Inter-domain Communication Protocol for Real-time File Access Monitor of Virtual Machine

 

Ruo Ando¹, Kazushi Takahashi², and Kuniyasu Suzaki³

¹ National Institute of Information and Communications Technology
4-2-1 Nukui-Kitamachi, Koganei, Tokyo 184-8795 Japan
Tel: +81-42-327-5344, Fax: +81-42-327-6634
ruo@nict.go.jp

² Graduate School of Information Science and Technology, The University of Tokyo
7-3-1 Hongo, Bunkyo-ku, Tokyo 113-8656, Japan
arena431@gmail.com

³ National Institute of Advanced Industrial Science and Technology
1-1-1 Umezono Central-2, Tsukuba, Ibaraki, 305-8568, Japan
k.suzaki@aist.go.jp

 

 

Abstract

Leveraging the hypervisor for security purposes such as malware analysis has been well researched. Two challenges still remain for analyzing security incidents on a virtual machine: real-time monitoring and the semantic gap. First, current active monitoring methods need to be improved for real-time protection of the virtual machine. Second, the semantic gap between the virtual machine and the hypervisor poses a significant impediment to the security analyst. In this paper, we propose an inter-domain communication protocol for real-time monitoring of a virtual machine and for bridging the semantic gap. We have deployed the inter-domain communication module between a guest Windows OS and a hypervisor in two ways: one is a register-based transfer using the vCPU context, the other is shared-memory-based communication. Our protocol is event driven, which enables the proposed system to monitor the file access of a guest Windows OS in real time without suspending it. We have implemented our system on the Xen virtual machine monitor and on KVM (Kernel Virtual Machine). We have measured the resource utilization of these two systems while decompressing files and while receiving HTTP requests. On the guest OS, the KVM-based system outperforms the Xen-based one by about 30-50% in processor idle time when decompressing files and by about 35% in memory usage when receiving HTTP requests. We conclude that our system can monitor file access inside a virtual machine without suspension and with reasonable resource usage.

 

Keywords: Virtual machine monitoring, inter-domain communication, file system driver, Xen and KVM

 

Journal of Wireless Mobile Networks, Ubiquitous Computing, and Dependable Applications (JoWUA), Vol. 3, No. 1/2, pp. 120-137, March 2012