Hypervisor-based Memory Introspection at the Next Level: User-Mode Memory Introspection and Protection of Live VMs
Andrei Vlad Lutas, Bitdefender
We are living in an era when advanced malware and APTs are trying, day by day, to steal our money, get away with our confidential data, or allow unknown foreign state-sponsored entities to take full control of our systems. With the growing ineffectiveness of traditional anti-malware solutions, it has become more than obvious that the industry needs to employ game-changing technologies: we need to take security to the next level. While support for hardware virtualization is becoming generally available on a wide variety of platforms, security software that takes advantage of it still needs to evolve before it is ready for wide-scale adoption. Kernel memory introspection, capable of providing rootkit protection, is well known in academia; we have taken the idea beyond the current state of the art, providing synchronous, real-time protection for live VMs against a wide range of threats. We also provide advanced protection for user-mode processes, while running our solution below the OS, securely isolated from kernel-mode attacks. Among other things, our approach features stack and heap execution prevention, detour prevention, and code-injection prevention inside protected processes. I will talk about the challenges we faced in getting there, some of the key results we obtained, and the remaining roadblocks, and finally highlight how I see the next few years.
author = {Andrei Vlad Lutas},
title = {Hypervisor-based Memory Introspection at the Next Level: {User-Mode} Memory Introspection and Protection of Live {VMs}},
year = {2015},
address = {Santa Clara, CA},
publisher = {USENIX Association},
month = jul
}