TUM Logo

Nitro: Hardware-based System Call Tracing for Virtual Machines

Virtual machine introspection (VMI) describes the method of monitoring and analyzing the state of a virtual machine from the hypervisor level. This lends itself well to security applications, though the hardware virtualization support from Intel and AMD was not designed with VMI in mind. This results in many challenges for developers of hardware-supported VMI systems. This paper describes the design and implementation of our prototype framework, Nitro, for system call tracing and monitoring. Since Nitro is a purely VMI-based system, it remains isolated from attacks originating within the guest operating system and is not directly visible from within the guest. Nitro is extremely flexible as it supports all three system call mechanisms provided by the Intel x86 architecture and has been proven to work in Windows, Linux, 32-bit, and 64-bit environments. The high performance of our system allows for real-time capturing and dissemination of data without hindering usability. This is supported by extensive testing with various guest operating systems. In addition, Nitro is resistant to circumvention attempts due to a construction called hardware rooting. Finally, Nitro surpasses similar systems in both performance and functionality.

Nitro: Hardware-based System Call Tracing for Virtual Machines

Advances in Information and Computer Security

Authors: Jonas Pfoh, Christian Schneider, and Claudia Eckert
Year/month: 2011/
Booktitle: Advances in Information and Computer Security
Volume: 7038
Series: Lecture Notes in Computer Science
Pages: 96--112
Publisher: Springer
Note: doi = {http://dx.doi.org/10.1007/978-3-642-25141-2_7}
Fulltext: PfohSchneider2011a.pdf

Abstract

Virtual machine introspection (VMI) describes the method of monitoring and analyzing the state of a virtual machine from the hypervisor level. This lends itself well to security applications, though the hardware virtualization support from Intel and AMD was not designed with VMI in mind. This results in many challenges for developers of hardware-supported VMI systems. This paper describes the design and implementation of our prototype framework, Nitro, for system call tracing and monitoring. Since Nitro is a purely VMI-based system, it remains isolated from attacks originating within the guest operating system and is not directly visible from within the guest. Nitro is extremely flexible as it supports all three system call mechanisms provided by the Intel x86 architecture and has been proven to work in Windows, Linux, 32-bit, and 64-bit environments. The high performance of our system allows for real-time capturing and dissemination of data without hindering usability. This is supported by extensive testing with various guest operating systems. In addition, Nitro is resistant to circumvention attempts due to a construction called hardware rooting. Finally, Nitro surpasses similar systems in both performance and functionality.

Bibtex:

@incolletion { Pfoh2011,
author = { Jonas Pfoh and Christian Schneider and Claudia Eckert},
title = { Nitro: Hardware-based System Call Tracing for Virtual Machines },
year = { 2011 },
booktitle = { Advances in Information and Computer Security },
volume = { 7038 },
publisher = { Springer },
series = { Lecture Notes in Computer Science },
note = { doi = {http://dx.doi.org/10.1007/978-3-642-25141-2_7} },
pages = { 96--112 },
url = {https://www.sec.in.tum.de/i20/publications/nitro-hardware-based-system-call-tracing-for-virtual-machines/@@download/file/PfohSchneider2011a.pdf}
}