Virtual machine introspection (VMI) has been widely used for stealthy monitoring of guest systems. However, context switching between monitoring system and monitored target introduces considerable overhead, especially for tracing common system calls, and deployment of VMI-based setups is complex. This work investigates whether extended Berkeley Packet Filter (eBPF) based tracing, a low-overhead kernel-level monitoring technique, can serve as an alternative. We compare the two paradigms in terms of performance, stealthiness, and practical applicability. Using micro-benchmarks and a prototype high-interaction SSH honeypot, we evaluate the capabilities and limitations of eBPF-based monitoring in adversarial settings. Our results highlight advantages and limitations of both, providing insights for the design of future security monitoring systems.

错误:搜索内容不能为空,请输入英文关键词
错误:关键词超出字数限制,请精简
高级检索

Evaluating eBPF as an Alternative to Virtual Machine Introspection for High-Interaction Honeypot Implementation

  • Niku Waltteri Saulinpoika Nuutinen,
  • Miguel Faísco,
  • Milan Petrusic,
  • Ibéria Medeiros,
  • Hans P. Reiser

摘要

Virtual machine introspection (VMI) has been widely used for stealthy monitoring of guest systems. However, context switching between monitoring system and monitored target introduces considerable overhead, especially for tracing common system calls, and deployment of VMI-based setups is complex. This work investigates whether extended Berkeley Packet Filter (eBPF) based tracing, a low-overhead kernel-level monitoring technique, can serve as an alternative. We compare the two paradigms in terms of performance, stealthiness, and practical applicability. Using micro-benchmarks and a prototype high-interaction SSH honeypot, we evaluate the capabilities and limitations of eBPF-based monitoring in adversarial settings. Our results highlight advantages and limitations of both, providing insights for the design of future security monitoring systems.