dynamic vm monitoring using hypervisor probes
play

Dynamic VM Monitoring using Hypervisor Probes Z. J. Estrada , C. - PowerPoint PPT Presentation

May 12, 2023 •303 likes •1.08k views

Dynamic VM Monitoring using Hypervisor Probes Z. J. Estrada , C. Pham, F. Deng, L. Yan, Z. Kalbarczyk, R. K. Iyer European Dependable Computing Conference 2015-09-09 ECE ILLINOIS 1 Department of Electrical and Computer Engineering Dynamic VM

  1. Dynamic VM Monitoring using Hypervisor Probes Z. J. Estrada , C. Pham, F. Deng, L. Yan, Z. Kalbarczyk, R. K. Iyer European Dependable Computing Conference 2015-09-09 ECE ILLINOIS 1 Department of Electrical and Computer Engineering

  2. Dynamic VM Monitoring Goal On-demand VM Monitoring to reduce the effort required to harden computing systems against failures and attacks. � Uptime requirements � Effort required � QA concerns � Lack of knowledge ECE ILLINOIS 2 Department of Electrical and Computer Engineering

  3. VM Monitoring Reliability & Security Monitoring Recording and analyzing a computer system to detect failures and attacks. ◮ Passive - polling based ◮ Active - event based ECE ILLINOIS 3 Department of Electrical and Computer Engineering

  4. VM Monitoring Applications VM OS Hypervisor KVM ECE ILLINOIS 4 Department of Electrical and Computer Engineering

  5. VM Monitoring Applications VM OS Hypervisor KVM Monitor ECE ILLINOIS 4 Department of Electrical and Computer Engineering

  6. VM Monitoring Applications VM OS Hypervisor KVM ECE ILLINOIS 4 Department of Electrical and Computer Engineering

  7. VM Monitor Monitor is running inside the hypervisor ECE ILLINOIS 5 Department of Electrical and Computer Engineering

  8. VM Monitor VM execution reaches a hook ECE ILLINOIS 5 Department of Electrical and Computer Engineering

  9. VM Monitor Control is transferred to the monitor ECE ILLINOIS 5 Department of Electrical and Computer Engineering

  10. VM Monitor The monitor performs its monitoring function ECE ILLINOIS 5 Department of Electrical and Computer Engineering

  11. VM Monitor Control is transferred back to the VM ECE ILLINOIS 5 Department of Electrical and Computer Engineering

  12. VM Monitor The VM resumes normal execution ECE ILLINOIS 5 Department of Electrical and Computer Engineering

  13. Hook-Based VM Monitoring Previous techniques: + Active monitoring + Protected hooks − Guest OS only - no userspace − Not dynamic - boot time config − Require guest OS modifications ECE ILLINOIS 6 Department of Electrical and Computer Engineering

  14. Goals Hook-based monitoring should: + be protected from attacks in the VM + be simple to use + not require guest OS modification + be runtime adaptable + allow for arbitrary hook placement ECE ILLINOIS 7 Department of Electrical and Computer Engineering

  15. Hypervisor Probes ECE ILLINOIS 8 Department of Electrical and Computer Engineering

  16. Hardware Assisted Virt. Host Mode Guest Mode (root) (non-root) User User VMEntry Kernel VMExit Kernel ECE ILLINOIS 9 Department of Electrical and Computer Engineering

  17. Hypervisor Probes ◮ Event on guest execution ◮ Event transfers control to hypervisor (VM Exit) ◮ Perform monitoring after that event ◮ Hooks added/removed at runtime ◮ Monitors applications and the guest OS ECE ILLINOIS 10 Department of Electrical and Computer Engineering

  18. Hprobe Architecture Host System VM Probe Probe Probe Status Hprobe Checker user agent Set/Remove probes ioctl (…) Detector 1 Event Forwarder Insert/Remove probes Hprobe Detector 2 Helper APIs Set single step Kernel agent KVM Hypervisor Detector n Host Linux kernel ECE ILLINOIS 11 Department of Electrical and Computer Engineering

  19. Hprobes API int HPROBE_add_probe( ); int HPROBE_remove_probe( ); ◮ addr info : gva+cr3 ◮ vmid : unique id for VM ◮ vcpu type : vcpu state ECE ILLINOIS 12 Department of Electrical and Computer Engineering

  20. Probe ⇒ Event Forwarder Hypervisor VM ... pushl %eax incl %eax decl %ebx ... ECE ILLINOIS 13 Department of Electrical and Computer Engineering

