KVM interest in VM introspection

KVM interest in VM introspection

[Mathieu Tarral]

Dear KVM maintainers,

As I'm preparing a talk about the new introspection API proposed by BitDefender,
that you are currently reviewing, I wanted to better understand your opinion and
goals on offering VMI on KVM.

I'm asking you this because today, there is no consensus that hypervisor vendors
should provide this type of API and what benefits they might get.

Looking at the hypervisor support, we have the following situation:
- Xen: upstream since 2011 (and even before)
- KVM: patches under review since 2017
- VirtualBox: unofficial patches available, no interest for integration and
  support by Oracle
- VMware: no public interest
- Hyper-V: no public interest

Therefore I would like to better understand your point of view about this
technology:
- What are the concrete benefits for the KVM community ?
- What are your targeted users or use case ? (enabling OS research, advanced
  debugging, malware analysis, live forensics, OS hardening, cloud monitoring ?)
- What's your vision about this technology, considering that new trends like
  AMD's Secure Encrypted Virtualization and Intel's SGX wants to lock down the
  VM state, even for the hypervisor underneath ?

Note: The title of my talk is "Leveraging KVM as a debugging platform".

I have been working on LibVMI to rewrite the KVM driver[1], and I built a GDB stub
on top of it, improved with introspection capabilities to understand the
execution context.[2]

I'm planning to present a demo of my debugger running on top of KVM, and
debugging user processes.

Note2: I will be at the next KVM Forum, in Lyon, and I would be delighted to
continue our discussions in person !

[1] KVM-VMI:  https://github.com/KVM-VMI/kvm-vmi
[2] pyvmidbg: https://github.com/Wenzel/pyvmidbg


Thanks,
Mathieu Tarral