Summary: This paper presents an architecture for intrusion detection systems (IDS) based on a virtual machine monitor (VMM) and virtual machine introspection (VMI). The VMM virtualizes all hardware resources and lets multiple virtual machines transparently multiplex the resources of the physical machine. The guest OSes and their applications run inside virtual machines, while the VMI IDS sits alongside the VMM in a separate hardware protection domain. This approach pulls the IDS out of the monitored OS and puts a strong isolation barrier between the IDS and an attacker's malicious code. At the same time, the IDS can inspect a virtual machine's state (memory, registers and device events) through the VMI interface, so it keeps high visibility into the monitored OS's activities. The prototype implementation shows that the architecture is feasible and practical.

Pros: The paper clearly presents the concept of a VMI-based IDS. It also has a good weaknesses-and-attacks section, which goes through every component of the IDS and explores the potential attacks on it and the corresponding countermeasures. The simplicity of the VMM makes the implementation less prone to bugs and hence harder for attackers to compromise. Putting the IDS in a separate protection domain isolates it from malicious code in the guest. The fail-closed property prevents further damage once applications running in the guest OS are compromised.

Cons: VMMs are still not a mature technology. The sample VMM runs as a user-level application on a Linux host, and is thus potentially exposed to every attack that works against a regular application. The paper assumes that the code running inside a VM may be totally malicious, yet it also assumes that the guest OS's data structures remain trustworthy, which does not seem realistic. The VMI IDS relies on data structures and events inside the VM and guest OS; by tampering with that data, an intruder can elude the IDS without attacking it directly. Trapping hardware events such as interrupts and memory accesses can be very costly: the VMM already slows down the system, and the proposed IDS adds another layer on top of it, which makes performance a major usability concern. In the results section the authors only give performance figures from running the individual detectors independently, whereas in the real world these detectors would run concurrently to catch all possible attacks.

Votes: Strongly accept: 0 Accept: 13 Reject: 1 Strongly reject: 0
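To make the Cons point about tampering with guest data structures concrete (and the fail-closed behaviour noted under Pros), here is an added toy example in Python; it is not code from the paper or its prototype. It constructs a small guest memory image holding a circular all-tasks list and a scheduler runqueue, reads it the way a VMI IDS would (raw bytes plus knowledge of the guest's layout, no cooperation from the guest), then simulates a kernel rootkit unlinking a process from the all-tasks list. A walk of that single list no longer sees the process; a cross-view comparison against the runqueue, which the rootkit had to leave intact for the process to keep running, exposes the discrepancy. A pointer that cannot be interpreted is reported as an alert rather than treated as clean, which is what failing closed means at the policy level. The descriptor layout, the fixed list-head address and the runqueue field are assumptions made for this example, not the real Linux layout.

```python
import struct

# Toy guest kernel task descriptor (ASSUMED layout for this example, not the
# real task_struct): pid, next task, next runnable task, 12-byte command name.
TASK_FMT = "<III12s"
TASK_SIZE = struct.calcsize(TASK_FMT)   # 24 bytes
TASK_STRIDE = 0x100                     # descriptors are placed 256 bytes apart
INIT_TASK = 0x1000                      # list head; assumed known from the guest's symbol table
MEM_SIZE = 0x10000                      # 64 KiB of "guest physical memory"


class IntrospectionError(Exception):
    """Guest state could not be interpreted; the IDS must fail closed."""


def build_guest_memory(tasks):
    """Constructed sample data: lay out (pid, name) tasks as two circular
    singly linked lists, the all-tasks list and the scheduler runqueue."""
    mem = bytearray(MEM_SIZE)
    addrs = [INIT_TASK + i * TASK_STRIDE for i in range(len(tasks))]
    for i, (pid, name) in enumerate(tasks):
        nxt = addrs[(i + 1) % len(tasks)]
        # '12s' pads the name with NULs; both links initially agree.
        struct.pack_into(TASK_FMT, mem, addrs[i], pid, nxt, nxt, name.encode())
    return mem


def read_task(mem, addr):
    """The introspection step: decode one descriptor from raw guest memory."""
    if addr % 4 or addr + TASK_SIZE > len(mem):
        raise IntrospectionError(f"task pointer {addr:#x} outside guest memory")
    pid, nxt, run_next, raw = struct.unpack_from(TASK_FMT, mem, addr)
    return {"addr": addr, "pid": pid, "next": nxt, "run_next": run_next,
            "name": raw.split(b"\0", 1)[0].decode("ascii", "replace")}


def walk_list(mem, head, link, limit=1024):
    """Follow `link` around the circular list from `head` and return the pids.
    Stops on an invalid pointer or an unterminated walk instead of guessing."""
    pids, addr = [], head
    for _ in range(limit):
        t = read_task(mem, addr)
        pids.append(t["pid"])
        addr = t[link]
        if addr == head:
            return pids
    raise IntrospectionError(f"{link} list did not return to head within {limit} steps")


def dkom_hide(mem, head, pid):
    """Simulated rootkit: unlink `pid` from the all-tasks list but leave the
    runqueue alone, since the process must still be scheduled to run."""
    addr = head
    while True:
        t = read_task(mem, addr)
        victim = read_task(mem, t["next"])
        if victim["pid"] == pid:
            # prev.next = victim.next  (the 'next' field sits at offset 4)
            struct.pack_into("<I", mem, addr + 4, victim["next"])
            return
        addr = t["next"]
        if addr == head:
            raise KeyError(pid)


def hidden_pids(mem, head=INIT_TASK):
    """Cross-view check: pids reachable through the runqueue but missing from
    the all-tasks list. Agreement proves nothing; a discrepancy is evidence
    of tampering that a single-structure walk cannot see."""
    return set(walk_list(mem, head, "run_next")) - set(walk_list(mem, head, "next"))


def scan_guest(mem, head=INIT_TASK):
    """Policy verdict. Unreadable guest state is an alert, not a clean result."""
    try:
        hidden = hidden_pids(mem, head)
    except IntrospectionError as e:
        return ("alert", f"guest state unreadable: {e}")
    if hidden:
        return ("alert", f"hidden pids {sorted(hidden)}")
    return ("ok", "task list and runqueue agree")


# Constructed sample guest: three legitimate tasks and one backdoor.
SAMPLE_TASKS = [(0, "swapper"), (1, "init"), (42, "sshd"), (1337, "backdoor")]

if __name__ == "__main__":
    mem = build_guest_memory(SAMPLE_TASKS)
    print("before:", walk_list(mem, INIT_TASK, "next"), scan_guest(mem))
    dkom_hide(mem, INIT_TASK, 1337)
    print("after: ", walk_list(mem, INIT_TASK, "next"), scan_guest(mem))
```

The walk over `next` is the view an in-guest `ps` would also report after the rootkit runs, which is why the paper's reliance on guest structures is a real exposure; the runqueue comparison is one cheap mitigation, and the `IntrospectionError` path shows why an IDS in this position should treat "cannot interpret the guest" as a failure of the guest, not of the check.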