  21. Probe ⇒ Event Forwarder Hypervisor VM ... pushl %eax int3 decl %ebx ... ECE ILLINOIS 13 Department of Electrical and Computer Engineering

  22. Probe ⇒ Event Forwarder Hypervisor VM probe hit handler() (int3) Detector ... pushl %eax int3 decl %ebx ... ECE ILLINOIS 13 Department of Electrical and Computer Engineering

  23. Probe ⇒ Event Forwarder Hypervisor VM probe hit handler() (int3) Reset inst. ... pushl %eax incl %eax decl %ebx ... ECE ILLINOIS 13 Department of Electrical and Computer Engineering

  24. Probe ⇒ Event Forwarder Hypervisor VM probe hit handler() (int3) Reset inst. ... single execute pushl %eax inst. step incl %eax decl %ebx ... ECE ILLINOIS 13 Department of Electrical and Computer Engineering

  25. Probe ⇒ Event Forwarder Hypervisor VM probe hit handler() (int3) Reset inst. ... single execute pushl %eax inst. step int3 decl %ebx rewrite trap ... int3 ECE ILLINOIS 13 Department of Electrical and Computer Engineering

  26. Probe ⇒ Event Forwarder Hypervisor VM probe hit handler() (int3) Reset inst. ... single execute pushl %eax inst. step int3 decl %ebx rewrite trap ... int3 ... resume ECE ILLINOIS 13 Department of Electrical and Computer Engineering

  27. Userspace Probe Challenge Guest Page Tables ECE ILLINOIS 14 Department of Electrical and Computer Engineering

  28. Userspace Probe Challenge Guest Page Tables ECE ILLINOIS 14 Department of Electrical and Computer Engineering

  29. Userspace Probe Challenge Guest Page Tables ECE ILLINOIS 14 Department of Electrical and Computer Engineering

  30. Extended Page Tables (EPT) [1] ◮ Guest OS has full control over PTs ◮ 2nd set of HW PTs for GPA → HPA ◮ Use EPT to write-protect Guest Page Table [1] http://www-archive.xenproject.org/files/xensummit 4/VT roadmap d Nakajima.pdf ECE ILLINOIS 15 Department of Electrical and Computer Engineering

  31. Goals Hook-based monitoring should: + be protected from attacks in the VM + be simple to use + not require guest OS modification + be runtime adaptable + allow for arbitrary hook placement ECE ILLINOIS 16 Department of Electrical and Computer Engineering

  32. Goals Hook-based monitoring should: � be protected from attacks in the VM + be simple to use + not require guest OS modification + be runtime adaptable + allow for arbitrary hook placement ECE ILLINOIS 16 Department of Electrical and Computer Engineering

  33. Goals Hook-based monitoring should: � be protected from attacks in the VM � be simple to use + not require guest OS modification + be runtime adaptable + allow for arbitrary hook placement ECE ILLINOIS 16 Department of Electrical and Computer Engineering

  34. Goals Hook-based monitoring should: � be protected from attacks in the VM � be simple to use � not require guest OS modification + be runtime adaptable + allow for arbitrary hook placement ECE ILLINOIS 16 Department of Electrical and Computer Engineering

  35. Goals Hook-based monitoring should: � be protected from attacks in the VM � be simple to use � not require guest OS modification � be runtime adaptable + allow for arbitrary hook placement ECE ILLINOIS 16 Department of Electrical and Computer Engineering

  36. Goals Hook-based monitoring should: � be protected from attacks in the VM � be simple to use � not require guest OS modification � be runtime adaptable � allow for arbitrary hook placement ECE ILLINOIS 16 Department of Electrical and Computer Engineering

  37. Hprobe Microbenchmarks ◮ probe @ noop kernel function ◮ execute 1M times VM Hypervisor insert probe kernel kernel record start/stop time hypercall user user [2] [2] Adapted from an image by Fei Deng ECE ILLINOIS 17 Department of Electrical and Computer Engineering

  38. Hprobe Single Probe Latency 4.5 4.0 3.5 Time ( µ s) 3.0 2.5 2.0 2.6GHz E5430 2.2-3.0GHz E5-2660 Harpertown (2007) Sandy Bridge (2012) ECE ILLINOIS 18 Department of Electrical and Computer Engineering

