protect Guest Page Table [1] http://www-archive.xenproject.org/files/xensummit 4/VT roadmap d Nakajima.pdf ECE ILLINOIS 15 Department of Electrical and Computer Engineering

  31. Goals Hook-based monitoring should: + be protected from attacks in the VM + be simple to use + not require guest OS modification + be runtime adaptable + allow for arbitrary hook placement ECE ILLINOIS 16 Department of Electrical and Computer Engineering

  32. Goals Hook-based monitoring should: � be protected from attacks in the VM + be simple to use + not require guest OS modification + be runtime adaptable + allow for arbitrary hook placement ECE ILLINOIS 16 Department of Electrical and Computer Engineering

  33. Goals Hook-based monitoring should: � be protected from attacks in the VM � be simple to use + not require guest OS modification + be runtime adaptable + allow for arbitrary hook placement ECE ILLINOIS 16 Department of Electrical and Computer Engineering

  34. Goals Hook-based monitoring should: � be protected from attacks in the VM � be simple to use � not require guest OS modification + be runtime adaptable + allow for arbitrary hook placement ECE ILLINOIS 16 Department of Electrical and Computer Engineering

  35. Goals Hook-based monitoring should: � be protected from attacks in the VM � be simple to use � not require guest OS modification � be runtime adaptable + allow for arbitrary hook placement ECE ILLINOIS 16 Department of Electrical and Computer Engineering

  36. Goals Hook-based monitoring should: � be protected from attacks in the VM � be simple to use � not require guest OS modification � be runtime adaptable � allow for arbitrary hook placement ECE ILLINOIS 16 Department of Electrical and Computer Engineering

  37. Hprobe Microbenchmarks ◮ probe @ noop kernel function ◮ execute 1M times VM Hypervisor insert probe kernel kernel record start/stop time hypercall user user [2] [2] Adapted from an image by Fei Deng ECE ILLINOIS 17 Department of Electrical and Computer Engineering

  38. Hprobe Single Probe Latency 4.5 4.0 3.5 Time ( µ s) 3.0 2.5 2.0 2.6GHz E5430 2.2-3.0GHz E5-2660 Harpertown (2007) Sandy Bridge (2012) ECE ILLINOIS 18 Department of Electrical and Computer Engineering

  39. Hook-based VM Monitoring Name Latency User Dynamic Modifications Lares 28 µ s No No Hypervisor/Guest SIM 0.40 µ s No No Hypervisor/Guest hprobes 2.6 µ s Yes Yes Hypervisor ECE ILLINOIS 19 Department of Electrical and Computer Engineering

  40. Hook-based VM Monitoring Name Latency User Dynamic Modifications Lares 28 µ s No No Hypervisor/Guest SIM 0.40 µ s No No Hypervisor/Guest hprobes 2.6 µ s Yes Yes Hypervisor ◮ as-a-Service is worth slight performance cost ECE ILLINOIS 19 Department of Electrical and Computer Engineering

  41. Detectors What detectors can we build with hprobes? ECE ILLINOIS 20 Department of Electrical and Computer Engineering

  42. Detectors What detectors can we build with hprobes? ◮ Arbitrarily chose events ◮ On-demand ◮ Access to VM memory & CPU state ECE ILLINOIS 20 Department of Electrical and Computer Engineering

  43. Heartbeat/watchdog App Detector ECE ILLINOIS 21 Department of Electrical and Computer Engineering

  44. Heartbeat/watchdog App e b o r P t r e s n I Detector ECE ILLINOIS 21 Department of Electrical and Computer Engineering

  45. Heartbeat/watchdog App e b P o r r o P b e t r e H s i t n I Detector ECE ILLINOIS 21 Department of Electrical and Computer Engineering

  46. Heartbeat/watchdog App e b P o r r o P b e t r e H s i t n I Detector reset timer ECE ILLINOIS 21 Department of Electrical and Computer Engineering

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Automating the Automating the configuration of flow configuration of flow monitoring probes

