HyperMonitor: a lightweight multi-platform monitor based on hardware virtualization

摘要

This paper presents the implementation and simulation benchmark of HyperMonitor, a lightweight multi-platform monitor based on hardware virtualization which allows a high-privileged and transparent execution environment to monitor various behaviors in operating systems. Taking advantage of X86 hardware virtualization and self-transparency technology, HyperMonitor provides a unified security monitoring to multiple operating systems including Linux and Windows XP without any modification. Our design is to establish a lightweight monitor which resides completely outside of the guest OS environments with a negligible overhead to the protected Operating Systems. According to the performance experiment result, our approach can effectively monitor applications and unmodified Operating Systems by the cost of only 0.9% average overhead in Windows XP and 2.6% average overhead in Linux. Leveraging hardware virtualization, a tool based on HyperMonitor detects debugging behavior by intercepting debug events on a higher privilege level than the conventional kernel space. In order to study the trend of overhead and achieve a better prediction of experimental results, we use the simulation benchmark to compare the difference between the actual results and the experimental fitting data with the help of least squares model.