LO-PHI
LO-PHI is a distributed hardware and software platform that aims to instrument both physical and virtual machines through the use of novel sensors and accompanying data analysis tools. The current suite of capabilities includes memory introspection, disk activity monitoring, keyboard and mouse actuation, and power management. Future versions will also include CPU introspection.
For virtual hosts, these capabilities are provided in a popular open-source hypervisor, QEMU-KVM, by custom hooks inserted into the source code. Similarly, for physical hosts, there is custom hardware to provide the same sensor capabilities. For asynchronous memory introspection, we have both a PCI and a PCI-Express card, each capable of direct memory access (DMA). For disk access monitoring, we developed a Serial ATA (SATA) interposer, which enables us to monitor any SATA-capable disk drive. These are implemented on various development field-programmable gate arrays (FPGAs). Finally, all of the sensors have accompanying application programming interfaces (APIs), written in Python, to facilitate end-user interaction, along with a suite of deployment and analytics tools for rapid deployment and prototyping with our sensors. The analytics tools are built on popular and powerful open-source forensics tools, i.e., Volatility and Sleuthkit, which enable a wide range of capabilities right out of the box, e.g., enumerating running processes and file system operations for popular operating systems.
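To make the disk-monitoring path concrete, the following is an added example (not LO-PHI's own API or code) of the kind of analysis a SATA interposer enables: raw sector-level read/write events are mapped back to files using a Sleuthkit-style block allocation map, and writes that land outside any partition or outside any allocated file are flagged. The event format, the block map, the file names and the partition start sector are all constructed assumptions for the example.

```python
"""Constructed, hypothetical analyser for a SATA-interposer style disk sensor.

This is an added illustration, not LO-PHI's own API. It assumes:
  * the sensor delivers one DiskEvent per command: op ("R"/"W"), starting
    LBA and sector count (512-byte sectors);
  * a Sleuthkit-style block map (file path -> list of (start_lba, n_sectors)
    runs) has already been built for the monitored volume;
  * the first partition starts at RESERVED_END, so writes below it (MBR and
    the partition gap) are unusual enough to flag.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class DiskEvent:
    ts: float    # sensor timestamp, seconds
    op: str      # "R" (read) or "W" (write)
    lba: int     # first sector addressed
    count: int   # number of sectors


# Hypothetical block map, as would be derived from Sleuthkit allocation listings.
BLOCK_MAP: Dict[str, List[Tuple[int, int]]] = {
    "/Windows/System32/drivers/etc/hosts": [(2048, 4)],
    "/Users/alice/report.docx": [(4096, 16), (8192, 8)],
    "/pagefile.sys": [(100000, 50000)],
}

RESERVED_END = 2048  # hypothetical first-partition start (sector)

# Constructed sample capture from the (hypothetical) interposer.
SAMPLE_EVENTS = [
    DiskEvent(0.010, "R", 2048, 4),    # hosts file read in full
    DiskEvent(0.250, "W", 2049, 1),    # one sector of hosts rewritten
    DiskEvent(0.300, "W", 0, 1),       # MBR overwritten: reserved area
    DiskEvent(0.410, "R", 4100, 8),    # partial read inside report.docx
    DiskEvent(0.500, "W", 50000, 8),   # write into unallocated space
]


def build_extent_index(block_map):
    """Flatten the block map into sorted (start, stop_exclusive, path) extents."""
    extents = []
    for path, runs in block_map.items():
        for start, n in runs:
            extents.append((start, start + n, path))
    extents.sort()
    return extents


def resolve(extents, lba, count):
    """Map a sector range to {path: sectors_overlapped} using the extent list."""
    end = lba + count
    hits = {}
    for start, stop, path in extents:
        lo, hi = max(start, lba), min(stop, end)
        if lo < hi:  # the command touched part of this extent
            hits[path] = hits.get(path, 0) + (hi - lo)
    return hits


def analyse(events, block_map, reserved_end=RESERVED_END):
    """Return (per-file sector counts by op, list of alert strings)."""
    extents = build_extent_index(block_map)
    per_file = {}
    alerts = []
    for ev in events:
        hits = resolve(extents, ev.lba, ev.count)
        for path, n in hits.items():
            per_file.setdefault(path, {"R": 0, "W": 0})[ev.op] += n
        if ev.op == "W" and ev.lba < reserved_end:
            alerts.append(f"t={ev.ts:.3f}: write to reserved LBA {ev.lba} "
                          f"({ev.count} sectors) below the first partition")
        elif not hits:
            alerts.append(f"t={ev.ts:.3f}: {ev.op} of {ev.count} sectors at LBA "
                          f"{ev.lba} maps to no allocated file")
    return per_file, alerts


if __name__ == "__main__":
    per_file, alerts = analyse(SAMPLE_EVENTS, BLOCK_MAP)
    for path, counts in sorted(per_file.items()):
        print(f"{path}: read {counts['R']} sectors, wrote {counts['W']} sectors")
    for a in alerts:
        print("ALERT", a)
```

The point of the example is the translation layer: the interposer only sees logical block addresses, so the file-system view that Sleuthkit provides (the allocation map) is what turns sector traffic into "file X was modified", and anything that maps to no file (slack space, the MBR, unallocated clusters) is exactly the activity a host-resident agent would be least likely to report.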
Because of the numerous foreseeable applications of LO-PHI technologies, we developed the architecture in a modular way such that any set of our sensors and analytics tools can be used in isolation or in unison, thus providing end-users with the flexibility to fit a solution to their problem without any unnecessary hurdles.