What is the definition of virtual machine introspection?
Virtual machine introspection (VMI) is a term coined by Garfinkel and Rosenblum in their 2003 paper “A Virtual Machine Introspection Based Architecture for Intrusion Detection”, in which they describe VMI as the “approach of inspecting a virtual machine from the outside for the purpose of analyzing the software running inside it”.
What can you do with a virtual machine?
VMI is now a common term for different virtual machine forensics and analysis methods. VMI-based approaches are widely used for security applications, software debugging, and systems management.
Where can I find a virtual machine monitor?
VMI tools may be located inside or outside the virtual machine and act by tracking events (interrupts, memory writes, and so on) or by sending requests to the virtual machine. The virtual machine monitor usually provides low-level information such as raw bytes of memory.
How are virtual machines different from physical machines?
The physical machine is multiplexed into several virtual machines (VMs), on top of which unmodified OSs (referred to as guest OSs) can run. Since each VM can have its own OS, this allows multiple guest OSs to run in parallel on a single physical computer.
What do you need to know about virtual machine monitor?
The virtual machine monitor usually provides low-level information such as raw bytes of memory. Converting this low-level view into something meaningful for the user is known as the semantic gap problem. Solving this problem requires analysis and understanding of the systems being monitored.
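The semantic gap described above, as an added example that is not part of the original page: a process list is recovered from a raw guest-memory buffer using prior knowledge of the guest's data-structure layout. The 32-byte task record, the `PROFILE` offsets and the sample memory image are constructed for illustration and do not match any real kernel.

```python
import struct

# Hypothetical guest-OS profile (an assumption, not a real kernel layout):
# task record = next pointer (u64) | pid (u32) | 4 pad bytes | name (16 bytes)
PROFILE = {"next": 0, "pid": 8, "comm": 16, "comm_len": 16}

def build_sample_memory():
    """Construct a 4 KiB 'guest memory' image holding a circular task list."""
    mem = bytearray(4096)
    tasks = [(0x100, 1, b"init"), (0x340, 412, b"sshd"), (0x200, 977, b"nginx")]
    for i, (addr, pid, name) in enumerate(tasks):
        nxt = tasks[(i + 1) % len(tasks)][0]
        struct.pack_into("<QI4x16s", mem, addr, nxt, pid, name)
    return bytes(mem), tasks[0][0]

def read(mem, addr, size):
    """Bounds-checked raw read: the low-level view the monitor provides."""
    if addr < 0 or addr + size > len(mem):
        raise ValueError(f"read outside guest memory: {addr:#x}")
    return mem[addr:addr + size]

def list_processes(mem, head, profile=PROFILE, max_tasks=1024):
    """Walk the task list from `head` and return [(pid, name), ...].

    The offsets in `profile` are what bridges the semantic gap: without
    them the buffer is only bytes. Already-visited addresses end the walk,
    so a looped or tampered list cannot hang the tool.
    """
    procs, addr, seen = [], head, set()
    while addr not in seen:
        if len(seen) >= max_tasks:
            raise ValueError("task list too long; profile or memory is wrong")
        seen.add(addr)
        (nxt,) = struct.unpack("<Q", read(mem, addr + profile["next"], 8))
        (pid,) = struct.unpack("<I", read(mem, addr + profile["pid"], 4))
        raw = read(mem, addr + profile["comm"], profile["comm_len"])
        procs.append((pid, raw.split(b"\0", 1)[0].decode("ascii", "replace")))
        addr = nxt
    return procs

if __name__ == "__main__":
    mem, head = build_sample_memory()
    for pid, name in list_processes(mem, head):
        print(f"{pid:>5}  {name}")
```

Running the same walk with a wrong offset (for example `pid` at 12) still returns values, but they are meaningless, which is why introspection tools depend on an accurate profile of the monitored system.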
What does a trap to the VMM do?
Going forward, any time the guest OS writes to this register, the hardware hands control to the VMM. We refer to this as a trap to the VMM. This ability of the VMM enables VMI. VMI allows us to take advantage of the hardware and the VMM to inspect the guest.