Process and Thread Detection in a Virtual Machine Monitor
Karthik Jayaraman and Suresh Sridharan
Abstract:
In this paper, we examine ways of reducing the semantic gap at the
virtual machine monitor (VMM) - virtual machine (VM) interface. We
explore methods to make the VMM aware of software abstractions within
the VM. Specifically, we present techniques for detection of
processes and threads in a virtual machine monitor. These techniques
are primarily based on inferences which can be derived from specific
events within the VM, observable inside the VMM. We have been able to
detect the creation, switch and termination of processes by observing
the privileged operations associated (directly or indirectly) with
them. We further extend these methods to detect similar events in the
case of light-weight processes (kernel-level threads). Our results
indicate a high degree of accuracy in detecting process-related events
and thread switches. We demonstrate that inaccuracies in thread
creation detection occur owing to the existence of kernel threads.
Thread termination, however, remains a hard problem because of the
lack of "observable" events. In the course of our experiments, we
were also able to detect the scheduling of the idle thread within a
VM.
Available as: Postscript or PDF
Click here to download the files we modified (Xen + Linux).
Click here to download the trace files.