Memory Introspection Thread

As per this Issue on GitHub:

I’ve created this thread here to ask, and so that we can discuss, whether there are any updates or a formal timeline/release schedule for memory introspection.

I personally think that a memory introspection VM template would add far more practical security to Qubes than any other measure I can think of (aside from those outside the control of Qubes, e.g. firmware etc.).
For those who aren’t aware, memory introspection is essentially the IDS/IPS that actually works. It operates outside of the potentially infected VM, analysing OS calls to the hypervisor, and hence can detect behaviour that shouldn’t be there, which an infected OS would hide from inside the OS abstraction layer.

As bounties are a thing, what sort of bounty would get a working memory introspection VM which:
is user-friendly to configure isolation (simple cmdline or gui to set XSM policy limiting memory introspection VM to respective VM)
automatically works with existing qubes templates (without need for manually configuring loads of rules)
leverages disposable VMs

I wrote a guide on how to use DRAKVUF with Qubes r4.2.0-rc5 here: GitHub - scrubbedha/Qubes_Drakvuf: Repository of Qubes How-To Guides (requires patching qubes-vmm-xen)
