Lukas Beierlieb, Alexander Schmitz, Raphael Springer, Christian Dietrich, Lukas Iffländer

• Abstract: Virtual Machine Introspection (VMI) is a powerful technology used to detect and analyze malicious software inside Virtual Machines (VMs) from outside. Asynchronously accessing the VM ’s memory can be insufficient for efficiently monitoring what is happening inside of a VM. Active VMI introduces breakpoints to intercept VM execution at relevant points. Especially for frequently visited breakpoints, and even more so for production systems, it is crucial to keep their performance overhead as low as possible. In this paper, we provide a systematization of existing VMI breakpoint implementation variants, propose workloads to quantify the different performance penalties of breakpoints, and implement them in the benchmarking application bpbench. We used this benchmark to measure that, on an Intel Core i5 7300U, SmartVMI’s breakpoints take around 81 μs to handle, and keeping the breakpoint invisible costs an additional 21 μs per read access. The availability of bpbench facilitates the comparison of disparate breakpoint mechanisms and their performance optimization with immediate feedback.