Christofer Hoff, Chief Security Architect at Unisys, spotted a whitepaper presented in 2002 by Tal Garfinkel and Mendel Rosenblum (already a co-founder of VMware at that time) about a project called Livewire, a new approach to delivering host-based intrusion detection systems (IDS) through hardware virtualization:
Today’s architectures for intrusion detection force the IDS designer to make a difficult choice. If the IDS resides on the host, it has an excellent view of what is happening in that host’s software, but is highly susceptible to attack. On the other hand, if the IDS resides in the network, it is more resistant to attack, but has a poor view of what is happening inside the host, making it more susceptible to evasion. In this paper we present an architecture that retains the visibility of a host-based IDS, but pulls the IDS outside of the host for greater attack resistance. We achieve this through the use of a virtual machine monitor.
Using this approach allows us to isolate the IDS from the monitored host but still retain excellent visibility into the host’s state. The VMM also offers us the unique ability to completely mediate interactions between the host software and the underlying hardware. We present a detailed study of our architecture, including Livewire, a prototype implementation. We demonstrate Livewire by implementing a suite of simple intrusion detection policies and using them to detect real attacks.
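As an added illustration (not code from the paper, from Livewire, or from VMware), the following Python script models the hidden-process check that this kind of architecture makes possible: the view an in-guest tool gets by walking the kernel's process list is compared with the view an IDS outside the guest gets by scanning raw guest memory for process descriptors. Anything present in memory but absent from the list is reported. The memory layout, the descriptor format and the `PROC` signature are constructed for the example and stand in for a real VMM's guest-memory access; the `hide_process` helper is only a test fixture that produces the discrepancy the detector is meant to find.

```python
"""Toy model of VMM-side intrusion detection in the Livewire style.

Everything here is constructed for illustration: a 'guest' keeps a singly
linked list of process descriptors in a flat byte array, the head pointer
lives at address 0, and each descriptor starts with the signature b"PROC".
The IDS runs *outside* the guest and reads that byte array directly, so it
can cross-check the list walk (what the guest reports) against a raw scan
(what is physically in memory).
"""
import struct

PAGE_SIZE = 4096
DESC_MAGIC = b"PROC"            # constructed descriptor signature
DESC_FMT = "<4sI16sI"           # magic, pid, name[16], next pointer
DESC_SIZE = struct.calcsize(DESC_FMT)   # 28 bytes


class GuestMemory:
    """Stands in for the VMM's raw view of guest physical memory."""

    def __init__(self, size=PAGE_SIZE):
        self.mem = bytearray(size)

    def read(self, addr, n):
        return bytes(self.mem[addr:addr + n])

    def write(self, addr, data):
        self.mem[addr:addr + len(data)] = data


def make_desc(pid, name, nxt):
    return struct.pack(DESC_FMT, DESC_MAGIC, pid,
                       name.encode().ljust(16, b"\0"), nxt)


def build_guest(procs, base=0x100):
    """Lay out descriptors contiguously from `base` and link them in order."""
    gm = GuestMemory()
    addrs = [base + i * DESC_SIZE for i in range(len(procs))]
    for i, (pid, name) in enumerate(procs):
        nxt = addrs[i + 1] if i + 1 < len(procs) else 0
        gm.write(addrs[i], make_desc(pid, name, nxt))
    gm.write(0, struct.pack("<I", addrs[0]))     # head pointer at address 0
    return gm, addrs


def walk_list(gm):
    """In-guest view: follow head -> next pointers, as a `ps`-like tool would."""
    addr = struct.unpack("<I", gm.read(0, 4))[0]
    seen = {}
    while addr and addr not in seen:             # loop guard against cycles
        _, pid, name, nxt = struct.unpack(DESC_FMT, gm.read(addr, DESC_SIZE))
        seen[addr] = (pid, name.rstrip(b"\0").decode())
        addr = nxt
    return seen


def scan_descriptors(gm):
    """Out-of-guest view: scan raw memory for descriptor signatures."""
    found = {}
    for off in range(0, len(gm.mem) - DESC_SIZE + 1):
        if gm.mem[off:off + 4] == DESC_MAGIC:
            _, pid, name, _ = struct.unpack(DESC_FMT, gm.read(off, DESC_SIZE))
            found[off] = (pid, name.rstrip(b"\0").decode())
    return found


def hidden_processes(gm):
    """Policy: descriptors present in memory but missing from the list walk."""
    visible = walk_list(gm)
    return {a: p for a, p in scan_descriptors(gm).items() if a not in visible}


def hide_process(gm, addrs, idx):
    """Test fixture only: unlink descriptor `idx` so the list walk skips it
    while the descriptor itself stays in memory (the case the IDS must catch)."""
    victim_next = struct.unpack(DESC_FMT, gm.read(addrs[idx], DESC_SIZE))[3]
    if idx == 0:
        gm.write(0, struct.pack("<I", victim_next))
    else:
        magic, pid, name, _ = struct.unpack(DESC_FMT,
                                            gm.read(addrs[idx - 1], DESC_SIZE))
        gm.write(addrs[idx - 1], struct.pack(DESC_FMT, magic, pid, name, victim_next))


if __name__ == "__main__":
    gm, addrs = build_guest([(1, "init"), (42, "sshd"), (1337, "unexpected")])
    print("before:", hidden_processes(gm))     # {}
    hide_process(gm, addrs, 2)
    print("guest sees:", sorted(p for p, _ in walk_list(gm).values()))
    print("VMM-side IDS flags:", hidden_processes(gm))
```

The point of the model is the split between the two views: the list walk is all a tool inside the guest can rely on, whereas the scanner needs only raw memory and knowledge of the guest's data structures, which is exactly what the VMM position provides. In a real deployment the signature scan would be replaced by the guest OS's actual descriptor layout, and the policy would be one of several run periodically or on VMM-mediated events.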
Six years later, VMware is finally about to release a set of APIs called VMsafe, which seem to do exactly the same thing.
Until VMware releases more details about VMsafe, this paper is therefore the most detailed documentation available about the upcoming architecture.
Read the whole paper at source.