  39. Hook-based VM Monitoring Name Latency User Dynamic Modifications Lares 28 µ s No No Hypervisor/Guest SIM 0.40 µ s No No Hypervisor/Guest hprobes 2.6 µ s Yes Yes Hypervisor ECE ILLINOIS 19 Department of Electrical and Computer Engineering

  40. Hook-based VM Monitoring Name Latency User Dynamic Modifications Lares 28 µ s No No Hypervisor/Guest SIM 0.40 µ s No No Hypervisor/Guest hprobes 2.6 µ s Yes Yes Hypervisor ◮ as-a-Service is worth slight performance cost ECE ILLINOIS 19 Department of Electrical and Computer Engineering

  41. Detectors What detectors can we build with hprobes? ECE ILLINOIS 20 Department of Electrical and Computer Engineering

  42. Detectors What detectors can we build with hprobes? ◮ Arbitrarily chose events ◮ On-demand ◮ Access to VM memory & CPU state ECE ILLINOIS 20 Department of Electrical and Computer Engineering

  43. Heartbeat/watchdog App Detector ECE ILLINOIS 21 Department of Electrical and Computer Engineering

  44. Heartbeat/watchdog App e b o r P t r e s n I Detector ECE ILLINOIS 21 Department of Electrical and Computer Engineering

  45. Heartbeat/watchdog App e b P o r r o P b e t r e H s i t n I Detector ECE ILLINOIS 21 Department of Electrical and Computer Engineering

  46. Heartbeat/watchdog App e b P o r r o P b e t r e H s i t n I Detector reset timer ECE ILLINOIS 21 Department of Electrical and Computer Engineering

Recommend

Automating the Automating the configuration of flow configuration of flow monitoring probes

Automating the Automating the configuration of flow configuration of flow monitoring probes

Zurich Research Laboratory Automating the Automating the configuration of flow configuration of flow monitoring probes monitoring probes Xenofontas (Fontas) Dimitropoulos (xed@zurich.ibm.com) Andreas Kind (ank@zurich.ibm.com) IBM | Dec 07

303 views • 14 slides
Dynamic address durations in RIPE Atlas probes Ramakrishna Padmanabhan, Emile Aben, Amogh

Dynamic address durations in RIPE Atlas probes Ramakrishna Padmanabhan, Emile Aben, Amogh

Dynamic address durations in RIPE Atlas probes Ramakrishna Padmanabhan, Emile Aben, Amogh Dhamdhere, kc claffy, Neil Spring 1 Dynamic address: 1.2.3.4 How long does a public dynamic address last on a device? 2 How long does a public

518 views • 47 slides
Analysis of Overhead in Dynamic Java Performance Monitoring Vojtch Hork, Jaroslav Kotr,

Analysis of Overhead in Dynamic Java Performance Monitoring Vojtch Hork, Jaroslav Kotr,

Analysis of Overhead in Dynamic Java Performance Monitoring Vojtch Hork, Jaroslav Kotr, Peter Libi and Petr Tma Charles University in Prague Context: Dynamic Monitoring of Production Systems Dynamic Monitoring of Production Systems

999 views • 61 slides
Monitoring In Motion Challenges in monitoring kubernetes, containers, and dynamic infrastructure.

Monitoring In Motion Challenges in monitoring kubernetes, containers, and dynamic infrastructure.

Monitoring In Motion Challenges in monitoring kubernetes, containers, and dynamic infrastructure. Ilan Rabinovitch ContainerCon Toronto Director, Technical Community Aug 24, 2016 Datadog $ finger ilan@datadog [datadoghq.com] Name:

989 views • 78 slides
Hyper-Cube High-Dimensional Hypervisor Fuzzing Sergej Schumilo, Cornelius Aschermann, Ali Abbasi,

Hyper-Cube High-Dimensional Hypervisor Fuzzing Sergej Schumilo, Cornelius Aschermann, Ali Abbasi,

Hyper-Cube High-Dimensional Hypervisor Fuzzing Sergej Schumilo, Cornelius Aschermann, Ali Abbasi, Simon Wrner and Thorsten Holz Chair for Systems Security Ruhr-Universitt Bochum Motivation Hypervisor Motivation Hypervisor VM 1 VM 2

688 views • 53 slides
Exploratory Monitoring at Bing AUTOMATED SYNTHETIC EXPLORATORY MONITORING OF DYNAMIC WEB SITES

Exploratory Monitoring at Bing AUTOMATED SYNTHETIC EXPLORATORY MONITORING OF DYNAMIC WEB SITES

Exploratory Monitoring at Bing AUTOMATED SYNTHETIC EXPLORATORY MONITORING OF DYNAMIC WEB SITES USING SELENIUM Outline 1. Modern Engineering Principles 2. Monitoring Approaches 3. Statistical Models 4. Selenium 5. Exploratory Principles 6.

