Anti-This, Anti-That, getting into the Virtualization Security Game with Introspection

Virtualization security vendors are starting to seriously investigate the introspection APIs that hypervisors now expose. Introspection APIs let security tools examine a virtual network, a virtual machine, and other components from outside the VM. In other words, rather than relying on an agent inside the VM to protect the network, the virtual machine, or its components, these APIs let a tool peer into the component from outside the system being examined.

Why is this important?

Introspection is important because one of the first things an attacker does is disable, bypass, or otherwise neutralize any security agent living inside the virtual machine under attack, which makes the intrusion hard to track. You might expect the management tools for these agents to notice that an agent is not running, but a skilled attacker leaves the agent running and simply operates below its radar. The agent keeps reporting, yet it is harmless to the attacker.

This is where introspection comes into play in the virtual environment. We have long known that an external firewall is often better than a software firewall running on the server itself. If you want to examine the security of a server today, you do it from outside the server: forensic examiners take disk images so they can investigate outside the running environment. This is what introspection gives us, a way to run investigations without the attacker knowing about them. The caveat is that the hypervisor and the introspection tool then become the trust anchor, so they must be protected at least as well as the VMs they watch.

Introspection can lead to authoritative security tools that know exactly what is happening inside the VM, so they spend less time learning their environment and more time securing it. The learning phase is itself an attack window: a tool that is still building its baseline can be taught a baseline that already includes the attacker.

The New Family of Security Tools

We now have a new set of security tools that provide differing levels of anti-this, anti-that, and deeper introspection API integration. Instead of just plain network-based introspection tools, we have the following:

  • Trend Micro Core Protection for Virtual Machines provides external anti-virus scanning of VMware VMs, using the VMware vStorage API to perform offline scans of dormant VMs as well as scans of running ones. No agent is needed inside the VM.
  • IBM Virtual Server Security for VMware provides anti-rootkit functionality that detects rootkits inside VMs by using the vMemory API to passively catch them as they are installed; there is no offline rootkit detection. The tool registers a trigger with the vMemory API that fires when System Service Descriptor Table (SSDT) or Interrupt Descriptor Table (IDT) memory is modified, and at that moment the modified memory is compared against known rootkits. It works only with Windows and Linux VMs and takes no active action such as quarantining or powering off an infected VM.
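The trigger-and-compare approach in the IBM tool above can be sketched in a few dozen lines. The following is an added example written for this page, not code from IBM or from the vMemory API: guest memory is a flat byte array with write watchpoints standing in for the hypervisor's write trigger, the SSDT is simplified to an array of absolute 64-bit pointers (a real Windows x64 service table holds relative offsets), and the kernel image range, the driver address, and the "demo-rootkit" code signature are all constructed for the demo. It shows the three outcomes a practitioner wants separated: a hook that matches a known rootkit, an unknown hook pointing outside the kernel image, and a change that stays inside the kernel image and needs separate verification.

```python
"""Simulated 'fire on SSDT write' rootkit check (added example, hypothetical API)."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

PTR = 8  # pointer size of the (constructed) 64-bit guest


@dataclass
class GuestMemory:
    """Flat model of guest physical memory with write watchpoints.
    The callback stands in for the hypervisor's memory-write trigger."""
    size: int
    mem: bytearray = field(init=False)
    watches: List[Tuple[int, int, Callable[[int, bytes], None]]] = field(default_factory=list)

    def __post_init__(self) -> None:
        self.mem = bytearray(self.size)

    def watch(self, start: int, length: int, cb: Callable[[int, bytes], None]) -> None:
        self.watches.append((start, start + length, cb))

    def write(self, addr: int, data: bytes) -> None:
        """Guest write: apply it, then fire every watch whose range it overlaps."""
        self.mem[addr:addr + len(data)] = data
        for start, end, cb in self.watches:
            if addr < end and addr + len(data) > start:
                cb(addr, data)

    def read(self, addr: int, length: int) -> bytes:
        return bytes(self.mem[addr:addr + length])

    def read_ptrs(self, addr: int, count: int) -> List[int]:
        return [int.from_bytes(self.read(addr + PTR * i, PTR), "little") for i in range(count)]


class SsdtMonitor:
    """Snapshots the SSDT when registered, then classifies every later change to it."""

    def __init__(self, mem: GuestMemory, ssdt_base: int, nentries: int,
                 kernel_image: Tuple[int, int], signatures: Dict[str, bytes]) -> None:
        self.mem, self.base, self.n = mem, ssdt_base, nentries
        self.kernel_lo, self.kernel_hi = kernel_image  # [lo, hi) of the kernel image
        self.signatures = signatures                   # rootkit name -> leading code bytes
        self.baseline = mem.read_ptrs(ssdt_base, nentries)
        self.alerts: List[Dict] = []
        mem.watch(ssdt_base, nentries * PTR, self._on_write)

    def classify(self, target: int) -> str:
        """Compare the code at the new pointer against known rootkits, then by location."""
        code = self.mem.read(target, 8)
        for name, sig in self.signatures.items():
            if code.startswith(sig):
                return f"known-rootkit:{name}"
        if self.kernel_lo <= target < self.kernel_hi:
            return "in-kernel-image"   # may be a legitimate hotpatch; verify separately
        return "unknown-hook"          # points outside the kernel image: suspicious

    def _on_write(self, addr: int, data: bytes) -> None:
        """Trigger handler: diff the table against the last known state and record deltas."""
        current = self.mem.read_ptrs(self.base, self.n)
        for idx, (old, new) in enumerate(zip(self.baseline, current)):
            if old != new:
                self.alerts.append({"index": idx, "old": old, "new": new,
                                    "verdict": self.classify(new)})
        self.baseline = current  # later writes are reported relative to this state


def demo() -> List[Dict]:
    """Constructed scenario: a clean table, then a rootkit installs two hooks."""
    mem = GuestMemory(0x20000)
    KERNEL = (0x10000, 0x14000)  # constructed kernel image range
    SSDT, N = 0x11000, 4
    DRIVER = 0x18000             # constructed address of a driver loaded after boot
    for i in range(N):           # clean table: every entry points into the kernel image
        mem.write(SSDT + PTR * i, (0x12000 + 0x100 * i).to_bytes(PTR, "little"))
    sigs = {"demo-rootkit": b"\x48\x8b\x04\x25"}  # constructed signature (mov rax,[abs])
    mon = SsdtMonitor(mem, SSDT, N, KERNEL, sigs)  # registers the trigger on the SSDT
    # Rootkit drops its hook code into driver memory (not watched), then patches slot 2
    mem.write(DRIVER, b"\x48\x8b\x04\x25\x00\x00\x00\x00")
    mem.write(SSDT + PTR * 2, DRIVER.to_bytes(PTR, "little"))
    # A second hook with unrecognised code, also outside the kernel image
    mem.write(DRIVER + 0x100, b"\x90" * 8)
    mem.write(SSDT + PTR * 3, (DRIVER + 0x100).to_bytes(PTR, "little"))
    return mon.alerts


if __name__ == "__main__":
    for a in demo():
        print(f"SSDT[{a['index']}] {a['old']:#x} -> {a['new']:#x}: {a['verdict']}")
```

Two design points carry over to a real implementation: the monitor snapshots the table before the trigger is armed, so the baseline must be taken while the VM is known-clean (for example right after a trusted boot), and writes to the hook code itself are not watched, so signature matching happens at the moment the table entry changes, which is exactly the passive "as it is installed" detection the page describes rather than an offline scan.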

Improvements to the Old Family of Tools

Even the plain network introspection tools are getting a face-lift as more of the introspection APIs are brought to bear on the problem.

  • Altor Networks uses the vStorage API to determine what services are running on a VM in order to protect that VM's vNIC with rules tailored to it. Altor Networks is also looking into using the vMemory API to determine exactly which ports are necessary.

Introspection for Everyone

Almost all the virtualization security vendors are concerned about the lack of a common introspection API across hypervisors. Development for each hypervisor is therefore quite different from the others, and there is a claim that Hyper-V has no such API at all. The APIs break down as follows:

  • VMsafe, which is the family of introspection APIs from VMware
  • The open source Xen Introspection API available for Xen and XenServer
  • The standard set of APIs available to Hyper-V, which companies like Virsto have used to introduce their own products into the Hyper-V storage stack. Granted, this is not a direct introspection API, but it does everything one would do with one, if not quite a bit more.


What is really needed is a common introspection API that works across all hypervisors, so that writing the necessary tools becomes straightforward. Perhaps this is where an open source group could develop an abstraction layer that hides the per-hypervisor complexity underneath.

We are now starting to see much more dynamic use of the full breadth of the introspection APIs, and no longer just the low-hanging fruit. This will force the APIs to become better, leaner, and faster, which in turn will drive more useful additions and ideas into virtualization security products.

The more authoritative tools become, the better we all are.

To see a complete discussion on the new tools check out the End-to-End Virtualization Security White Paper.