Citrix, Bitdefender in Xen-only virtual security double-team

'Hypervisor introspection' probes guest VMs for advanced malware from splendid isolation

Bitdefender and Citrix's hypervisor introspection in action
Bitdefender and Citrix's hypervisor introspection in action. Image: Citrix

Citrix and Bitdefender have revealed a security tool that runs inside the hypervisor – in this case, Citrix's own XenServer – to detect advanced persistent threats running in guest VMs.

The tool pulls off this trick by inspecting the state of memory used by guest VMs. If the “Hypervisor Introspection” (HVI) tool sees telltale signs of naughtyware like buffer overflows, heap sprays or other unexpected code execution, up goes the red flag and down comes the VM.

None of this disrupts a guest's security software, which will run as usual. But Bitdefender and others point out that plenty of advanced threats run for months without being detected, escaping the attention of security tools that focus on threats to user-space.

Citrix and Bitdefender are claiming this is a world-first, and it is at least in terms of in having a product to crow about. VMware is working on a similar effort called Project Goldilocks that also relies on the splendid isolation of the hypervisor, which in theory cannot be touched by guests and therefore leaves threats unable to evade detection or punitive action.

Microsoft's shielded VMs try something similar, by creating a virtual trusted platform module that ensures guests can't run unexpected workloads.

For now, HVI only works on XenServer, Citrix's virtualization stack that it now aims only at its own workloads. But XenServer is based on Xen, which is merrily open source and powers some of the world's larger clouds. Bitdefender also says Intel and the Linux Foundation helped it cook up HVI, so The Register's virtualization desk thinks it's likely we'll hear more about this before tool much time has passed. ®


Biting the hand that feeds IT © 1998–2017