• DocumentCode
    691807
  • Title

    Towards Implicitly Introspecting the Preinstalled Operating System with Local-Booting Virtualization Technology

  • Author

    Yan Wen ; Jinjing Zhao ; Hua Chen ; Minhuan Huang

  • Author_Institution
    Beijing Inst. of Syst. Eng., Beijing, China
  • fYear
    2013
  • fDate
    21-22 Dec. 2013
  • Firstpage
    31
  • Lastpage
    38
  • Abstract
    The virtual machine (VM) based introspection on the operating system (OS) holds predominance over previous host-based introspectors for being more resistant to attack while suffering the difficulty of retrieving the semantic view of the OS. Previous approaches addressing this limitation highly depend on the explicit guest information which is still subvertable to the privileged malware. Moreover, they only deal with the OS deployed in the VM instead of our daily used native OS. In this paper, we present a new VM-based introspecting approach called Pisces which accurately reproduces the execution environment of the underlying preinstalled OS within the Pisces VM and provides an OS-level semantic view. With our novel local-booting virtualization technology, Pisces VM just boots from the underlying host OS but not a newly installed OS image. Thus, Pisces provides a feasible way to introspect on the existing OS. In addition, instead of relying on the explicit guest information, Pisces adopts a set of unique techniques to implicitly construct the semantic view of the OS from within the virtualized hardware layer. The evaluation results demonstrate its practicality and effectiveness.
  • Keywords
    invasive software; operating systems (computers); virtual machines; virtualisation; OS; Pisces VM; host-based introspectors; local-booting virtualization technology; preinstalled operating system; privileged malware; virtual machine; File systems; Hardware; Indexes; Malware; Program processors; Semantics; Virtual machining; implicit-introspection; malware; virtual machine; virtual machine monitor
  • fLanguage
    English
  • Publisher
    IEEE
  • Conference_Titel
    Dependable, Autonomic and Secure Computing (DASC), 2013 IEEE 11th International Conference on
  • Conference_Location
    Chengdu
  • Print_ISBN
    978-1-4799-3380-8
  • Type

    conf

  • DOI
    10.1109/DASC.2013.34
  • Filename
    6844334