Automating the Automating the configuration of flow configuration of flow monitoring probes

Zurich Research Laboratory Automating the Automating the configuration of flow configuration of flow monitoring probes monitoring probes Xenofontas (Fontas) Dimitropoulos (xed@zurich.ibm.com) Andreas Kind (ank@zurich.ibm.com) IBM | Dec 07

303 views • 14 slides
Dynamic address durations in RIPE Atlas probes Ramakrishna Padmanabhan, Emile Aben, Amogh

Dynamic address durations in RIPE Atlas probes Ramakrishna Padmanabhan, Emile Aben, Amogh

Dynamic address durations in RIPE Atlas probes Ramakrishna Padmanabhan, Emile Aben, Amogh Dhamdhere, kc claffy, Neil Spring 1 Dynamic address: 1.2.3.4 How long does a public dynamic address last on a device? 2 How long does a public

518 views • 47 slides
Analysis of Overhead in Dynamic Java Performance Monitoring Vojtch Hork, Jaroslav Kotr,

Analysis of Overhead in Dynamic Java Performance Monitoring Vojtch Hork, Jaroslav Kotr,

Analysis of Overhead in Dynamic Java Performance Monitoring Vojtch Hork, Jaroslav Kotr, Peter Libi and Petr Tma Charles University in Prague Context: Dynamic Monitoring of Production Systems Dynamic Monitoring of Production Systems

999 views • 61 slides
Monitoring In Motion Challenges in monitoring kubernetes, containers, and dynamic infrastructure.

Monitoring In Motion Challenges in monitoring kubernetes, containers, and dynamic infrastructure.

Monitoring In Motion Challenges in monitoring kubernetes, containers, and dynamic infrastructure. Ilan Rabinovitch ContainerCon Toronto Director, Technical Community Aug 24, 2016 Datadog $ finger ilan@datadog [datadoghq.com] Name:

989 views • 78 slides
Hyper-Cube High-Dimensional Hypervisor Fuzzing Sergej Schumilo, Cornelius Aschermann, Ali Abbasi,

Hyper-Cube High-Dimensional Hypervisor Fuzzing Sergej Schumilo, Cornelius Aschermann, Ali Abbasi,

Hyper-Cube High-Dimensional Hypervisor Fuzzing Sergej Schumilo, Cornelius Aschermann, Ali Abbasi, Simon Wrner and Thorsten Holz Chair for Systems Security Ruhr-Universitt Bochum Motivation Hypervisor Motivation Hypervisor VM 1 VM 2

688 views • 53 slides
Exploratory Monitoring at Bing AUTOMATED SYNTHETIC EXPLORATORY MONITORING OF DYNAMIC WEB SITES

Exploratory Monitoring at Bing AUTOMATED SYNTHETIC EXPLORATORY MONITORING OF DYNAMIC WEB SITES

Exploratory Monitoring at Bing AUTOMATED SYNTHETIC EXPLORATORY MONITORING OF DYNAMIC WEB SITES USING SELENIUM Outline 1. Modern Engineering Principles 2. Monitoring Approaches 3. Statistical Models 4. Selenium 5. Exploratory Principles 6.

618 views • 26 slides
Pilot Experiences with Station Monitoring and NERC PRC-005-2 Tony Pink Dynamic Ratings

Pilot Experiences with Station Monitoring and NERC PRC-005-2 Tony Pink Dynamic Ratings

Pilot Experiences with Station Monitoring and NERC PRC-005-2 Tony Pink Dynamic Ratings Monitoring, Control and Communications Solutions for Electrical Power Apparatus Why Consider Battery Monitoring NERC PRC-005-2 NERC Evidence

414 views • 18 slides
Using the Xen Hypervisor to Turbocharge OS Deployment Mike D. Day Ryan Harper Anthony Liguori

Using the Xen Hypervisor to Turbocharge OS Deployment Mike D. Day Ryan Harper Anthony Liguori

