Logging Hypercalls to Learn About the Behavior of Hyper-V

Lukas Beierlieb, Nicolas Bellmann, Lukas Iffländer, Samuel Kounev

2024

Abstract

Hypervisors such as Xen, VMware ESXi, or Microsoft Hyper-V provide virtual machines used in data centers and cloud computing, making them a popular attack target. One potential attack vector is the hypercall interface, which exposes privileged operations as hypercalls. We present a hypercall logger for the Hyper-V hypercall interface that logs the inputs, outputs, and sequence of hypercalls. The logs should improve the testability of the hypercall interface by helping to construct test cases for the hypercall handlers. Related works in hypercall monitoring analyze less detailed hypercall invocation data with intrusion detection systems. Our logger extends the WinDbg debugger by adding commands to set software breakpoints on the hypercall handler entry and exit within a debugging session with the Hyper-V hypervisor. The evaluation confirmed that the logs are correct and that the breakpoints slow hypercall execution by 100,000 to 200,000. A case study with the hypercall handler logger helps create test cases for evaluation and demonstrates the logger’s suitability.


Paper Citation


in Harvard Style

Beierlieb L., Bellmann N., Iffländer L. and Kounev S. (2024). Logging Hypercalls to Learn About the Behavior of Hyper-V. In Proceedings of the 19th International Conference on Software Technologies - Volume 1: ICSOFT; ISBN 978-989-758-706-1, SciTePress, pages 411-418. DOI: 10.5220/0012768100003753


in Bibtex Style

@conference{icsoft24,
author={Lukas Beierlieb and Nicolas Bellmann and Lukas Iffländer and Samuel Kounev},
title={Logging Hypercalls to Learn About the Behavior of Hyper-V},
booktitle={Proceedings of the 19th International Conference on Software Technologies - Volume 1: ICSOFT},
year={2024},
pages={411-418},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0012768100003753},
isbn={978-989-758-706-1},
}


in EndNote Style

TY - CONF

JO - Proceedings of the 19th International Conference on Software Technologies - Volume 1: ICSOFT
TI - Logging Hypercalls to Learn About the Behavior of Hyper-V
SN - 978-989-758-706-1
AU - Beierlieb L.
AU - Bellmann N.
AU - Iffländer L.
AU - Kounev S.
PY - 2024
SP - 411
EP - 418
DO - 10.5220/0012768100003753
PB - SciTePress