VBD-MF: A Block Device to Monitor the File System of Virtual Machine

Rui LOU, Lie-hui JIANG, Yi-sen WANG


The virtual block device is the data carrier of a virtual machine (VM) and of its users' information, and the file system it holds is the ultimate target of many attackers. We propose a security device, virtual block device mapping to file (VBD-MF), that translates block-level operations into file-level ones by building a mapping from disk blocks to guest files. VBD-MF provides an out-of-VM way to monitor the guest file system without modifying the code of the virtual machine monitor (VMM) or the guest OS, and it gives other security tools and methods a direct interface for operating on that file system. We implemented a prototype on Linux and KVM. The evaluation shows that VBD-MF monitors the file system more capably than the alternatives, at the cost of some read and write performance. Compared with traditional host-based file system monitoring, VBD-MF is better hidden from the guest and safer from tampering.
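The block-to-file translation the abstract describes can be sketched in a few dozen lines. The model below is an added example, not the paper's prototype or any code from its authors: it assumes 4 KiB blocks, a guest file system whose files occupy one or more extents (runs of blocks), and an extent table that is constructed inline, whereas a real VBD-MF device would recover that table by parsing the guest file system on the virtual disk. The write requests fed to it are constructed as well, not captured traffic. The point it adds beyond the abstract is how a single block request can fan out into several file-level events, including writes to blocks that belong to no known file, which a monitor should report rather than silently drop.

```python
"""Toy block-to-file translation in the spirit of VBD-MF (added example, not the paper's code).

Assumptions (not from the paper): 4 KiB blocks; each guest file is a list of
extents; the extent table below is constructed inline rather than parsed from
a real guest disk image; the write requests are constructed, not captured.
"""
from bisect import bisect_right
from dataclasses import dataclass
from typing import List, Optional, Tuple

BLOCK_SIZE = 4096


@dataclass(frozen=True)
class Extent:
    start: int        # first disk block of the run
    count: int        # number of blocks in the run
    path: str         # guest file that owns the run
    file_offset: int  # byte offset inside the file at which the run begins


@dataclass(frozen=True)
class FileEvent:
    path: Optional[str]  # None when the blocks belong to no known file
    offset: int          # offset within the file, or absolute disk offset if unmapped
    length: int


class BlockToFileMap:
    """Inverts an extent table so any disk block can be resolved to its owning file."""

    def __init__(self, extents: List[Extent]) -> None:
        self._extents = sorted(extents, key=lambda e: e.start)
        self._starts = [e.start for e in self._extents]
        # Two files can never own the same block in a consistent file system.
        for a, b in zip(self._extents, self._extents[1:]):
            if a.start + a.count > b.start:
                raise ValueError(f"extents overlap: {a} / {b}")

    def lookup(self, block: int) -> Optional[Extent]:
        i = bisect_right(self._starts, block) - 1
        if i >= 0 and block < self._extents[i].start + self._extents[i].count:
            return self._extents[i]
        return None

    def translate(self, disk_offset: int, length: int) -> List[FileEvent]:
        """Split one block-level request into file-level events.

        A request may span several files and may touch blocks that map to no
        file (free space or file-system metadata); those are reported as
        unmapped events so the monitor still sees them.
        """
        events: List[FileEvent] = []
        pos, end = disk_offset, disk_offset + length
        while pos < end:
            block = pos // BLOCK_SIZE
            ext = self.lookup(block)
            if ext is None:
                chunk = min(end, (block + 1) * BLOCK_SIZE) - pos
                events.append(FileEvent(None, pos, chunk))
            else:
                extent_end = (ext.start + ext.count) * BLOCK_SIZE
                chunk = min(end, extent_end) - pos
                in_file = ext.file_offset + (pos - ext.start * BLOCK_SIZE)
                events.append(FileEvent(ext.path, in_file, chunk))
            pos += chunk
        return events


def protected_hits(bmap: BlockToFileMap, requests: List[Tuple[int, int]],
                   protected: List[str]) -> List[FileEvent]:
    """Return the file-level events from `requests` that touch a protected file or directory."""
    exact = set(protected)
    prefixes = tuple(p.rstrip("/") + "/" for p in protected)
    hits: List[FileEvent] = []
    for disk_offset, length in requests:
        for ev in bmap.translate(disk_offset, length):
            if ev.path is not None and (ev.path in exact or ev.path.startswith(prefixes)):
                hits.append(ev)
    return hits


def build_example_map() -> BlockToFileMap:
    # Constructed extent table standing in for one parsed from a guest disk image.
    return BlockToFileMap([
        Extent(100, 2, "/etc/passwd", 0),
        Extent(102, 2, "/home/user/notes.txt", 0),
        Extent(200, 5, "/var/log/syslog", 0),
        Extent(300, 2, "/var/log/syslog", 5 * BLOCK_SIZE),  # second extent of a fragmented file
    ])


if __name__ == "__main__":
    bmap = build_example_map()
    reqs = [(100 * BLOCK_SIZE + 10, 20),          # small write inside /etc/passwd
            (101 * BLOCK_SIZE, 2 * BLOCK_SIZE),   # write crossing from passwd into notes.txt
            (50 * BLOCK_SIZE, BLOCK_SIZE)]        # write to a block owned by no file
    for off, ln in reqs:
        print(f"write disk+{off} len {ln}:")
        for ev in bmap.translate(off, ln):
            print("   ", ev)
    print("policy hits:", protected_hits(bmap, reqs, ["/etc/passwd"]))
```

The extent table is the part a real implementation has to keep current: every guest allocation, truncation or rename changes it, so the mapping must be rebuilt or incrementally updated from the on-disk metadata the same block stream reveals, or file-level events will be attributed to the wrong path.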


Virtualization, Virtual block device, File system monitoring, File access control


