Secure Observation of Kernel Behavior

MSRA (2008)

Citations: 30 | Views: 63

Abstract
Operating system kernels are difficult to understand and monitor. Hardware virtualization provides a layer where security tools can observe a kernel, but the gap between operating system abstractions and hardware accesses limits the ability of tools to comprehend the kernel's activity. Virtual machine introspection (VMI) builds knowledge of high-level kernel state by directly accessing the memory of an executing kernel. We show that implementations of introspection-based tools unsafely rely on operating system level data structures to provide meaningful information about a guest. We evade XenAccess, an open source implementation of introspection developed for Xen. We then develop Wizard, a Xen-based kernel monitor cognizant of the semantic correlation between events at a high-level kernel service interface and events at a low-level hardware device interface. In contrast to VMI, Wizard trusts no guest OS data, but its semantic understanding still identifies kernel-level attacks that alter the kernel's execution behavior. Wizard's monitoring imposes modest overheads of 0%-25% on guest applications.
Keywords
hypervisor, intrusion detection systems