This paper presents a concurrent-computing approach—high-performance memory snapshotting—to improving security-introspection of virtual machine guest memory. Efficient introspection improves security monitoring in existing hypervisor systems with real-time, consistent memory introspection capabilities. Efficient introspection has three requirements that each must be met to provide protection against evasive threats: native memory introspection performance, accpetable guest performance, and consistent introspection view of guest memory. Existing introspection systems have provided one or two of these properties but not all three at once. High-performance memory snapshots are evaluated as a solution for meeting all three efficient introspection requirements. In this work we describe how existing system performance can be improved with high-performance snapshotting, present an efficient introspection prototype that has been released as an element of the open-source LibVMI introspection library1, evaluate the efficient introspection prototype on both applications and microbenchmarks, provide demonstrations of introspection application modules enabled by efficient introspection, and provide performance guidance for developing introspection applications utilizing efficient introspection.

中文翻译：

---

用于实时、一致、基于管理程序的监视器的高性能内存快照

本文提出了一种并发计算方法——高性能内存快照——来提高虚拟机客户内存的安全性。高效的自省通过实时、一致的内存自省功能改进了现有管理程序系统中的安全监控。有效的自省具有三个要求，每个要求都必须满足才能提供针对规避威胁的保护：本机内存自省性能、可接受的客户性能和客户内存的一致自省视图。现有的内省系统提供了这些属性中的一两个，但不是同时提供所有三个。高性能内存快照被评估为满足所有三个高效内省要求的解决方案。