Inter-domain Communication Protocol for Real-time File Access Monitor of Virtual Machine
Ruo Ando (1), Kazushi Takahashi (2), and Kuniyasu Suzaki (3)
(1) National Institute of Information and Communications Technology
4-2-1 Nukui-Kitamachi, Koganei, Tokyo 184-8795 Japan
Tel: +81-42-327-5344, Fax: +81-42-327-6634
(2) Graduate School of Information Science and Technology, The University of Tokyo
7-3-1 Hongo, Bunkyo-ku, Tokyo 113-8656, Japan
(3) National Institute of Advanced Industrial Science and Technology
1-1-1 Umezono Central-2, Tsukuba, Ibaraki, 305-8568, Japan
Abstract
Leveraging the hypervisor for security purposes such as malware analysis has been well researched. Two challenges remain for analyzing security incidents on a virtual machine: real-time monitoring and the semantic gap. First, current active monitoring methods need to be improved for real-time protection of the virtual machine. Second, the semantic gap between the virtual machine and the hypervisor poses a significant impediment to security analysts. In this paper, we propose an interdomain communication protocol for real-time monitoring of a virtual machine and for bridging the semantic gap. We have deployed the interdomain communication module between a guest Windows OS and a hypervisor in two ways: one is a register-based transfer using the vCPU context, and the other is shared-memory-based communication. Our protocol is event driven, which enables the proposed system to monitor the file access of a guest Windows OS in real time without suspending it. We have implemented our system on the Xen virtual machine monitor and KVM (Kernel Virtual Machine). We have measured the resource utilization of these two systems when decompressing files and receiving HTTP requests. On the guest OS, the KVM-based system performs better in processor idle time by about 30-50% when decompressing files and in memory usage by about 35% when receiving HTTP requests. We conclude that our system can monitor file access inside a virtual machine without suspension and with reasonable resource usage.
Keywords: Virtual machine monitoring, interdomain communication, file system driver, Xen and KVM
Journal of Wireless Mobile Networks, Ubiquitous Computing, and Dependable Applications (JoWUA), Vol. 3, No. 1/2, pp. 120-137, March 2012