618 views • 26 slides
Pilot Experiences with Station Monitoring and NERC PRC-005-2 Tony Pink Dynamic Ratings

Pilot Experiences with Station Monitoring and NERC PRC-005-2 Tony Pink Dynamic Ratings

Pilot Experiences with Station Monitoring and NERC PRC-005-2 Tony Pink Dynamic Ratings Monitoring, Control and Communications Solutions for Electrical Power Apparatus Why Consider Battery Monitoring NERC PRC-005-2 NERC Evidence

414 views • 18 slides
Using the Xen Hypervisor to Turbocharge OS Deployment Mike D. Day Ryan Harper Anthony Liguori

Using the Xen Hypervisor to Turbocharge OS Deployment Mike D. Day Ryan Harper Anthony Liguori

Using the Xen Hypervisor to Turbocharge OS Deployment Mike D. Day Ryan Harper Anthony Liguori Andrew Theurer Michael Hohnbaum Real-world Hypervisor Applications Make more efficient use of expensive hardware Server Consolidation

633 views • 24 slides
Enhance protection from security bugs in the Xen hypervisor Anthony PERARD Xen architecture

Enhance protection from security bugs in the Xen hypervisor Anthony PERARD Xen architecture

Enhance protection from security bugs in the Xen hypervisor Anthony PERARD Xen architecture Dom0 VMs QEMU Xen Scheduler MMU vPIC Memory CPUs I/O HW Emulation in hypervisor For performance Examples: Interrupt controller

859 views • 20 slides
Sun TM xVM Hypervisor Gary Pennington Solaris Kernel Engineer April 24, 2008 USE IMPROVE

Sun TM xVM Hypervisor Gary Pennington Solaris Kernel Engineer April 24, 2008 USE IMPROVE

USE IMPROVE EVANGELIZE Sun TM xVM Hypervisor Gary Pennington Solaris Kernel Engineer April 24, 2008 USE IMPROVE EVANGELIZE Agenda Hypervisors 101 Introduction to Sun TM xVM Hypervisor Use Cases Using the hypervisor

731 views • 36 slides
Bulk observables vs. hard probes bulk high- p T probes Only few particles with high transverse

Bulk observables vs. hard probes bulk high- p T probes Only few particles with high transverse

Bulk observables vs. hard probes bulk high- p T probes Only few particles with high transverse momenta (or containing heavy quarks), but their production mechanism is a priori better understood (perturbative QCD) can probe their environment

683 views • 30 slides
Recent flow results from LHC Soft probes, hard probes and their interplay You Zhou Niels

Recent flow results from LHC Soft probes, hard probes and their interplay You Zhou Niels

Recent flow results from LHC Soft probes, hard probes and their interplay You Zhou Niels Bohr Institute, University of Copenhagen You Zhou (NBI) @ COST workshop, Lund Anisotropic flow in Pb-Pb collisions Hydro: J. Noronha-Hostler etc,

663 views • 23 slides
WIFI FIRE: A A Scalable e Da Data-Driven M Monitoring, D Dynamic Prediction and R an Res

WIFI FIRE: A A Scalable e Da Data-Driven M Monitoring, D Dynamic Prediction and R an Res

WIFI FIRE: A A Scalable e Da Data-Driven M Monitoring, D Dynamic Prediction and R an Res esil ilie ience C Cyb yberin infrastructure for Wild ildfir ires Monitoring Visualization Fire Modeling Data CA F Fires 10/2017 t 2017

447 views • 11 slides
Virtualization. A dream within a dream Type 1 Virtualization Hypervisor run on bare

Virtualization. A dream within a dream Type 1 Virtualization Hypervisor run on bare

Virtualization. A dream within a dream Type 1 Virtualization Hypervisor run on bare metal. Dedicated virtualization machine. Higher performance. Typical for servers. Type 2 Virtualization Hypervisor sits on

571 views • 17 slides
CloudWatcher: Network Security Monitoring Using OpenFlow in Dynamic Cloud Networks (or: How to

CloudWatcher: Network Security Monitoring Using OpenFlow in Dynamic Cloud Networks (or: How to

