Xen hardens up with zero-footprint guest introspection code

Anti-virus software can now peer into VMs running on open source hypervisor


The Xen Project has had a rough time with security of late, thanks to a string of five bad bugs, but has revealed plans to improve matters in the forthcoming version 4.6 of its open-source hypervisor.

The Project's new weapon is called libbdvmi, and it addresses the fact that running security software inside a guest virtual machine can be tricky. For one thing, security software adds an overhead that's not welcome, and that overhead can get nasty when a whole bunch of VMs go looking for their new virus signatures at the same time. For another, advanced threats are very good at hiding from security software running in the same guest they've compromised. Then there's the fact that security software isn't always tuned to understand the vagaries of virtualisation, so it doesn't fully “comprehend” that the virtual machine's resources actually belong to its physical host.

The Xen Project's therefore enhanced its “guest introspection” code. Guest introspection is a method of interrogating the memory a VM occupies. If you can do that, you can then use security software running outside the VM to check if there are any nasties resident in RAM, or to look for signs of other oddities that signal danger.

Of course you don't want that process of sniffing VM RAM to impose an overhead either, which is why in 2014 the Xen project embarked on a project to create “zero overhead” guest introspection. Said code, libbdvmi, is now ready to roll. But not ready to use: you'll need Xen 4.6 (due to arrive no later than October 9th) to make it work. Releasing the code now, as the Project did today, means the curious or those who wish to commercialise it for use in security products can now start exploring how to do so.

Xen's had similar features for a while, thanks to LibVMI. This time around, the folks at the Project think they've done a better job of it by ensuring libbdvmi touches VMs even more lightly, thanks to the following features.

  • it only connects an introspection logic component to the guest, leaving on-the-fly OS detection and decision-making to it;
  • provides a xenstore-based way to know when a guest has been started or stopped;
  • has as few external library dependencies as possible – to that end, where LibVMI has used Glib for caching, we’ve only used STL containers, and the only other dependencies are libxenctrl and libxenstore;
  • allows mapping guest pages from userspace, with the caveat that this implies mapping a single page for writing, where LibVMI’s buffer-based writes would possibly touch several non-contiguous pages;
  • it works as fast as possible – we get a lot of events, so any unnecessary userspace / hypervisor context switches may incur unacceptable penalties (this is why one of our first patches had vm_events carry interesting register values instead of querying the guest from userspace after receiving the event);
  • last but not least, since the Xen vm_event code has been in quite a bit of flux, being able to immediately modify the library code to suit a new need, or to update the code for a new Xen version, has been a bonus to the project’s development pace.

libbdvmi is substantially based on work conducted by Bitdefender, with help from Intel.

libbdvmi can be found here on GitHub if you fancy taking it for a whirl. ®
