Efficient VM Introspection in KVM and Performance Comparison with Xen
Kenichi Kourai, Kousuke Nakamura
Kyushu Institute of Technology
Intrusion Detection System (IDS)
• IDSes detect attacks against servers
  • Monitor the systems and networks of servers
  • Alert administrators
• Recently, attackers attempt to disable IDSes before they are detected
  • This is easy because IDSes are running inside the servers
[Figure: an IDS running inside the server it monitors is reachable by the intruder]
IDS Offloading
• Offloading IDSes using virtual machines (VMs)
  • Run a server in a VM
  • Execute IDSes outside the VM
  • Prevent IDSes from being compromised
• Can be provided as a cloud service
  • Cloud providers can protect users' VMs
[Figure: in-VM monitoring (IDS inside the VM) vs. IDS offloading (IDS outside the VM)]
VM Introspection (VMI)
• A technique for monitoring VMs from the outside
  • Memory introspection: obtain raw memory contents and extract OS data
  • Disk introspection: obtain raw disk data and interpret a filesystem
  • Network introspection: obtain packets only from/to VMs
[Figure: an IDS outside the VM accessing the VM's memory, disk, and network packets]
Performance of VMI
• Performance has not been reported in detail
  • No performance comparison
  • E.g., VMwatcher [Jiang+ CCS'07]: implemented in Xen, QEMU, VMware, and UML, but reported only for UML
  • E.g., EXTERIOR [Fu+ VEE'13]: implemented in KVM and QEMU; no difference because it uses a memory dump
• Performance data is important for users' selection of virtualization software
The Purpose of This Work
• Performance comparison among virtualization software in terms of VMI
• Target: Xen and KVM
  • Widely used open source virtualization software
  • System architecture is different
[Figure: Xen runs VMs on a hypervisor; KVM runs each VM as a process on the host OS]
Implementation for KVM
• No efficient implementation of VMI for KVM
  • Several studies have been done for KVM, but the implementation details are unclear
  • LibVMI [Payne+ '11] supports VMI for both Xen and KVM, but the performance of memory introspection is too low in KVM because LibVMI is optimized for Xen
KVMonitor
• We have developed an efficient VMI tool for KVM
  • Execute an IDS as a process of the host OS
  • Provide functions for introspecting memory, disks, and NICs in QEMU
[Figure: the offloaded IDS on the host OS monitors the memory, disk, and NIC of the VM (a QEMU process on the KVM module) through KVMonitor]
Memory Introspection (1/2)
• Difficult to efficiently introspect QEMU's memory
  • LibVMI obtains memory contents from QEMU
• KVMonitor shares the VM's physical memory with QEMU via a memory file
  • Accessed as a memory-mapped file
  • Enables direct memory introspection
[Figure: QEMU and KVMonitor both map the VM's physical memory from the same memory file]
Memory Introspection (2/2)
• IDSes usually access OS data using virtual addresses
• KVMonitor translates virtual addresses into physical addresses
  • Looks up the page table for address translation
  • Introspects the CR3 register using QMP
[Figure: KVMonitor obtains CR3 from QEMU via QMP and walks the page table in the memory file]
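The address translation described above, as an added example that is not KVMonitor's code: a page-table walk over a flat byte buffer standing in for the memory-mapped memory file. The CR3 value and the guest page tables are constructed here (KVMonitor reads the real CR3 through QMP); the walk assumes a 64-bit guest with 4-level paging and 4 KB / 2 MB pages, so a 32-bit guest would need the 2-level or PAE variant.

```c
/* Added example, not KVMonitor's code: guest virtual -> guest physical address
 * translation by walking 4-level page tables in a buffer that stands in for the
 * mmap'ed memory file. CR3 and the tables are constructed, not read from a VM. */
#include <stdint.h>
#include <string.h>

#define PAGE_SIZE   4096u
#define PTE_PRESENT 0x1ull
#define PTE_PS      0x80ull                  /* set in a PD entry: 2 MB page */
#define ADDR_MASK   0x000ffffffffff000ull    /* frame-number bits of an entry */

static const uint8_t *guest_mem;             /* contents of the "memory file" */
static size_t guest_mem_size;

/* Read one 8-byte page-table entry at a guest physical address. The bounds check
 * matters: a corrupted entry must not make the IDS read outside the mapped file. */
static int read_entry(uint64_t gpa, uint64_t *out) {
    if (gpa > guest_mem_size || guest_mem_size - gpa < 8) return -1;
    memcpy(out, guest_mem + gpa, 8);
    return 0;
}

/* Walk PML4 -> PDPT -> PD -> PT. Returns 0 and sets *gpa, or -1 if an entry is
 * not present or a table lies outside guest memory. */
int translate_gva(uint64_t cr3, uint64_t gva, uint64_t *gpa) {
    uint64_t table = cr3 & ADDR_MASK, entry;
    for (int level = 3; level >= 0; level--) {
        unsigned idx = (unsigned)((gva >> (12 + 9 * level)) & 0x1ff);
        if (read_entry(table + idx * 8, &entry) < 0 || !(entry & PTE_PRESENT))
            return -1;
        if (level == 1 && (entry & PTE_PS)) {            /* 2 MB page */
            *gpa = (entry & 0x000fffffffe00000ull) | (gva & 0x1fffff);
            return 0;
        }
        table = entry & ADDR_MASK;
    }
    *gpa = table | (gva & 0xfff);
    return 0;
}

/* Convenience wrapper: the translated address, or UINT64_MAX on failure. */
uint64_t lookup_gpa(uint64_t cr3, uint64_t gva) {
    uint64_t gpa;
    return translate_gva(cr3, gva, &gpa) == 0 ? gpa : UINT64_MAX;
}

/* Constructed 32 KB guest: PML4 at 0x1000, PDPT at 0x2000, PD at 0x3000, PT at
 * 0x4000. Maps 0xffffffff81000000 to the 4 KB frame at 0x5000 and
 * 0xffffffff81200000 to a 2 MB page at 0x200000. Returns the CR3 value. */
uint64_t build_sample_guest(void) {
    static uint64_t mem[8 * PAGE_SIZE / 8];
    uint64_t *pml4 = mem + 0x1000 / 8, *pdpt = mem + 0x2000 / 8;
    uint64_t *pd = mem + 0x3000 / 8, *pt = mem + 0x4000 / 8;
    memset(mem, 0, sizeof mem);
    pml4[511] = 0x2000 | PTE_PRESENT;                    /* gva bits 47..39 */
    pdpt[510] = 0x3000 | PTE_PRESENT;                    /* gva bits 38..30 */
    pd[8]     = 0x4000 | PTE_PRESENT;                    /* gva bits 29..21 */
    pd[9]     = 0x200000 | PTE_PS | PTE_PRESENT;         /* 2 MB page */
    pt[0]     = 0x5000 | PTE_PRESENT;                    /* gva bits 20..12 */
    guest_mem = (const uint8_t *)mem;
    guest_mem_size = sizeof mem;
    return 0x1000;
}
```

Each level of the walk costs one read from the memory file, which is why a pre-mapped file beats mapping a page for every 8-byte entry.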
Disk/Network Introspection
• KVMonitor introspects the VM's disks via the network block device (NBD)
  • Interprets the qcow2 format in the NBD server
  • Interprets the filesystem in the host OS
• KVMonitor captures packets from a tap device
[Figure: the disk image file is exported to the host OS by an NBD server; the IDS reads the VM's network traffic from the tap device]
Transcall with KVMonitor
• We have ported Transcall [Iida+ '11] for Xen to KVM
  • Enables offloading legacy IDSes without any modifications
  • Consists of a system call emulator and a shadow filesystem, including the proc filesystem
  • Analyzes OS data by memory introspection
[Figure: the offloaded IDS issues system calls to Transcall, which analyzes the VM's OS data through KVMonitor]
Experiments
• We examined that KVMonitor achieved
  • Efficient memory introspection
  • No impact on the memory performance of a VM
  • Effective IDS offloading
• PC: CPU Intel Xeon E5630 (12 MB L3 cache); Memory 6 GB DDR3 PC3-8500; HDD 250 GB SATA; NIC gigabit Ethernet; Hypervisor KVM 1.1.2; Host OS Linux 3.2.0
• VM: 1 CPU; Memory 512 MB; Disk 20 GB (ext3); Guest OS Linux 2.6.27
KVMonitor vs. LibVMI
• We measured the performance of memory introspection
  • Copy the VM's physical memory 4 KB at a time
• KVMonitor was 32x faster than LibVMI
[Figure: read throughput (GB/s): KVMonitor 9.6 vs. LibVMI 0.3]
Why is LibVMI so slow?
• LibVMI has to issue a QMP command for each memory access
  • Memory contents are transferred from QEMU to LibVMI
[Figure: LibVMI reads the VM's memory through QMP requests to QEMU, whereas KVMonitor reads it directly from the memory file]
In-VM Memory Performance
• Doesn't using a memory file affect the memory performance of a VM?
• Using a memory file was as efficient as malloc
[Figure: in-VM throughput (GB/s) with the VM's memory backed by a memory file vs. malloc: read 8.6 and 8.5, write 6.6 and 6.3]
KVMonitor vs. In-VM Access
• KVMonitor was faster than in-VM memory access
  • Due to virtualization overhead
[Figure: read throughput (GB/s): KVMonitor 9.6 vs. in-VM 8.6]
Offloading Legacy IDSes (1/3)
• Tripwire: checks filesystem integrity in disks
  • We added, deleted, and modified files
  • Offloaded Tripwire detected the changed files
Rule Name           ... Added Removed Modified
Monitor Filesystems     1     1       1
Total Objects scanned: 67082
Total violations found: 3
[Figure: Tripwire runs outside the VM, reading the VM's disk and its own DB]
Offloading Legacy IDSes (2/3)
• Snort: inspects network packets
  • We performed portscans from another host
  • Offloaded Snort detected the portscans
[**] [1:1421:11] SNMP AgentX/tcp request [**]
[Classification: Attempted Information Leak] ...
01/28-10:47:13.406931 192.168.0.68:47962 -> 192.168.0.81:705
[Figure: Snort runs outside the VM with its rule sets, inspecting the VM's packets]
Offloading Legacy IDSes (3/3)
• Chkrootkit: detects rootkits using ps, netstat, and file inspection
  • We tampered with ps and netstat in a VM
  • Offloaded chkrootkit detected the tampered commands
ROOTDIR is '/'
Checking 'ps'... INFECTED
Checking 'netstat'... INFECTED
  :
[Figure: chkrootkit runs outside the VM and executes the VM's ps and netstat from its disk]
Cross-view Diff (1/2)
• A technique for detecting hidden malware
  • Compare the results of VMI and in-VM monitoring
  • A difference means the existence of hidden malware
[Figure: the cross-view diff engine compares the in-VM view (A B D ...) with the VMI view (A B C D ...) and reports C as hidden]
Cross-view Diff (2/2)
• We tampered with ps in a VM
  • A hidden process was detected as malicious
• We tampered with netstat in a VM
  • A hidden port was detected as a backdoor
ps, results from offloaded commands:
PID TTY     TIME CMD
  1 ?   00:00:00 init
  2 ?   00:00:00 kthreadd
  :
ps, results from in-VM commands:
PID TTY     TIME CMD
  2 ?   00:00:00 kthreadd
  :
netstat, results from offloaded commands:
Proto ... Local Address ...
tcp       0.0.0.0:5900
tcp       0.0.0.0:22
  :
netstat, results from in-VM commands:
Proto ... Local Address ...
tcp       0.0.0.0:22
  :
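A minimal cross-view diff over ps and netstat output, as an added example that is not the authors' code: it extracts the PID or local port from each line of the offloaded (VMI) view and the in-VM view and reports keys that only the offloaded view contains. The sample outputs are constructed to mirror the listings above.

```c
/* Added example, not the authors' code: a minimal cross-view diff. The
 * "offloaded" view is what the IDS obtains through VMI; the "in-VM" view is what
 * the (possibly tampered) guest ps/netstat print. Keys present only in the
 * offloaded view are hidden. Sample outputs are constructed after the slide. */
#include <stdlib.h>
#include <string.h>

#define MAX_KEYS 64

/* Comparison key of one output line: the PID for ps lines ("  1 ?  ... init"),
 * the local port for netstat lines ("tcp  0.0.0.0:5900"); -1 for headers. */
static long key_of(const char *line, int netstat) {
    if (netstat) {
        const char *colon = strrchr(line, ':');      /* port follows last ':' */
        if (!colon || (strncmp(line, "tcp", 3) && strncmp(line, "udp", 3)))
            return -1;
        return strtol(colon + 1, NULL, 10);
    }
    char *end;
    long pid = strtol(line, &end, 10);
    return end == line ? -1 : pid;                   /* "PID TTY ..." -> -1 */
}

static int collect(const char *const *lines, int n, int netstat, long *keys) {
    int k = 0;
    for (int i = 0; i < n && k < MAX_KEYS; i++) {
        long key = key_of(lines[i], netstat);
        if (key >= 0) keys[k++] = key;
    }
    return k;
}

/* Returns the number of keys seen by the offloaded view but not in-VM and
 * stores them in hidden[]; a non-zero result flags hidden malware. */
int cross_view_diff(const char *const *vmi, int nv, const char *const *invm,
                    int ni, int netstat, long *hidden) {
    long a[MAX_KEYS], b[MAX_KEYS];
    int na = collect(vmi, nv, netstat, a), nb = collect(invm, ni, netstat, b);
    int nh = 0;
    for (int i = 0; i < na; i++) {
        int found = 0;
        for (int j = 0; j < nb && !found; j++) found = (a[i] == b[j]);
        if (!found) hidden[nh++] = a[i];
    }
    return nh;
}

/* Constructed samples modelled on the slide: ps hides PID 1, netstat hides 5900. */
static const char *ps_vmi[]  = {"PID TTY     TIME CMD", "  1 ?   00:00:00 init",
                                "  2 ?   00:00:00 kthreadd"};
static const char *ps_invm[] = {"PID TTY     TIME CMD", "  2 ?   00:00:00 kthreadd"};
static const char *ns_vmi[]  = {"Proto ... Local Address ...", "tcp       0.0.0.0:5900",
                                "tcp       0.0.0.0:22"};
static const char *ns_invm[] = {"Proto ... Local Address ...", "tcp       0.0.0.0:22"};

/* Report the first hidden PID / port, or -1 when the two views agree. */
long hidden_pid(void)  { long h[MAX_KEYS]; return cross_view_diff(ps_vmi, 3, ps_invm, 2, 0, h) ? h[0] : -1; }
long hidden_port(void) { long h[MAX_KEYS]; return cross_view_diff(ns_vmi, 3, ns_invm, 2, 1, h) ? h[0] : -1; }
```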
KVMonitor vs. Xen
• We compared the performance of VMI between KVM and Xen
• Using a VMI tool for Xen
  • Memory: standard library (libxenctrl)
  • Disk: loopback mount
  • Network: tap device
• Hypervisor: Xen 4.1.3; Dom0 OS: Linux 3.2.0; VM: fully virtualized
[Figure: on Xen the IDS runs in Dom0 (itself a VM) and reaches the VM's memory through libxenctrl, its disk image file through a loopback mount, and its network through a tap device]
Memory Introspection
• We measured read throughput
  • Copy the VM's physical memory 4 KB at a time
• KVMonitor was 48x faster than Xen
[Figure: read throughput (GB/s): KVM (KVMonitor) 9.6 vs. Xen 0.2]
Why is Xen so slow?
• Xen has to map each memory page
  • It cannot map all the pages in advance
  • It takes time proportional to the number of pages
• KVMonitor can read a pre-mapped file
[Figure: on Xen the IDS maps the VM's memory page by page via libxenctrl; KVMonitor reads the memory file directly]
Kernel Integrity Checking
• We measured the execution time of the kernel integrity checker
  • Reads the code area
  • Translates virtual to physical addresses
• KVMonitor was 118x faster than Xen
[Figure: execution time (ms): KVM 1.9 vs. Xen 224]
Why is the speedup so much larger?
• The speedup in the real IDS was much larger
  • 48x (simple benchmark)
  • 118x (kernel checker)
• Due to address translation
  • In Xen, the access cost of the page table is high
  • Only 8 bytes are read after memory mapping
[Figure: map & read in the simple benchmark vs. map & read in the real kernel checker, which maps a page to read only an 8-byte page-table entry]
Disk Introspection
• We measured the execution time of Tripwire
  • For two disk formats: raw and qcow2
• KVMonitor was comparable to Xen
• The difference between formats was larger
  • Raw was faster than qcow2
[Figure: Tripwire execution time (min) on KVM and Xen: raw 7.5 on both, qcow2 9.4 and 9.2]
Network Introspection
• We measured the packet loss rate in Snort
  • Send many packets as fast as possible
• KVMonitor was more lightweight than Xen
  • Dom0 suffered from virtualization overhead
[Figure: packet loss rate (%): KVM 6.2 vs. Xen 10.4]
Chkrootkit
• We measured the execution time of chkrootkit
• KVMonitor was 1.6x faster than Xen
  • Efficient memory introspection
  • No virtualization overhead
• 2x slower than in-VM
  • Due to system call traps
[Figure: execution time (sec), offloading vs. in-VM on KVM and Xen: offloading 35 (KVM) and 55 (Xen); in-VM 18 and 21]
Related Work
• VMI tools
  • Livewire [Garfinkel+ NDSS'03] for VMware
  • XenAccess [Payne+ ACSAC'07] for Xen
• Shm-snapshot for LibVMI [Xu+ PDL'13]
  • Takes a VM's memory snapshot in shared memory
  • It takes 1.4 seconds for 3 GB
• Volatility [Walters '07]
  • A memory forensics framework
  • VMI for KVM is enabled by PyVMI, a Python adapter from LibVMI
Conclusion
• KVMonitor
  • Achieves efficient VM introspection (VMI) in KVM
  • 32x faster than the existing LibVMI
• Performance comparison with Xen
  • 118x faster at maximum
  • Chkrootkit was 1.6x faster
• Future work
  • Comparison with other virtualization software
  • Integration with LibVMI
Slide Note

I'm Kenichi Kourai from Kyushu Institute of Technology.

In this talk, I'm gonna talk about efficient virtual machine introspection in KVM, one of the most famous virtualization software, and performance comparison with Xen, another famous virtualization software.

This is joint work with my student.


Intrusion Detection Systems (IDS) play a crucial role in detecting attacks against servers, but attackers are finding ways to disable them. IDS offloading using virtual machines (VMs) can prevent compromise, providing enhanced security. VM Introspection (VMI) allows monitoring VMs from the outside, with techniques like memory, disk, and network introspection. The performance of VMI in KVM compared to Xen is an important consideration for users in selecting virtualization software.


Uploaded on Sep 23, 2024 | 1 Views