Using the Xen Hypervisor to Turbocharge OS Deployment Mike D. Day Ryan Harper Anthony Liguori Andrew Theurer Michael Hohnbaum Real-world Hypervisor Applications Make more efficient use of expensive hardware Server Consolidation

633 views • 24 slides
Enhance protection from security bugs in the Xen hypervisor Anthony PERARD Xen architecture

Enhance protection from security bugs in the Xen hypervisor Anthony PERARD Xen architecture

Enhance protection from security bugs in the Xen hypervisor Anthony PERARD Xen architecture Dom0 VMs QEMU Xen Scheduler MMU vPIC Memory CPUs I/O HW Emulation in hypervisor For performance Examples: Interrupt controller

859 views • 20 slides
Sun TM xVM Hypervisor Gary Pennington Solaris Kernel Engineer April 24, 2008 USE IMPROVE

Sun TM xVM Hypervisor Gary Pennington Solaris Kernel Engineer April 24, 2008 USE IMPROVE

USE IMPROVE EVANGELIZE Sun TM xVM Hypervisor Gary Pennington Solaris Kernel Engineer April 24, 2008 USE IMPROVE EVANGELIZE Agenda Hypervisors 101 Introduction to Sun TM xVM Hypervisor Use Cases Using the hypervisor

731 views • 36 slides
Bulk observables vs. hard probes bulk high- p T probes Only few particles with high transverse

Bulk observables vs. hard probes bulk high- p T probes Only few particles with high transverse

Bulk observables vs. hard probes bulk high- p T probes Only few particles with high transverse momenta (or containing heavy quarks), but their production mechanism is a priori better understood (perturbative QCD) can probe their environment

683 views • 30 slides
Recent flow results from LHC Soft probes, hard probes and their interplay You Zhou Niels

Recent flow results from LHC Soft probes, hard probes and their interplay You Zhou Niels

Recent flow results from LHC Soft probes, hard probes and their interplay You Zhou Niels Bohr Institute, University of Copenhagen You Zhou (NBI) @ COST workshop, Lund Anisotropic flow in Pb-Pb collisions Hydro: J. Noronha-Hostler etc,

663 views • 23 slides
WIFI FIRE: A A Scalable e Da Data-Driven M Monitoring, D Dynamic Prediction and R an Res

WIFI FIRE: A A Scalable e Da Data-Driven M Monitoring, D Dynamic Prediction and R an Res

WIFI FIRE: A A Scalable e Da Data-Driven M Monitoring, D Dynamic Prediction and R an Res esil ilie ience C Cyb yberin infrastructure for Wild ildfir ires Monitoring Visualization Fire Modeling Data CA F Fires 10/2017 t 2017

447 views • 11 slides
Virtualization. A dream within a dream Type 1 Virtualization Hypervisor run on bare

Virtualization. A dream within a dream Type 1 Virtualization Hypervisor run on bare

Virtualization. A dream within a dream Type 1 Virtualization Hypervisor run on bare metal. Dedicated virtualization machine. Higher performance. Typical for servers. Type 2 Virtualization Hypervisor sits on

571 views • 17 slides
CloudWatcher: Network Security Monitoring Using OpenFlow in Dynamic Cloud Networks (or: How to

CloudWatcher: Network Security Monitoring Using OpenFlow in Dynamic Cloud Networks (or: How to

CloudWatcher: Network Security Monitoring Using OpenFlow in Dynamic Cloud Networks (or: How to Provide Security Monitoring as a Service in Clouds?) Seungwon Shin Guofei Gu SUCCESS Lab SUCCESS Lab Texas A&M University Texas A&M

314 views • 6 slides
cooling circuit plumb line tubing joints sealing sheets temperature probes coffin casings and

cooling circuit plumb line tubing joints sealing sheets temperature probes coffin casings and

one of many types column steel reinforcement earth network of concrete piping for monitoring cooling circuit plumb line tubing joints sealing sheets temperature probes coffin casings and primary and secondary injection network OPTIMIZATION OF

