
As is the case with any research, this thesis both solves problems and introduces new problems. Furthermore, since we are rethinking how security applications should be deployed, there are a variety of highly practical questions regarding the usefulness, the long-term viability, and the benefits of the ideas presented in this thesis. Our research approach is to embrace these challenges as ideas for future work, rather than to view them as obstacles or even roadblocks. Throughout this thesis we have described a variety of opportunities for future work. In this section, we take a high-level view of the research space related to external monitoring and identify the key open problems in this space. These problems are both large and challenging, but success could fundamentally change system security for the foreseeable future by allowing external monitoring techniques such as virtual machine introspection to be more readily deployed in commercial security products.

• Solve the Semantic Gap Problem: The semantic gap problem is currently the single largest obstacle to deploying VMI applications. In this thesis we investigated a piece of this problem using machine learning techniques, but we also acknowledge that this approach cannot achieve perfect accuracy and may not be suitable for all applications. There are a variety of possibilities for solving the semantic gap problem. One option could be to partner with software companies to get the appropriate semantic information about each program to be exposed or made publicly available. Another option could be to develop software analysis techniques that can automatically extract the necessary semantic information from source code or, ideally, binary versions of software. A third option could be to create a public semantic repository where reverse engineers can deposit discovered semantic information using a well defined data format. There are potentially many other options, and the final solution may be a hybrid of these approaches. However, without a unified solution to this problem, VMI will never achieve broad general acceptance.

• Simplify VMI Programming: VMI code is currently very messy. As an example, consider Listing 1. The problem is that the code is directly manipulating raw memory, resulting in both the memory layout and the software logic being embedded throughout the program. This creates code that is difficult to read and difficult to maintain. This can be addressed using a programming language that specifically separates the code logic from the memory layout [187], or through a series of interfaces that progressively build higher semantic abstractions on top of the raw memory. The correct path forward for addressing this problem is not obvious. A new language could provide more flexibility, but may require porting a lot of legacy code. However, building new APIs can be a slow process because the end result is somewhat rigid and a successful API will need to account for a variety of competing interests.

• Create a VMI-Specific Virtualization Platform: All of the work in this thesis was performed on Xen, which is a server-class virtualization solution. This approach offered the benefit of being able to focus on VMI, without spending time building a new hypervisor. However, Xen may not be a practical long-term solution for VMI applications. First, Xen is too large to provide strong (i.e., verifiable) security guarantees. Next, since Xen is not designed for desktop systems, its performance is poor in these settings when things such as video processing are critical. And, finally, Xen is challenging to install on many platforms including laptops and desktop systems. A solution to all of these problems is to build a hypervisor that is designed specifically to provide controlled isolation to a Security VM and to enable the Turret architecture to operate within that VM, without a challenging installation procedure. Additional virtualization features could be made available by allowing layered hypervisors, if needed.
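As an added illustration of the two points raised above (the semantic gap and the offset-laden style of VMI code), the following Python sketch is not from this thesis, from Listing 1, or from XenAccess. It builds a constructed guest memory snapshot holding a hypothetical task-list structure (the layout is invented for the example, not a real kernel's), walks it first in the raw style where offsets are interleaved with the logic, and then through a small typed interface whose layout comes from a JSON profile of the kind a public semantic repository could distribute. The `read_physical` function stands in for a VMI library's raw memory read.

```python
import json
import struct

# Constructed guest memory: three hypothetical "task" structures, each 64 bytes,
# linked through a "next" pointer. Layout (invented for this example):
#   offset 0:  u32 pid
#   offset 4:  u32 state
#   offset 8:  char comm[16]
#   offset 24: u64 next   (guest physical address of the next task, 0 = end)
TASK_HEAD = 0x1000


def _build_task(pid, state, comm, nxt):
    body = struct.pack("<II16sQ", pid, state, comm.encode().ljust(16, b"\0"), nxt)
    return body + b"\0" * (64 - len(body))


GUEST_MEMORY = {
    0x1000: _build_task(1, 0, "init", 0x2000),
    0x2000: _build_task(42, 1, "sshd", 0x3000),
    0x3000: _build_task(1337, 0, "bash", 0),
}


def read_physical(addr, size):
    """Stand-in for a VMI library's raw read of guest physical memory."""
    for base, blob in GUEST_MEMORY.items():
        if base <= addr < base + len(blob):
            off = addr - base
            return blob[off:off + size]
    raise ValueError(f"unmapped guest address {addr:#x}")


# --- Raw style: magic offsets and widths are embedded in the monitoring logic ---
def list_pids_raw(head):
    pids = []
    addr = head
    while addr:
        pids.append(struct.unpack("<I", read_physical(addr, 4))[0])          # pid at +0
        addr = struct.unpack("<Q", read_physical(addr + 24, 8))[0]           # next at +24
    return pids


# --- Separated style: the layout is data in a well-defined format ---
PROFILE_JSON = """{
  "task": {
    "pid":   {"offset": 0,  "type": "u32"},
    "state": {"offset": 4,  "type": "u32"},
    "comm":  {"offset": 8,  "type": "char[16]"},
    "next":  {"offset": 24, "type": "ptr"}
  }
}"""
PROFILE = json.loads(PROFILE_JSON)

# Scalar decoders keyed by the profile's type names (example-only vocabulary).
CODECS = {"u32": ("<I", 4), "ptr": ("<Q", 8)}


class GuestStruct:
    """Typed view over one guest structure. The layout comes from the profile,
    so code that uses this class never mentions an offset or a width."""

    def __init__(self, profile, struct_name, addr):
        self._layout = profile[struct_name]
        self._addr = addr

    def __getattr__(self, field):
        # Only reached for names that are not real attributes of the object.
        if field.startswith("_") or field not in self._layout:
            raise AttributeError(field)
        spec = self._layout[field]
        addr = self._addr + spec["offset"]
        kind = spec["type"]
        if kind.startswith("char["):
            length = int(kind[5:-1])
            raw = read_physical(addr, length)
            return raw.split(b"\0", 1)[0].decode("ascii", "replace")
        fmt, size = CODECS[kind]
        return struct.unpack(fmt, read_physical(addr, size))[0]


def list_tasks_semantic(profile, head):
    """Same walk as list_pids_raw, but the logic reads as a list traversal."""
    tasks = []
    addr = head
    while addr:
        task = GuestStruct(profile, "task", addr)
        tasks.append((task.pid, task.comm))
        addr = task.next
    return tasks


if __name__ == "__main__":
    print("raw walk:     ", list_pids_raw(TASK_HEAD))
    print("semantic walk:", list_tasks_semantic(PROFILE, TASK_HEAD))
```

The two walks return the same process list, but only the second survives a change to the guest's structure layout without touching the monitoring logic: a new profile entry is enough. That is the division of labour the thesis asks for, with the profile playing the role of the semantic information that a compiler, an analysis tool, or a shared repository would supply.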

• Create Audit-Aware Software: In addition to solving the semantic gap problem, as external monitoring becomes more popular it will become increasingly important to build software so that it can more easily be audited. Ideally, this should not be left to the application developers. Instead, this should become a new feature in compilers. A compiler could generate a program such that its layout in memory at runtime is optimized for external monitoring. This goal could be achieved by controlling where and how data is laid out on each page of memory and embedding semantic information alongside data in memory. Compilers could also output all of the necessary semantic information needed to solve the semantic gap problem. This information could be placed in memory or added to a database repository used by VMI software.

• Enhance and Generalize VMI Libraries: As a part of our research, we made the XenAccess library publicly available. However, this library only works on Xen and does not include any of our secure active monitoring technologies. VMWare provides its own VMI library, VMsafe [173], that only works on VMWare products and is incompatible with XenAccess. So currently application developers must choose which virtualization platform to work on at the start of their project, and changing that decision later is difficult and costly. Ideally, we believe that XenAccess should be expanded to include support for the secure active monitoring techniques discussed in this thesis. In addition, XenAccess should be ported to work on Xen and KVM, the two major open source virtualization platforms. And, finally, a common API should be implemented as a generic VMI library that works with both XenAccess and VMWare’s VMI library. These changes, taken together, will make VMI a commodity service that is available on all of the major virtualization platforms. Developers can then create one version of their VMI-enabled software and it would work on any of these platforms. While these steps do not represent major research challenges, they do represent important engineering challenges that will lead to the further acceptance and adoption of VMI.