- Bitdefender contributes unique technology to the open-source community
- Hypervisor-based Memory Introspection (HVMI) is a sub-project of Xen Project
- We continue commercial support of GravityZone Hypervisor Introspection
Bitdefender Hypervisor Introspection has been in a class of its own since the solution was launched. The gist of it is this – get ahead of the results of an attack (malware in general; ransomware being a timely example) by using APIs within hypervisors – based on CPU instructions - to gain access to raw memory events within running virtual machines and apply security logic by taking advantage of the role of hypervisors in the workload stack to stop attacks.
That opening paragraph has quite a lot going-on. Breaking-down what is needed to prevent zero-day attacks from succeeding in a security-minded virtualization stack is helpful:
- Virtual Machine Introspection (VMI): these are open-source APIs within some hypervisors (today, Xen and KVM) which provide access to the raw memory of running VMs
- CPU Extensions: Bitdefender has worked with hypervisor projects and silicon vendors to extend capabilities such that security logic (buffer overflow is bad, heap spray is not good… injections, detours, and such) can be applied with security and performance in-mind
- Focusing on attack techniques: the successful use of a remote attack technique opens a door onto your systems. In simple terms, these techniques abuse memory, and those abuses are visible if you are looking for them and impossible to hide from hypervisor-based introspection
Bitdefender is Contributing Hypervisor-based Memory Introspection
There are hypervisors with VMI APIs which provide access to raw memory, but that doesn’t bridge the gap between capability and ability. Bitdefender has deep expertise in this area. For example:
Organizations don’t always have R&D teams focused on tackling these types of advanced attack structures. Bitdefender is going to help move the security industry into the post-virtualization age by open-sourcing how Bitdefender has been able to implement hypervisor-based introspection.
We are contributing our technologies as a sub-project of Xen Project.
Bitdefender has contributed valuable projects over the years. One of our most recent contributions (a short while before Hypervisor-based Memory Introspection) is:
“bddisasm is a fast, lightweight, x86/x64 instruction decoder. The project also features a fast, basic, x86/x64 instruction emulator, designed specifically to detect shellcode-like behavior.”
Bitdefender is open sourcing technology that bridges the gap between having access to the raw memory of virtual machines running on Xen and KVM, via Virtual Machine Introspection, and making use of that access.
To get into the details of the project, go here: https://github.com/hvmi
HVMI Project Goals
Hypervisors have been around for quite some time, yet the wider security industry has not taken full advantage of the security potential of hypervisors in the modern software stack across public and private datacenters. By open sourcing how Bitdefender takes advantage of open-source VMI APIs via HVMI, we anticipate new:
- Organizations focused on security, or other facets of hypervisor introspection, will be able to short circuit their efforts to take advantage of HVMI/VMI
- Use-cases built on features and functionality outside of security; the only limit is the imagination of the community
- Creations of a wider community of like-minded developers around this project, and Virtual Machine Introspection in general
How You Can Work with the HVMI Project
The HVMI project is licensed under Apache 2.0 – a permissive license. Anyone can contribute to the HVMI project, and anyone can use it. As a sub-project of Xen Project, the HVMI project is governed in the same way as Xen Project. Bitdefender experts will continue to be engaged, while we invite input from any and all individuals and organizations.
You can get involved using the following channels:
- Public HVMI Slack (https://kvm-vmi.herokuapp.com/) join to discuss ideas publicly, or privately, with both Bitdefender developers and other members of the community
- Bitdefender HVMI OSS team contact (firstname.lastname@example.org) – contact Bitdefender folks directly regarding any issue that is not well suited for public Slack discussions
- HVMI security (email@example.com) - report security issues and vulnerabilities; we kindly ask that you follow the guidelines
If you are new to Hypervisor-based Memory Introspection, or are looking at revolutionizing your security with GravityZone Hypervisor Introspection, have a look at: