VMIFresh: Efficient and fresh caches for virtual machine introspection

Virtual machine introspection (VMI) is the process of extracting knowledge about the inner state of a virtual machine from the outside. Traditional passive introspection mechanisms have proved themselves ineffective in many application domains due to their low performance. As a remedy for this issue, caching at the level of the introspection application was introduced. However, this sacrificed the freshness of VMI and led to an inconsistent outside view. In this work, we propose a multi-purpose hybrid caching scheme with freshness and consistency guarantees that is interleaved with the guest's MMU. This scheme can easily be integrated into existing applications and frameworks such as libvmi and Volatility 3. We demonstrate its feasibility by developing a prototype for such applications. Furthermore, the experimental evaluation of our approach suggests that it even significantly exceeds the performance of previous inconsistent caches.