Virtuoso: Narrowing the semantic gap in virtual machine introspection

Brendan Dolan-Gavitt, Tim Leek, Michael Zhivich, Jonathon Giffin, Wenke Lee

    Research output: Chapter in Book/Report/Conference proceedingConference contribution


    Introspection has featured prominently in many recent security solutions, such as virtual machine-based intrusion detection, forensic memory analysis, and low-artifact malware analysis. Widespread adoption of these approaches, however, has been hampered by the semantic gap: in order to extract meaningful information about the current state of a virtual machine, detailed knowledge of the guest operating system's inner workings is required. In this paper, we present a novel approach for automatically creating introspection tools for security applications with minimal human effort. By analyzing dynamic traces of small, in-guest programs that compute the desired introspection information, we can produce new programs that retrieve the same information from outside the guest virtual machine. We demonstrate the efficacy of our techniques by automatically generating 17 programs that retrieve security information across 3 different operating systems, and show that their functionality is unaffected by the compromise of the guest system. Our technique allows introspection tools to be effortlessly generated for multiple platforms, and enables the development of rich introspection-based security applications.

    Original languageEnglish (US)
    Title of host publicationProceedings - 2011 IEEE Symposium on Security and Privacy, SP 2011
    PublisherInstitute of Electrical and Electronics Engineers Inc.
    Number of pages16
    ISBN (Print)9780769544021
    StatePublished - 2011

    Publication series

    NameProceedings - IEEE Symposium on Security and Privacy
    ISSN (Print)1081-6011

    ASJC Scopus subject areas

    • Safety, Risk, Reliability and Quality
    • Software
    • Computer Networks and Communications


    Dive into the research topics of 'Virtuoso: Narrowing the semantic gap in virtual machine introspection'. Together they form a unique fingerprint.

    Cite this