CloudWatcher: Network Security Monitoring Using OpenFlow in Dynamic Cloud Networks (or: How to Provide Security Monitoring as a Service in Clouds?) Seungwon Shin Guofei Gu SUCCESS Lab SUCCESS Lab Texas A&M University Texas A&M

314 views • 6 slides
cooling circuit plumb line tubing joints sealing sheets temperature probes coffin casings and

cooling circuit plumb line tubing joints sealing sheets temperature probes coffin casings and

one of many types column steel reinforcement earth network of concrete piping for monitoring cooling circuit plumb line tubing joints sealing sheets temperature probes coffin casings and primary and secondary injection network OPTIMIZATION OF

358 views • 34 slides
! Apps Apps RAM ! Ring 0 - 2 OS / Hypervisor OS / Hypervisor Remote Attestation Protected

! Apps Apps RAM ! Ring 0 - 2 OS / Hypervisor OS / Hypervisor Remote Attestation Protected

Keystone : An Open Framework for Architecting Trusted Execution Environments Dayeol Lee , David Kohlbrenner, Shweta Shinde, Krste Asanovic, Dawn Song Dept. of Electrical Engineering and Computer Sciences University of California, Berkeley

599 views • 30 slides
Cosmological Probes of Cosmological Probes of Dark Matter Interactions Dark Matter Interactions

Cosmological Probes of Cosmological Probes of Dark Matter Interactions Dark Matter Interactions

Cosmological Probes of Cosmological Probes of Dark Matter Interactions Dark Matter Interactions Vera Gluscevic Vera Gluscevic Princeton / USC New Directions in the Search for Light Dark Matter Particles Fermilab/KICP (Jun 7, 2019) 1

627 views • 48 slides
Runtime Monitoring and Dynamic Reconfiguration for Intrusion Detection Systems Martin Rehak 1,2 ,

Runtime Monitoring and Dynamic Reconfiguration for Intrusion Detection Systems Martin Rehak 1,2 ,

Runtime Monitoring and Dynamic Reconfiguration for Intrusion Detection Systems Martin Rehak 1,2 , Eugen Staab 3 , Volker Fusenig 3 , Michal Pechoucek 1,2 , Martin Grill 1 , Jan Stiborek 1 , and Karel Bartos 1 ( 1 ) Czech Technical University in

419 views • 24 slides
Reverse Engineering by Crayon: Game Changing Hypervisor and Visualization Analysis Game Changing

Reverse Engineering by Crayon: Game Changing Hypervisor and Visualization Analysis Game Changing

Reverse Engineering by Crayon: Game Changing Hypervisor and Visualization Analysis Game Changing Hypervisor Based Malware Analysis and Visualization Danny Quist Danny Quist Lorie Liebrock New Mexico Tech Computer Science Dept. Offensive

898 views • 64 slides
Probes in holographic plasmas with unquenched quarks Liuba Mazzanti (University of Santiago de

Probes in holographic plasmas with unquenched quarks Liuba Mazzanti (University of Santiago de

Introduction D3/D7 plasma D7 probes End Probes in holographic plasmas with unquenched quarks Liuba Mazzanti (University of Santiago de Compostela) based on: A. Maga na, J. M as, LM, J. Tarr o [arXiv:1205.xxxx] University of

590 views • 30 slides
Higgs A monitoring JIT for JavaScript Maxime Chevalier-Boisvert Dynamic Language Team

Higgs A monitoring JIT for JavaScript Maxime Chevalier-Boisvert Dynamic Language Team

Higgs A monitoring JIT for JavaScript Maxime Chevalier-Boisvert Dynamic Language Team Universit de Montral Higgs Tracing JIT for JavaScript Written in D + JS Second iteration of Tachyon compiler Simpler, more straightforward

697 views • 35 slides
Monitoring and data filtering II. Dynamic Linear Models Advanced Herd Management Ccile Cornou,

Monitoring and data filtering II. Dynamic Linear Models Advanced Herd Management Ccile Cornou,

Monitoring and data filtering II. Dynamic Linear Models Advanced Herd Management Ccile Cornou, IPH Dias 1 Outline Introduction to the DLM (West and Harrison, chapter 2) Updating equations: Kalman Filter Discount factor as an aid

200 views • 17 slides
Back

Back

Compliance Week: The ABCs Of SEC Probes: 20 Questions And Answers The ABCs Of SEC Probes: 20 Questions And Answers By Derek M. Meisner November 23, 2004 he Securities and Exchange Commission is funded to take action; its budget for enforcement

300 views • 8 slides

More recommend