A Low-overhead Kernel Object Monitoring Approach for Virtual Machine Introspection

TL;DR

This paper presents a low-overhead method for monitoring specific kernel objects in virtual machines by migrating them to protected memory, reducing unnecessary overhead compared to traditional page-level monitoring.

Contribution

It introduces a novel kernel object migration technique to enable targeted monitoring with minimal runtime overhead in virtual machine security.

Findings

Effective monitoring of kernel objects with very low overhead

Migration of kernel objects reduces false triggers and overhead

System successfully monitors target objects without affecting kernel services

Abstract

Monitoring kernel object modification of virtual machine is widely used by virtual-machine-introspection-based security monitors to protect virtual machines in cloud computing, such as monitoring dentry objects to intercept file operations, etc. However, most of the current virtual machine monitors, such as KVM and Xen, only support page-level monitoring, because the Intel EPT technology can only monitor page privilege. If the out-of-virtual-machine security tools want to monitor some kernel objects, they need to intercept the operation of the whole memory page. Since there are some other objects stored in the monitored pages, the modification of them will also trigger the monitor. Therefore, page-level memory monitor usually introduces overhead to related kernel services of the target virtual machine. In this paper, we propose a low-overhead kernel object monitoring approach to reduce the overhead caused by page-level monitor. The core idea is to migrate the target kernel objects to a protected memory area and then to monitor the corresponding new memory pages. Since the new pages only contain the kernel objects to be monitored, other kernel objects will not trigger our monitor. Therefore, our monitor will not introduce runtime overhead to the related kernel service. The experimental results show that our system can monitor target kernel objects effectively only with very low overhead.