Bitdefender’s hypervisor introspection


6 July 2016

Security specialist Bitdefender has developed a new approach to security in virtualised environments with its Hypervisor Introspection (HVI) framework.

Developed in conjunction with Citrix and Intel, the new approach operates at the hypervisor level, where it has deep insight into a virtual machine’s (VM) memory while remaining completely isolated from potential attacks. This, says Bitdefender, brings a higher level of security visibility and actionability than has heretofore been possible in virtual environments.

Hypervisor Introspection, said Bogdan Botezatu, senior e-threat analyst, Bitdefender, speaking to TechPro, takes a new approach to scanning virtualised environments. Until now, security in virtualised environments relied on an agent that facilitated communication to know what was going on inside a VM. This, said Botezatu, was not only vulnerable to attack from malware, but also lacking in scalability due to the resources required.

“We went back to the drawing board and tried to figure out a solution that not only offloads security from the VM,” said Botezatu, “but also to make it impossible for a system threat to kill the AV and leave your machine unprotected.”

HVI is a set of APIs that sit at the hypervisor level, below the OS, analysing raw memory pages to see what is happening in the VM and forwarding that information to the security virtual appliance.

“That way, you don’t have to have an agent in every VM, because you are extracting that information you need from the HV level,” said Botezatu. “It is very good for performance and because you are running in a hardware enforced security layer, you cannot kill the AV solution. This was a breakthrough.”

“It looks simple, but it was very challenging to implement. For one, it was very difficult to create a context for what you are seeing in the raw memory pages. You don’t have the visibility that you would running inside the VM.”

The framework was some five years in development, Botezatu reports, as it took a huge effort “to make sense of the noise,” requiring help from vendors, which is where Citrix came in with their open source experience. “Citrix is very friendly to the research community,” said Botezatu, “and has done a lot of work on this with us.”

HVI, he reports, has no issues with scalability, nor any need for modifications; it just needs other hypervisor vendors to open up the same APIs as Citrix did. As soon as other HV vendors open up the APIs, anyone can take advantage, he said.

“The good thing is that if we can convince vendors to join us in our mission, those APIs will be available to all other security vendors. It will open up new opportunities for the entire security industry,” said Botezatu.

Intel has also worked with the project, and its 4th generation CPUs will have hardware-level introspection.

Botezatu said that plans are already underway for KVM implementation, thus giving back to the OS community.

“By working with Bitdefender, Citrix XenServer has become the first commercial hypervisor with virtual machine introspection, enabling customers to easily detect and block sophisticated security threats at the hypervisor level,” said Marc Trouard-Riolle, principal product marketing manager, Core Infrastructure, Citrix. “Hypervisor Introspection is truly a game-changer in the world of cyber security. It’s a sophisticated solution for our customers yet easy to use as part of XenServer deployment.”

 

TechCentral Reporters


TechCentral.ie