Research Area:  Digital Forensics
While there are a variety of existing virtual machine introspection (VMI) techniques, their latency, overhead, complexity and consistency trade-offs are not clear. In this work, we address this gap by first organizing the existing VMI techniques into a taxonomy based on their operational principles, so that they can be put into context. Next, we perform a thorough exploration of their trade-offs, both qualitatively and quantitatively. We present a comprehensive set of observations and best practices for efficient, accurate and consistent VMI operation based on our experiences with these techniques. Our results show the stunning range of variation in performance, complexity and overhead across different VMI techniques. We further present a deep dive into VMI consistency to understand the sources of inconsistency in observed VM state, and show that, contrary to common expectation, pause-and-introspect based VMI techniques achieve very little to improve consistency despite their substantial performance impact.
Keywords:  
Author(s) Name:  Sahil Suneja, Canturk Isci, Eyal de Lara, Vasanth Bala
Journal name:  ACM SIGPLAN Notices
Conference name:  
Publisher name:  ACM
DOI:  10.1145/2817817.2731196
Volume Information:  Volume 50, Issue 7, July 2015, pp. 133–146
Paper Link:   https://dl.acm.org/doi/abs/10.1145/2817817.2731196