SANDIA REPORT
SAND2012-7818
Unlimited Release
Printed September 2012

Simplifying Virtual Machine Introspection Using LibVMI

Bryan D. Payne

Prepared by
Sandia National Laboratories
Albuquerque, New Mexico 87185 and Livermore, California 94550

Sandia National Laboratories is a multi-program laboratory managed and operated by Sandia Corporation, a wholly owned subsidiary of Lockheed Martin Corporation, for the U.S. Department of Energy's National Nuclear Security Administration under contract DE-AC04-94AL85000.

Approved for public release; further dissemination unlimited.

Issued by Sandia National Laboratories, operated for the United States Department of Energy by Sandia Corporation.

NOTICE: This report was prepared as an account of work sponsored by an agency of the United States Government. Neither the United States Government, nor any agency thereof, nor any of their employees, nor any of their contractors, subcontractors, or their employees, make any warranty, express or implied, or assume any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, apparatus, product, or process disclosed, or represent that its use would not infringe privately owned rights. Reference herein to any specific commercial product, process, or service by trade name, trademark, manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation, or favoring by the United States Government, any agency thereof, or any of their contractors or subcontractors. The views and opinions expressed herein do not necessarily state or reflect those of the United States Government, any agency thereof, or any of their contractors.

Printed in the United States of America. This report has been reproduced directly from the best available copy.

Available to DOE and DOE contractors from
U.S. Department of Energy
Office of Scientific and Technical Information
P.O. Box 62
Oak Ridge, TN 37831

Telephone: (865) 576-8401
Facsimile: (865) 576-5728
E-Mail: reports@adonis.osti.gov
Online ordering: http://www.osti.gov/bridge

Available to the public from
U.S. Department of Commerce
National Technical Information Service
5285 Port Royal Rd.
Springfield, VA 22161

Telephone: (800) 553-6847
Facsimile: (703) 605-6900
E-Mail: orders@ntis.fedworld.gov
Online order: http://www.ntis.gov/help/ordermethods.asp?loc=7-4-0#online

SAND2012-7818
Unlimited Release
Printed September 2012

Simplifying Virtual Machine Introspection Using LibVMI

Bryan D. Payne
Information Systems Analysis Center
Sandia National Laboratories
P.O. Box 5800
Albuquerque, New Mexico 87185-1248

Abstract

Ensuring the security of a computer system requires the careful integration of many components. Key among these is security monitoring. Recent research trends show an increasing acceptance of external host-based monitoring techniques such as virtual machine introspection (VMI), a technique for viewing the runtime state of a virtual machine (VM). VMI's primary drawbacks include performance and the semantic gap problem (i.e., understanding the low-level information available through VMI). This report describes work performed under an Early Career Laboratory Directed Research and Development (LDRD) project that aimed to address these two key challenges. Our results are promising, with significant performance improvements and a much more usable VMI programming environment. This work resulted in the creation and release of LibVMI, an open source software project based on the author's previous work with the XenAccess library.

ACKNOWLEDGMENTS

This work was made possible through the Early Career LDRD program at Sandia National Labs. This program has proven to be an excellent tool for lab recruitment and for integrating new technical staff into the lab.

I would also like to thank Tan Thai for serving as a mentor for this project, and Matthew Leinhos for helping with the software development of LibVMI.

Finally, I'd like to thank the Cyber Security Early Career LDRD PI group for guidance and support on a variety of levels throughout this program.

CONTENTS

1. Introduction ................................................................................................................................ 7
2. LibVMI ...................................................................................................................................... 9
2.1 KVM Support................................................................................................................... 10
2.2 API Improvements ........................................................................................................... 11
2.3 Performance ..................................................................................................................... 12
2.4 64-bit Guest Support ........................................................................................................ 14
3. PyVMI and Volatility Integration ............................................................................................ 15
3.1 PyVMI: A Python Wrapper for LibVMI ......................................................................... 15
3.2 PyVMI Address Space for Volatility ............................................................................... 15
4. Future Work ............................................................................................................................. 17
5. Conclusions .............................................................................................................................. 18
A1. Distribution ........................................................................................................................... 19

FIGURES

Figure 1 LibVMI enables the creation of a single VMI application that runs in multiple virtualization contexts. LibVMI is extensible to support any virtualization platform, but currently supports Xen, KVM, and physical memory snapshots. .................... 9
Figure 2 LibVMI currently works with Xen, KVM, and physical memory snapshots. .................... 9
Figure 3 High-level view of the LibVMI software stack. The portions in blue represent code written for this project. .................... 10
Figure 4 Sampling of the current LibVMI API. The complete API contains a variety of additional convenience functions designed to make VMI development easier. .................... 11
Figure 5 LibVMI's page cache algorithm balances memory overhead with performance, ensuring that the related data structures never grow too large. .................... 13
Figure 6 LibVMI performance before our cache optimizations. .................... 13
Figure 7 LibVMI performance after our cache optimizations. .................... 14
Figure 8 While the details in this picture are too small to read, the key point is that significant work happens for each API call. In this case, the vmi_read_ksym call must handle reads around page boundaries, resolve the kernel symbol, translate the kernel symbol to a physical address, and perform the actual read from the VMM. .................... 14
Figure 9 Software stack with PyVMI wrapper on top of the C language LibVMI library. The portions in blue represent code written for this project. .................... 15
Figure 10 Software stack with Volatility address space plugin. The portions in blue represent code written for this project. .................... 16

NOMENCLATURE

API   application programming interface
LDRD  laboratory directed research and development
KVM   kernel-based virtual machine (see www.linux-kvm.org)
PI    principal investigator
VM    virtual machine
VMI   virtual machine introspection
VMM   virtual machine monitor, analogous to a hypervisor
Xen   open source hypervisor from Univ of Cambridge (see www.xen.org)

1. INTRODUCTION

Previous virtual machine introspection (VMI) research has focused on the underlying mechanics (e.g., accessing memory pages) or extracting higher-level semantics from software (e.g., memory analysis). The work performed on this LDRD addressed the practical problems associated with VMI application development by bridging these two previous research areas. We approached the problem through the creation of LibVMI, a virtual machine introspection library based on the related XenAccess library. In addition, we provided integration between LibVMI and Volatility, a forensic memory analysis framework, to drastically simplify the creation of VMI applications.

LibVMI provides a useful application programming interface (API) for reading from and writing to a virtual machine's memory. It also provides a variety of utility functions that are useful to VMI developers. All of this functionality works for VMs running under either of the two most popular open source virtualization platforms: Xen and KVM. LibVMI programs can also use a static memory snapshot as a data source. This flexibility allows developers to create VMI applications once and have them work in each of these settings without modification. We discuss LibVMI in Section 2.

Volatility is an open source memory analysis framework. It is popular in the forensic memory analysis community, where the goal is to understand the information within a single, static memory snapshot. Volatility can easily be extended to acquire its memory data from a source other than a file through a mechanism called address space plugins. We wrote an address space plugin for Volatility that enabled using LibVMI for memory access. Since Volatility is written in Python, this also required writing a Python wrapper for the LibVMI API. With this functionality in place, one can easily write new VMI applications using Volatility. We discuss the integration of Volatility and LibVMI in Section 3.

This LDRD ended earlier than scheduled because the principal investigator (PI) decided to leave Sandia National Labs to pursue another job. This left some work unfinished. In Section 4, we will talk about this unfinished work as potential future work.

Finally, in Section 5 we provide some conclusions on this LDRD project.

2. LIBVMI

LibVMI provides a useful application programming interface (API) for reading from and writing to a virtual machine's memory. It also provides a variety of utility functions that are useful to VMI developers. All of this functionality works for VMs running under either of the two most popular open source virtualization platforms: Xen and KVM. LibVMI programs can also use a static memory snapshot as a data source. This flexibility allows developers to create VMI applications once and have them work in each of these settings without modification, as shown in Figures 1 and 2.

[Figure 1: diagram contrasting one application per platform (App 1 through App 15 spread across Xen, KVM, VMWare, Hyper-V, and Memory Snapshot) with a single application running on top of LibVMI]

Figure 1 LibVMI enables the creation of a single VMI application that runs in multiple virtualization contexts. LibVMI is extensible to support any virtualization platform, but currently supports Xen, KVM, and physical memory snapshots.

[Figure 2: a Memory Analysis Application sits on LibVMI, which connects to Xen (Xen PV Virtual Machine, Xen HVM Virtual Machine), KVM (KVM Virtual Machine), and Memory Snapshot (VMWare Snapshot, Memoryze Snapshot)]

Figure 2 LibVMI currently works with Xen, KVM, and physical memory snapshots.

LibVMI evolved from the XenAccess project. XenAccess provided lower-level VMI capabilities for VMs running in Xen. With XenAccess, only 32-bit VM operating systems were supported. Furthermore, access to memory required the VMI developer to use XenAccess to manually map guest VM pages, operate on the pages, and then unmap the pages. The last XenAccess release was version 0.5. LibVMI used this release as a starting point. Note that the PI for this LDRD, Bryan D. Payne, is also the creator of XenAccess.

[Figure 3: LibVMI (C language API) on top of backends for Xen, KVM (reached through a patch), Other VMM, and Memory Snapshot]

Figure 3 High-level view of the LibVMI software stack. The portions in blue represent code written for this project.

The key areas of improvement for LibVMI under the LDRD program include:
• Refactoring the code to support KVM, and to make supporting other virtualization platforms very simple.
• Improving the API to greatly simplify VMI development. Specifically, replace manual memory mapping with read and write functions that behave as expected to a POSIX developer.
• Improving the overall performance of the library.
• Adding support for 64-bit VM guest operating systems.
• Adding the pyvmi wrapper library (discussed in Section 3).
• Improving Volatility integration (discussed in Section 3).
• Fixing a variety of bugs ranging from correctness to memory leaks.

We discuss the first four bullet points in more detail below.

2.1 KVM Support

While Xen is a widely deployed hypervisor, KVM has quickly grown in popularity. Many people prefer KVM due to the ease of installation that comes from being a Type-2 VMM (i.e., it is integrated into the host operating system and can leverage the OS hardware support). Therefore, it makes sense to enable introspection capabilities for KVM. Moving in this direction is what motivated the library name change from XenAccess to LibVMI.

The original XenAccess software was built specifically for Xen, as the name implies. Therefore, function calls to interface with Xen were scattered throughout the code. In order to support KVM, we first refactored the code to contain all Xen-specific interactions in a single "driver". Next, we wrote a new driver to support KVM. Finally, we set up LibVMI to dynamically determine which virtualization platform is available at startup, choosing the correct driver at that time.

The other piece of the puzzle was to actually access the VM memory for KVM. Unlike Xen, KVM does not provide any APIs to facilitate this access. So, to support LibVMI, we created a patch for KVM that enabled memory access through a Unix domain socket. We used the libvirt library to gain the additional access that we needed (e.g., pausing and resuming the VM). Since the patch is somewhat challenging for users to deploy, we also enabled a technique to access memory through a KVM VM's GDB stub. GDB is the GNU Debugger. It provides a rich set of capabilities for viewing a running process or system. In this case, we could dump memory through a GDB network protocol. But the resulting access is slower than using our KVM source code patch. Users can now choose between a harder-to-install software patch that provides faster memory access, and an easier-to-install GDB connection that provides slower memory access.

The end result is that LibVMI now supports both Xen and KVM. Furthermore, it would now be very easy to write a driver to support another virtualization platform in the future.

2.2 API Improvements

The older XenAccess API required developers to manually map and unmap VM memory pages. This turned out to be arduous and error prone. Furthermore, developers often wrote code that abused this interface, resulting in a large performance degradation. The new LibVMI API abstracts this low-level page mapping away from the developers and instead provides a more intuitive API based on familiar-feeling read and write functions. Figure 4 shows a sampling of the current LibVMI API.

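The two design points in Sections 2.1 and 2.2, a single backend "driver" selected behind the library and read functions that hide page mapping from the caller, can be sketched together in C. The following is an added example written for this edit, not code from LibVMI or from the report. It assumes a hypothetical driver interface with map_page, unmap_page and memsize callbacks (names chosen here, not LibVMI's), implements only a memory-snapshot backend over a constructed in-memory buffer, and shows a read_pa that handles a read straddling a page boundary and truncates a read that runs past the end of guest memory instead of touching memory outside it. A Xen or KVM driver would plug into the same interface but is not implemented here.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PAGE_SHIFT 12
#define PAGE_SIZE  (1u << PAGE_SHIFT)

typedef uint64_t addr_t;

/* Hypothetical driver interface (not LibVMI's): each backend knows how to map
 * and unmap one guest page by page frame number and how big guest memory is. */
typedef struct driver {
    const char *name;
    void   *(*map_page)(struct driver *d, addr_t pfn);   /* NULL if pfn is out of range */
    void    (*unmap_page)(struct driver *d, void *page);
    addr_t  (*memsize)(struct driver *d);
    void    *priv;
} driver_t;

/* Memory-snapshot backend: guest physical memory is a flat buffer in memory. */
typedef struct { uint8_t *mem; size_t size; } snapshot_t;

static void *snap_map_page(driver_t *d, addr_t pfn)
{
    snapshot_t *s = d->priv;
    addr_t off = pfn << PAGE_SHIFT;
    if (off + PAGE_SIZE > s->size)
        return NULL;
    return s->mem + off;            /* already in memory, so nothing to copy */
}

static void snap_unmap_page(driver_t *d, void *page) { (void)d; (void)page; }

static addr_t snap_memsize(driver_t *d) { return ((snapshot_t *)d->priv)->size; }

static void snapshot_driver_init(driver_t *d, snapshot_t *s)
{
    d->name = "snapshot";
    d->map_page = snap_map_page;
    d->unmap_page = snap_unmap_page;
    d->memsize = snap_memsize;
    d->priv = s;
}

/* The library instance carries whichever driver was chosen at startup. */
typedef struct { driver_t *drv; } vmi_instance;

/* read_pa: copy count bytes from guest physical address paddr into buf.
 * The caller never sees pages: one page is mapped at a time, the needed
 * part is copied, the page is unmapped, and the loop moves on, so a read
 * crossing a page boundary simply uses two (or more) maps. Returns the
 * bytes actually read, less than count only if the range leaves guest memory. */
static size_t read_pa(vmi_instance *vmi, addr_t paddr, void *buf, size_t count)
{
    size_t done = 0;
    while (done < count) {
        addr_t cur    = paddr + done;
        addr_t pfn    = cur >> PAGE_SHIFT;
        size_t offset = (size_t)(cur & (PAGE_SIZE - 1));
        size_t chunk  = PAGE_SIZE - offset;
        if (chunk > count - done)
            chunk = count - done;
        void *page = vmi->drv->map_page(vmi->drv, pfn);
        if (page == NULL)
            break;                  /* partial read rather than an out-of-bounds access */
        memcpy((uint8_t *)buf + done, (uint8_t *)page + offset, chunk);
        vmi->drv->unmap_page(vmi->drv, page);
        done += chunk;
    }
    return done;
}

/* Constructed guest memory for the demo: four pages where the byte at
 * physical address a holds (a & 0xff). Returns 1 if both reads behave as
 * described in the comments, 0 otherwise. */
static int demo_cross_page_read(void)
{
    size_t size = 4 * PAGE_SIZE;
    uint8_t *mem = malloc(size);
    if (mem == NULL)
        return 0;
    for (size_t i = 0; i < size; i++)
        mem[i] = (uint8_t)i;

    snapshot_t snap = { mem, size };
    driver_t drv;
    snapshot_driver_init(&drv, &snap);
    vmi_instance vmi = { &drv };

    /* 8 bytes starting 4 bytes before the end of page 0: spans pages 0 and 1. */
    uint8_t buf[8];
    size_t n = read_pa(&vmi, PAGE_SIZE - 4, buf, sizeof buf);
    int ok = (n == sizeof buf);
    for (size_t i = 0; ok && i < sizeof buf; i++)
        ok = (buf[i] == (uint8_t)(PAGE_SIZE - 4 + i));

    /* A 16-byte read starting 6 bytes before the end of guest memory is
     * truncated to 6 bytes instead of reading past the buffer. */
    uint8_t tail[16];
    size_t m = read_pa(&vmi, size - 6, tail, sizeof tail);
    ok = ok && (m == 6) && (vmi.drv->memsize(vmi.drv) == size);

    free(mem);
    return ok;
}

int main(void)
{
    printf("cross-page read %s\n", demo_cross_page_read() ? "ok" : "FAILED");
    return 0;
}
```

The point of the structure is that every backend-specific detail lives behind the driver table, while the chunking loop in read_pa is written once; the same loop also makes it harder for an application to hold a mapping longer than needed, the misuse of the old map/unmap interface described above.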
status_t vmi_init (vmi_instance_t *vmi, uint32_t flags, char *name)
status_t vmi_destroy (vmi_instance_t vmi)
addr_t vmi_translate_kv2p (vmi_instance_t vmi, addr_t vaddr)
addr_t vmi_translate_uv2p (vmi_instance_t vmi, addr_t vaddr, int pid)
addr_t vmi_translate_ksym2v (vmi_instance_t vmi, char *symbol)
addr_t vmi_pid_to_dtb (vmi_instance_t vmi, int pid)
size_t vmi_read_ksym (vmi_instance_t vmi, char *sym, void *buf, size_t count)
size_t vmi_read_va (vmi_instance_t vmi, addr_t vaddr, int pid, void *buf, size_t count)
size_t vmi_read_pa (vmi_instance_t vmi, addr_t paddr, void *buf, size_t count)
size_t vmi_write_ksym (vmi_instance_t vmi, char *sym, void *buf, size_t count)
size_t vmi_write_va (vmi_instance_t vmi, addr_t vaddr, int pid, void *buf, size_t count)
size_t vmi_write_pa (vmi_instance_t vmi, addr_t paddr, void *buf, size_t count)
void vmi_print_hex (unsigned char *data, unsigned long length)
unsigned long vmi_get_memsize (vmi_instance_t vmi)
status_t vmi_get_vcpureg (vmi_instance_t vmi, reg_t *value, registers_t reg, unsigned long vcpu)
status_t vmi_pause_vm (vmi_instance_t vmi)
status_t vmi_resume_vm (vmi_instance_t vmi)
void vmi_v2pcache_flush (vmi_instance_t vmi)
void vmi_v2pcache_add (vmi_instance_t vmi, addr_t va, addr_t dtb, addr_t pa)

Figure 4 Sampling of the