Haskell Library for Safer Virtual Machine Introspection (Experience Report)

What is it about?

Virtual machine introspection (VMI) is a technique for inspecting a virtual machine from the outside, typically to analyze the operating system (guest OS) running on it. For instance, the program that uses VMI, which we call "VMI program," can scan the guest OS for malicious processes and terminate them. LibVMI is a C library for VMI; it provides interfaces (APIs) that enable the VMI program written in C to read/write guest OS's memory. However, using LibVMI directly is prone to introduce fatal errors that the C compiler cannot detect, such as a crash of the guest OS. This paper presents HaVMI, a Haskell library that facilitates VMI programming by detecting such errors statically. By using HaVMI, the programmer can write safer VMI programs easily.

Featured Image

Why is it important?

In using the LibVMI APIs directly in C, the programmer must compute target addresses in the guest memory and then access them with their exact bit widths and types. This is an enormous burden for the programmer and is prone to introduce statically undetected but fatal errors. HaVMI alleviates the problems with directly using LibVMI by utilizing Haskell's meta-programming facility and type checking mechanism. The meta-programming facility generates code at compile time, which makes it easy to write safer VMI programs. The type checking mechanism supports HaVMI's compile-time detection of the programmer's errors.