BlueGuard: Accelerated Host and Guest Introspection Using DPUs

  • Meni Orenbach
  • Rami Ailabouni
  • Nael Masalha
  • Thanh Nguyen
  • Ahmad Saleh
  • Frank Block
  • Fritz Alder
  • Ofir Arkin
  • Ahmad Atamli

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

Abstract

Virtual Machine Introspection (VMI) is an essential technique for monitoring the runtime state of a virtual machine. VMI systems are widely used by major cloud providers as they enable a range of applications, such as malware detection. Unfortunately, existing VMI systems suffer from several shortcomings: they either compete with the introspected VMs for shared CPU resources or report poor performance. Further, they cannot introspect hypervisors or bare metal machines. We propose BlueGuard, a system that leverages the physically isolated Data Processing Unit (DPU) commonly found on data center servers to efficiently run full system introspection by both host and guest introspection (HGI). BlueGuard facilitates the creation of hardware-accelerated HGI applications and frees the CPU while providing performance isolation. As a beneficial side effect, BlueGuard is capable of introspecting even bare metal servers that are usually out of scope for VMI systems. Furthermore, BlueGuard abstracts the DPU accelerators and provides kernel bypassing, non-blocking memory access, and user-level threading to achieve µs-scale introspection latency. Finally, we introduce delta introspection to accelerate the detection of state changes with BlueGuard and demonstrate the ability to isolate infected machines on a network layer. We implement and extensively evaluate BlueGuard on an NVIDIA BlueField-2 DPU. Our system achieves a 4.3× detection speedup compared to prior work and is capable of monitoring tens of VMs concurrently without hindering the host performance.

Original language: English
Title of host publication: Proceedings of the 34th USENIX Security Symposium
Publisher: USENIX Association
Pages: 645-664
Number of pages: 20
ISBN (Electronic): 9781939133526
State: Published - 2025
Externally published: Yes
Event: 34th USENIX Security Symposium, USENIX Security 2025 - Seattle, United States
Duration: 13 Aug 2025 → 15 Aug 2025

Publication series

Name: Proceedings of the 34th USENIX Security Symposium

Conference

Conference: 34th USENIX Security Symposium, USENIX Security 2025
Country/Territory: United States
City: Seattle
Period: 13/08/25 → 15/08/25

Bibliographical note

Publisher Copyright:
© 2025 by The USENIX Association All Rights Reserved.

ASJC Scopus subject areas

  • Safety, Risk, Reliability and Quality
  • Computer Networks and Communications
  • Information Systems
