Sarracenia: Enhancing the Performance and Stealthiness of SSH Honeypots Using Virtual Machine Introspection

Sentanoe, Stewart; Taubmann, Benjamin; Reiser, Hans P.

doi:10.1007/978-3-030-03638-6_16

Cited by 7 publications

(2 citation statements)

References 21 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…First, when tracing a process using VMI, e.g. to operate highinteraction honeypots [23], the VMI application has to translate the logical address where it wants to place a breakpoint to a physical memory page in which the instruction is injected. This target page may be part of multiple virtual address spaces, because it belongs either to a shared library, to an intentionally shared memory area, or to memory marked read-only (and duplicated later with a copyon-write strategy) after a fork system call.…”

Section: Introductionmentioning

confidence: 99%

“…Since this register is the page table base register (PTBR) in the x86 architecture, it must hold the currently active page table. By exiting on writes to this register, we can synchronize the VMI application with the guest's scheduler [23]. As this control register may only be updated in kernel mode, we can extract further information such as the current scheduler state from the kernel.…”

Section: Active Virtual Machine Introspectionmentioning

confidence: 99%

See 1 more Smart Citation

RapidVMI: Fast and multi-core aware active virtual machine introspection

Dangl

Taubmann

Reiser

2021

Proceedings of the 16th International Conference on Availability, Reliability and Security

Self Cite

View full text Add to dashboard Cite

Virtual machine introspection (VMI) is a technique for the external monitoring of virtual machines. Through previous work, it became apparent that VMI can contribute to the security of distributed systems and cloud architectures by facilitating stealthy intrusion detection, malware analysis, and digital forensics. The main shortcomings of active VMI-based approaches such as program tracing or process injection in production environments result from the side effects of writing to virtual address spaces and the parallel execution of shared main memory on multiple processor cores.In this paper, we present RapidVMI, a framework for active virtual machine introspection that enables fine-grained, multi-core aware VMI-based memory access on virtual address spaces. It was built to overcome the outlined shortcomings of existing VMI solutions and facilitate the development of introspection applications as if they run in the monitored virtual machine itself. Furthermore, we demonstrate that hypervisor support for this concept improves introspection performance in prevalent virtual machine tracing applications considerably up to 98 times. CCS CONCEPTS• Security and privacy → Virtualization and security.

show abstract

Section: Introductionmentioning

confidence: 99%

Section: Active Virtual Machine Introspectionmentioning

confidence: 99%