虚拟机自省中一种消除语义鸿沟的方法

虚拟机自省技术已经广泛应用于入侵检测和恶意软件分析等领域。但是由于语义鸿沟的存在，获取虚拟机内部信息时会导致其通用性和执行效率降低。通过分析现有语义鸿沟修复技术的不足，提出了一种称为ModSG的语义鸿沟消除方法。ModSG是一个模块化系统，将语义修复分为2部分：与用户直接交互的在线语义视图构建和与操作系统知识交互的离线高级语义解析。二者以独立的模块实现且后者为前者提供语义重构时必要的内核语义信息。针对不同虚拟机状态和不同内核版本操作系统的实验表明，ModSG在消除语义鸿沟上是准确和高效的。模块化设计和部署也使ModSG容易扩展到其他操作系统和虚拟化平台上。

Narrowing the semantic gap in virtual machine introspection

Virtual machine introspection(VMI) has been widely used in areas such as intrusion detection and malware analysis. However, due to the existence of semantic gap, the generality and the efficiency of VMI were partly influenced while getting internal information of a virtual machine. By analyzing the deficiencies of existing technology of semantic gap restoration, a method called ModSG was proposed to bridge the semantic gap. ModSG was a modularity system, it divided semantic restoration into two parts. One was online phase that interact directly with user to construct semantic views, the other was offline phase that only interact with operating system to parse high-level semantic knowledge. Both were implemented via independent module, and the latter provided the former with necessary kernel information during semantic view construction. Experiments on different virtual machine states and different kernel versions show that the ModSG is accurate and efficient in narrowing semantic gap. The modular design and deployment also make ModSG easily to be extended to other operating systems and virtualization platforms.