Hardware-Assisted MMU Redirection for In-Guest Monitoring and API Profiling
IEEE Transactions on Information Forensics and Security (IF 6.8), Pub Date: 2020-01-27, DOI: 10.1109/tifs.2020.2969514
Shun-Wen Hsiao , Yeali S. Sun , Meng Chang Chen

With the advance of hardware, network, and virtualization technologies, cloud computing has prevailed and become the target of security threats such as the cross virtual machine (VM) side channel attack, in which malicious users exploit vulnerabilities to gain information about, or access to, other guest virtual machines. Among the many virtualization technologies, the hypervisor manages the shared resource pool to ensure that the guest VMs are properly served and isolated from each other. However, because of the virtualization layer and the two CPU modes (root and non-root mode), once a CPU is switched to non-root mode and occupied by a guest machine, the hypervisor cannot intervene in the guest at runtime. The execution status of a guest is therefore a black box to the hypervisor, which cannot mediate possible malicious behavior as it happens. To rectify this, we propose a hardware-assisted VMI (virtual machine introspection) based in-guest process monitoring mechanism that supports monitoring and management applications such as process profiling. The mechanism allows hooks to be placed within a target process (selected by the security expert for monitoring and profiling) of a guest virtual machine, and handles hook invocations via the hypervisor. To facilitate the needed monitoring and/or management operations in the guest machine, the mechanism redirects accesses to in-guest memory space to a controlled, self-defined memory region within the hypervisor by modifying the extended page table (EPT), which minimizes switches between guest and host. The advantages of the proposed mechanism include transparency, high performance, and comprehensive semantics. To demonstrate its capability, we develop an API profiling system (APIf) that records the API invocations of the target process. The experimental results show an average performance degradation of about 2.32%, far better than existing similar systems.
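The abstract's core idea, that the hypervisor can change what a guest access resolves to by editing the EPT while the guest's own page table stays untouched, is easier to see in a toy two-stage translation model. The C program below is an added illustration, not code from the paper or the APIf system: it models a guest page table (GVA to GPA, owned by the guest), an EPT (GPA to HPA, owned by the hypervisor), a small host memory, and one hypervisor-private frame. All frame numbers, sizes and function names (`ept_redirect`, `hook_hit_count`, `HYP_FRAME`) are assumptions made for the model; real EPT entries carry permission bits and cause VM exits, which are not modelled here.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define PAGE_SHIFT 12u
#define PAGE_SIZE  (1u << PAGE_SHIFT)
#define PAGE_MASK  (PAGE_SIZE - 1u)
#define NPAGES     8u        /* toy guest: 8 frames of guest-physical memory (assumed) */
#define HYP_FRAME  NPAGES    /* one extra host frame owned by the hypervisor (assumed) */

/* Guest page table (owned by the guest OS): guest-virtual frame -> guest-physical frame. */
static uint32_t guest_pt[NPAGES];
/* Extended page table (owned by the hypervisor): guest-physical frame -> host-physical frame. */
static uint32_t ept[NPAGES];
/* Marks guest-physical frames the hypervisor has redirected; stands in for the hook/monitor flag. */
static int ept_redirected[NPAGES];
/* Toy host physical memory: NPAGES guest frames plus the hypervisor-private frame. */
static uint8_t host_mem[(NPAGES + 1) * PAGE_SIZE];
/* Number of guest accesses that resolved through a redirected frame (the "hook invocation" count). */
static unsigned long hook_hits;

void vmi_init(void) {
    for (uint32_t i = 0; i < NPAGES; i++) {
        guest_pt[i] = i;          /* identity mappings keep the toy readable */
        ept[i] = i;
        ept_redirected[i] = 0;
    }
    memset(host_mem, 0, sizeof host_mem);
    hook_hits = 0;
}

/* Stage 1 of the hardware walk: GVA -> GPA through the guest's own page table. */
uint64_t gva_to_gpa(uint64_t gva) {
    uint32_t gvfn = (uint32_t)(gva >> PAGE_SHIFT) % NPAGES;
    return ((uint64_t)guest_pt[gvfn] << PAGE_SHIFT) | (gva & PAGE_MASK);
}

/* Stage 2: GPA -> HPA through the EPT. An access to a redirected frame is counted as a hook hit. */
uint64_t gpa_to_hpa(uint64_t gpa) {
    uint32_t gpfn = (uint32_t)(gpa >> PAGE_SHIFT) % NPAGES;
    if (ept_redirected[gpfn]) hook_hits++;
    return ((uint64_t)ept[gpfn] << PAGE_SHIFT) | (gpa & PAGE_MASK);
}

/* What a guest load or store observes: both translation stages, then host memory. */
uint8_t guest_read(uint64_t gva) { return host_mem[gpa_to_hpa(gva_to_gpa(gva))]; }
void guest_write(uint64_t gva, uint8_t v) { host_mem[gpa_to_hpa(gva_to_gpa(gva))] = v; }

/* Hypervisor side: populate its private frame, then point one guest-physical frame at it. */
void hyp_frame_write(uint32_t off, uint8_t v) { host_mem[HYP_FRAME * PAGE_SIZE + (off & PAGE_MASK)] = v; }
void ept_redirect(uint32_t gpfn) { gpfn %= NPAGES; ept[gpfn] = HYP_FRAME; ept_redirected[gpfn] = 1; }
void ept_restore(uint32_t gpfn)  { gpfn %= NPAGES; ept[gpfn] = gpfn;      ept_redirected[gpfn] = 0; }
unsigned long hook_hit_count(void) { return hook_hits; }

int main(void) {
    vmi_init();
    guest_write(0x3010, 0x42);     /* guest stores a byte in its own frame 3 */
    hyp_frame_write(0x10, 0x99);   /* hypervisor prepares the self-defined contents */
    ept_redirect(3);               /* frame 3 now resolves to the hypervisor frame */
    printf("guest reads 0x%02x at GVA 0x3010; its GPA is still 0x%llx\n",
           guest_read(0x3010), (unsigned long long)gva_to_gpa(0x3010));
    ept_restore(3);
    printf("after restore: 0x%02x, hook hits: %lu\n", guest_read(0x3010), hook_hit_count());
    return 0;
}
```

The point the model makes is the transparency property claimed in the abstract: after `ept_redirect(3)`, `gva_to_gpa(0x3010)` still returns 0x3010, so nothing the guest can inspect in its own page tables has changed, yet the byte it reads now comes from the hypervisor's frame. Restoring the EPT entry returns the original contents without any guest-visible bookkeeping.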

Updated: 2020-04-22