BSidesSF 2019 has ended
Sunday, March 3 • 3:30pm - 4:00pm
High Performance VM Introspection Using Virtualization Exceptions

Hypervisor memory introspection (HVI) is a security solution that leverages hardware virtualization technologies to remain isolated from the protected virtual machine's operating system. It relies on the second-level address translation (SLAT) mechanism to enforce restrictions on certain memory areas of the protected VM. In some scenarios this can have a high performance impact, especially due to accesses inside the guest paging structures made by the CPU page walker or the OS memory manager. Most of these accesses are not relevant to the HVI logic. This presentation addresses these issues by proposing an innovative approach to filtering the page-table accesses directly from within the guest VM. The filtering is done by a small in-guest agent that uses the virtualization exception (#VE) mechanism: relevant accesses are reported to the main HVI module via a hypercall, while the other accesses are discarded with minimal performance impact. We also discuss a method of protecting the in-guest agent from possibly malicious guests by isolating it inside a different physical address space.

Cristinel-Ionel Anichitei

Sr. Team Lead, Bitdefender SRL
Cristinel-Ionel Anichitei is a team leader for the Windows HVI team at Bitdefender who joined the team 4 years ago. Since then they have played a key role in ensuring the success of the project. Their efforts are mainly focused on Windows reverse engineering, security, and performance...

Raul Tosa

Senior Manager, Bitdefender
Raul has been working with Bitdefender since 2005, building a strong technical background in fields like malware research, kernel driver development and virtualization. In the past years he's been researching how hardware virtualization technologies can be leveraged to strengthen...

Sunday March 3, 2019 3:30pm - 4:00pm PST
Theater 15 (overflow in #11)