Hypervisor Introspection Redefines Security for Virtualized Environments


From 1960s mainframes to today’s cloud-centric evolution, data centers have undergone tremendous transformation. As applications became mission-critical, and desktop servers moved into formal data centers, the number of physical servers in a data center grew exponentially, making the job of managing this environment increasingly complex and expensive.

Today, data centers are moving from isolated systems to interconnected pools of virtualized resources shared between multiple locations. Once an aspiration, the prospect of a fully virtualized data center is becoming a reality.

The so-called "data centers without walls" help businesses cut costs and maximize IT efficiency, which is why companies are driving the rapid adoption of virtualized computing. In 2013, 77 percent of small and medium companies had some type of virtualization in place.

Yet, while the benefits of virtualizing applications, desktops, hardware or networks are self-evident, security failed, until now, to align to this new paradigm.

Revolutionary Security

A well-known problem in the cyber-security industry is that advanced malware attacks manage to evade traditional in-OS security. This happens because sophisticated malware like APTs executes in the same context and with the same privileges as anti-malware software.

That is why Bitdefender decided to address security from outside the guest operating system. The kernel introspection technology we have been working on analyzes the raw memory image of the guest OS, its services and its user-mode applications. It audits both kernel and user memory to identify threats such as known rootkit hooking techniques and zero-day or otherwise out-of-reach malware that runs below OS-level security solutions. It also protects user processes from attacks such as code injection, function detouring, unpacked malicious code and code execution from the stack.

Hypervisor introspection ensures that the anti-malware software can live outside the monitored guest, without relying on functionality that advanced malware can render unreliable: no agent or any other type of special software needs to run inside the guest.
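To make the idea concrete, here is an added example (not Bitdefender's or Citrix's code) of the kind of check an out-of-guest engine performs on a raw memory image: it trusts nothing the guest reports and instead verifies, against a known-good layout, that a kernel dispatch table still points into the kernel image and that a known export's prologue has not been overwritten with a detour. The kernel layout, the export name and all addresses and bytes are constructed for the demo; the example assumes the symbol addresses are already known, which is exactly the part the semantic gap makes hard in practice.

```python
import struct

# Constructed layout of the guest kernel image (all values are demo assumptions)
KERNEL_BASE = 0x1000                       # where the kernel image is mapped
KERNEL_SIZE = 0x400
TABLE_OFFSET = 0x100                       # dispatch table inside the image
TABLE_ENTRIES = 4
NT_OPEN_PROCESS = KERNEL_BASE + 0x200      # a known kernel export (hypothetical name)
CLEAN_PROLOGUE = b"\x48\x89\x5c\x24\x08"   # known-good first bytes: mov [rsp+8], rbx
HOSTILE = 0x50000000                       # constructed address outside the kernel image

def build_image(hooked_slot=None, detour=False):
    """Construct a raw guest memory image, optionally with two classic hooks applied."""
    img = bytearray(KERNEL_SIZE)
    for i in range(TABLE_ENTRIES):           # each table slot points into the kernel
        struct.pack_into("<Q", img, TABLE_OFFSET + 8 * i, KERNEL_BASE + 0x200 + 0x40 * i)
    img[0x200:0x205] = CLEAN_PROLOGUE
    if hooked_slot is not None:              # table hooking: slot redirected outside the kernel
        struct.pack_into("<Q", img, TABLE_OFFSET + 8 * hooked_slot, HOSTILE)
    if detour:                               # inline detour: prologue replaced by JMP rel32
        rel = HOSTILE - (NT_OPEN_PROCESS + 5)
        img[0x200:0x205] = b"\xe9" + struct.pack("<i", rel)
    return bytes(img)

def in_kernel(addr):
    return KERNEL_BASE <= addr < KERNEL_BASE + KERNEL_SIZE

def audit(img):
    """Audit the raw image from outside the guest; returns a list of findings."""
    findings = []
    for i in range(TABLE_ENTRIES):
        (target,) = struct.unpack_from("<Q", img, TABLE_OFFSET + 8 * i)
        if not in_kernel(target):
            findings.append(("table_hook", i, target))
    off = NT_OPEN_PROCESS - KERNEL_BASE
    prologue = img[off:off + 5]
    if prologue != CLEAN_PROLOGUE:           # compare against known-good bytes, not guest claims
        dest = None
        if prologue[0] == 0xE9:              # decode JMP rel32 to report where it leads
            (rel,) = struct.unpack_from("<i", img, off + 1)
            dest = NT_OPEN_PROCESS + 5 + rel
        findings.append(("inline_detour", NT_OPEN_PROCESS, dest))
    return findings

if __name__ == "__main__":
    for label, img in (("clean", build_image()), ("hooked", build_image(hooked_slot=2, detour=True))):
        print(label, audit(img))
```

A real engine would derive the known-good layout from the on-disk kernel image and symbols rather than from hard-coded constants, and would re-check on every write to the monitored pages rather than on a single snapshot.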

This technology was troublesome to implement until now because of compatibility issues with hardware, the need for adequate computing power and resources, and the semantic gap issue: the challenge of accurately extracting semantic meaning from the hypervisor's hardware-level view of a guest OS. Of these, the semantic gap remains a work in progress and the most demanding part to tackle.

While kernel introspection is known in academia, Bitdefender has advanced the idea, now providing real-time protection for virtual machines against a wide range of threats.

Long-term Benefits

Hypervisor introspection is a giant leap towards revolutionizing security as we know it. Virtualization technology continues to evolve, with increased levels of automation and comprehensive frameworks for managing the virtualized environment more efficiently. In this context, the hypervisor-based introspection technology is a future-proof advancement with numerous applications in other fields and industries.

Server farms, businesses embracing BYOD and security for mobile devices are some of the fields where hypervisor introspection shows great potential. In the future, companies will be able to deploy it on mobile devices as well as computers to isolate and secure personal and corporate data from compromise.

Bitdefender Hypervisor Introspection was developed in close collaboration with Citrix. It integrates with the Direct Inspect API released by Citrix as part of XenServer 7, the first commercial hypervisor capable of virtual machine introspection.

“XenServer Direct Inspect APIs with Bitdefender GravityZone is a first and unique security feature for commercial hypervisors,” Citrix writes on its website. This is meant to complement existing disk-based protection solutions to provide “better than physical” protection, the company added. Find out more about XenServer 7 here.
