High-Performance Memory Snapshotting for Real-Time, Consistent, Hypervisor-Based Monitors

This paper presents a concurrent-computing approach-high-performance memory snapshotting-to improving security-introspection of virtual machine guest memory. Efficient introspection improves security monitoring in existing hypervisor systems with real-time, consistent memory introspection capabilities. Efficient introspection has three requirements that each must be met to provide protection against evasive threats: native memory introspection performance, accpetable guest performance, and consistent introspection view of guest memory. Existing introspection systems have provided one or two of these properties but not all three at once. High-performance memory snapshots are evaluated as a solution for meeting all three efficient introspection requirements. In this work we describe how existing system performance can be improved with high-performance snapshotting, present an efficient introspection prototype that has been released as an element of the open-source LibVMI introspection library(1), evaluate the efficient introspection prototype on both applications and microbenchmarks, provide demonstrations of introspection application modules enabled by efficient introspection, and provide performance guidance for developing introspection applications utilizing efficient introspection.