358 views • 34 slides
On the spectral features of robust probing security Maria Chiara Molteni 1 Vittorio Zaccaria 2 1

On the spectral features of robust probing security Maria Chiara Molteni 1 Vittorio Zaccaria 2 1

Context Theoretical contribution Applications Complexity Conclusion On the spectral features of robust probing security Maria Chiara Molteni 1 Vittorio Zaccaria 2 1 Dipartimento di Informatica Giovanni Degli Antoni Universit` a degli

1.03k views • 52 slides
Probing Emergent Semantics in Predictive Agents via Question Answering Link to slides with

Probing Emergent Semantics in Predictive Agents via Question Answering Link to slides with

Probing Emergent Semantics in Predictive Agents via Question Answering Link to slides with playable videos: bit.ly/3iKYJd3 Abhishek Fede Hamza Laura Rosalia Das* 1 Carnevale* Merzic Rimell Schneider Josh Alden Arjun Stephen Greg

600 views • 40 slides
Metadata Management for Data Integration in Medical Sciences - Experiences from the LIFE Study -

Metadata Management for Data Integration in Medical Sciences - Experiences from the LIFE Study -

Metadata Management for Data Integration in Medical Sciences - Experiences from the LIFE Study - Toralf Kirsten, Alexander Kiel, Mathias Rhle, Jonas Wagner LIFE Reserach Center for Civilization Diseases University of Leipzig BTW, Stuttgart,

537 views • 20 slides
Lecture 04: More Process Modelling & Software Metrics 2015-05-04 Prof. Dr. Andreas Podelski,

Lecture 04: More Process Modelling & Software Metrics 2015-05-04 Prof. Dr. Andreas Podelski,

Softwaretechnik / Software-Engineering Lecture 04: More Process Modelling & Software Metrics 2015-05-04 Prof. Dr. Andreas Podelski, Dr. Bernd Westphal 04 2015-05-04 main Albert-Ludwigs-Universit at Freiburg, Germany

2.09k views • 173 slides
DTrace/SystemTap SDT Probes in OpenAFS Andrew Deason June 2019 OpenAFS Workshop 2019 1

DTrace/SystemTap SDT Probes in OpenAFS Andrew Deason June 2019 OpenAFS Workshop 2019 1

DTrace/SystemTap SDT Probes in OpenAFS Andrew Deason June 2019 OpenAFS Workshop 2019 1 Userspace DTrace Background Specify triggers on events (function calls) No special support needed Complex functionality builtin threading

310 views • 14 slides
The generalized split probe problem Celina Miraglia Herrera de Figueiredo workshop on graphs and

The generalized split probe problem Celina Miraglia Herrera de Figueiredo workshop on graphs and

The generalized split probe problem Celina Miraglia Herrera de Figueiredo workshop on graphs and algorithms In honor of Derek Corneils contributions to graph theory and computer science C probe graphs Given a graph class C , a graph G = ( V ,

557 views • 16 slides
Prevention of Microarchitectural Covert Channels on an Open-Source 64-bit RISC-V Core Fourth

Prevention of Microarchitectural Covert Channels on an Open-Source 64-bit RISC-V Core Fourth

Prevention of Microarchitectural Covert Channels on an Open-Source 64-bit RISC-V Core Fourth Workshop on Computer Architecture Research with RISC-V (CARRV 2020) May 29 th , 2020 Nils Wistoff Moritz Schneider Frank K. Grkaynak Luca Benini

750 views • 58 slides
Detecting Probe-resistant Proxies Sergey Frolov, Jack Wampler, Eric Wustrow University of

Detecting Probe-resistant Proxies Sergey Frolov, Jack Wampler, Eric Wustrow University of

Detecting Probe-resistant Proxies Sergey Frolov, Jack Wampler, Eric Wustrow University of Colorado Boulder Proxies Censored User obfs3 proxy Censor-Controlled Network Active Probing obfs3?? Lets confirm! Censored User obfs3 proxy

479 views • 46 slides

More recommend