VMware

Decoupling Dynamic Program Analysis from Execution in Virtual Environments

USENIX Annual Technical Conference (2008)

Citations: 96 | Views: 291
Abstract
Analyzing the behavior of running programs has a wide variety of compelling applications, from intrusion detection and prevention to bug discovery. Unfortunately, the high runtime overheads imposed by complex analysis techniques make their deployment impractical in most settings. We present a virtual machine based architecture called Aftersight that ameliorates this, providing a flexible and practical way to run heavyweight analyses on production workloads.

Aftersight decouples analysis from normal execution by logging nondeterministic VM inputs and replaying them on a separate analysis platform. VM output can be gated on the results of an analysis for intrusion prevention, or analysis can run at its own pace for intrusion detection and best-effort prevention. Logs can also be stored for later offline analysis for bug finding or forensics, allowing analyses that would otherwise be unusable to be applied ubiquitously. In all cases, multiple analyses can be run in parallel, added on demand, and are guaranteed not to interfere with the running workload.

We present our experience implementing Aftersight as part of the VMware virtual machine platform and using it to develop a realtime intrusion detection and prevention system, as well as an offline system for bug detection, which we used to detect numerous novel and serious bugs in VMware ESX Server, Linux, and Windows applications.