Abstract

Virtual machine introspection (VMI) mostly relies on memory virtualization mechanisms to enforce access restrictions on certain areas of the virtual machine (VM)'s physical memory, including the page tables managed by the guest OS. Consequently, the CPU generates an exception on any in-VM memory access that does not comply with the restrictions imposed by the VMI, switching from the VM to the hypervisor (HV) in a so-called "VM-exit" and giving the VMI module the possibility to analyze the faulting memory access and take the decision needed to protect the VM. Such a protection strategy can suffer significant performance penalties, because a large number of VM-exits may be generated, most of them irrelevant to VMI, such as changes to accessed or dirty bits made by the hardware page-table walker. We propose an approach that substantially reduces the number of irrelevant memory-related VM-exits: by using the Intel virtualization exception (#VE) extension, the faulting memory accesses can be handled directly inside the VM, filtering out the ones irrelevant to the VMI and calling the HV (i.e. generating VM-exits) only for the remaining ones. The in-guest filtering agent is protected against attacks from a compromised VM by isolating it inside a separate guest physical address space, different from, and inaccessible to, the one used by the VM while running its own code. We implemented our #VE-based solution in the Xen hypervisor, obtaining performance improvements between 30% and 80% for the applications protected by our VE-VMI module.
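The filtering decision described above, as an added example that is not code from the paper or from Xen: a C model of the in-guest #VE handler that reads the CPU-filled #VE information area, keeps accessed/dirty-bit updates made by the hardware page-table walker inside the guest, and forwards every other EPT violation to the hypervisor. The struct layout and exit-qualification bits follow the Intel SDM; the verdict names, the counters and the sample events are constructed for illustration, and what the agent does to resolve a filtered access in-guest is not shown.

```c
#include <stdint.h>
/* #VE information area as the CPU fills it before raising #VE (Intel SDM layout). */
struct ve_info {
    uint32_t exit_reason;  /* 48 = EPT violation */
    uint32_t busy;         /* 0xFFFFFFFF while an undelivered event is pending */
    uint64_t exit_qual;    /* EPT-violation exit qualification */
    uint64_t gla;          /* guest linear address of the faulting access */
    uint64_t gpa;          /* guest physical address that violated the EPT */
    uint16_t eptp_index;   /* EPT view active when the violation occurred */
};
#define EXIT_REASON_EPT_VIOLATION 48u
#define VE_BUSY                   0xFFFFFFFFu
/* Exit-qualification bits for EPT violations. Bit 8 set: the access targets the
 * GPA the linear address translates to; clear: it targets a paging-structure
 * entry, i.e. the hardware page-table walk or its accessed/dirty-bit update. */
#define EQ_WRITE     (1ull << 1)
#define EQ_FETCH     (1ull << 2)
#define EQ_GLA_VALID (1ull << 7)
#define EQ_FINAL_GPA (1ull << 8)
enum ve_verdict {
    VE_NOT_FOR_US,       /* area not busy, or not an EPT violation */
    VE_HANDLE_IN_GUEST,  /* A/D-bit update by the walker: no VM-exit needed */
    VE_FORWARD_TO_HV     /* everything else: hand to the VMI module in the HV */
};
struct ve_stats { unsigned filtered, forwarded; };  /* constructed, for the demo */

/* In-guest filter: consumes the event and re-arms the area (busy = 0);
 * while busy stays set the CPU raises VM-exits instead of #VE. */
enum ve_verdict classify_ve(struct ve_info *info, struct ve_stats *st)
{
    if (info->busy != VE_BUSY || info->exit_reason != EXIT_REASON_EPT_VIOLATION)
        return VE_NOT_FOR_US;
    uint64_t q = info->exit_qual;
    /* Write to a page-table entry (GLA valid, bit 8 clear): the walker setting A/D bits. */
    int walker_ad = (q & EQ_WRITE) && (q & EQ_GLA_VALID) && !(q & EQ_FINAL_GPA);
    if (walker_ad) st->filtered++; else st->forwarded++;
    info->busy = 0;
    return walker_ad ? VE_HANDLE_IN_GUEST : VE_FORWARD_TO_HV;
}

/* Constructed sample events; returns how many were kept inside the guest. */
unsigned run_sample(struct ve_stats *st)
{
    struct ve_info ev[] = {
        { 48u, VE_BUSY, EQ_WRITE | EQ_GLA_VALID, 0xffff888000001000ull, 0x1234000ull, 0 },                /* walker A/D update */
        { 48u, VE_BUSY, EQ_WRITE | EQ_GLA_VALID | EQ_FINAL_GPA, 0xffff888000001000ull, 0x1234000ull, 0 }, /* guest kernel edits a PTE */
        { 48u, VE_BUSY, EQ_FETCH | EQ_GLA_VALID | EQ_FINAL_GPA, 0x7f0000001000ull, 0x5678000ull, 0 },     /* fetch from a non-executable page */
    };
    for (unsigned i = 0; i < sizeof ev / sizeof ev[0]; i++)
        classify_ve(&ev[i], st);
    return st->filtered;
}
```

Only the first sample event is resolved without leaving the VM; the two relevant ones still reach the VMI module, which is the trade-off the abstract's 30% to 80% improvement rests on.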
