If you’ve been following announcements made recently at Citrix Synergy, then you’ve likely seen that Citrix has released a brand new version of XenServer. XenServer 7.0 not only contains loads of improvements to many of the features you already love, but it continues to lead the way in areas, such as graphics virtualization and security.

One of the big features announced was “Direct Inspect APIs,” which can be used by security vendors to provide better than physical protection from malware and sophisticated attacks for VMs. This is a truly revolutionary step forward in how security vendors are able to fight targeted attacks. Before we dive into the details, though, let’s take a step back and look at what people are using today.

Traditional end-point protection: focuses on finding malware

Up until now, security vendors have developed increasingly sophisticated solutions that aim to protect systems (physical or virtual) by trying to find malicious files. The key point here is find.

Malware needs to find a vehicle into the system. Typically, this would be a foreign file (downloaded, received by email, copied from a USB stick etc) that resides on the system’s disk. Therefore, the name of the game is to attempt to inspect each file that pops up on the system, and figure out if it’s bad (will do something malicious).

In order to do this, each system requires security software running as a privileged application inside the system it is protecting, carrying out the scanning and remediation using a global list of known bad signatures for files that have already been seen and are known to be malicious.

New malware is hard to spot

This approach worked quite well at blocking malicious files that were sent out to millions of people (so long as you weren’t patient zero…), but over time malware writers have gotten smarter, attacks are now more targeted, malware is more sophisticated and harder to trace. Security vendors have added increasing amounts of intelligence to attempt to combat techniques used by attackers to obfuscate their malware, but they still remain on the back foot in a constant game of cat and mouse.

How has virtualization helped?

Once we got over some initial headaches caused by virtualization (such as the dreaded ‘AV Storm’) virtualization has helped improve performance.


Security vendors introduced a new deployment model: rather than installing a full-fledged anti-malware tool in each VM, users would install something much smaller. This smaller agent could then offload scanning to a network appliance.

Some hypervisors then introduced their own APIs that communicated with a kernel module shipped with their guest tools. These APIs allowed security vendors to provide agentless integration, making use of the hypervisor’s kernel module rather than building and maintaining their own.

Both of these approaches meant that the security software were able to understand which blocks were shared between the VMs and therefore carry out some performance optimisations (e.g. not having to re-scan blocks shared with other VM images).

But while disk scanning performance was dramatically improved, the approach of attempting to find malware on disk remained the same. The approach also still relied on security software running inside the VM which is a target for attackers.

What are the problems with the traditional approach?

Although this traditional approach had some value, the increase in advanced attacks has highlighted a number of its deficiencies:

Attacks may only ever exist in memory

These solutions focus on protecting the filesystem. They assume that malware will enter the system through files. The truth is that an increasing number of attacks may only ever reside in memory, and specifically not rely on the filesystem. For such attacks, these traditional solutions become useless.

New malware is hard to identify

If an attacker considers it worthwhile to construct ‘custom’ malware for attacking your company, your existing security solutions are unlikely to detect it. That’s because these solutions rely on similarities between the malware and the vendor’s database of known bad files. Something entirely new is almost impossible to correctly identify as malicious.

Assumes you can see the malware

In order to spot something malicious, software inside the VM (whether a full agent or a lite agent/agentless kernel module) is required. Unfortunately, specific types of malware known as ‘rootkits’ are becoming increasingly common. The purpose of a rootkit is to ‘hide’ malicious activity from a system. Once such a rootkit is installed (perhaps using a zero-day kernel vulnerability), you can no longer trust software running inside the VM as it can no longer ‘see’ everything that’s going on.

This means that any time a zero-day vulnerability is discovered, the window of time in which the vulnerability was undisclosed may well have been used by attackers to infect your system such that even if you subsequently applied security patches, your security software can no longer tell whether your system has been compromised.

Direct Inspect APIs: a revolutionary approach

In XenServer 7.0, we’ve added a set of APIs that allow security vendors to take a revolutionary approach to protecting Virtual Machines in an entirely new way, using the hypervisor to improve security, not just performance.

This project has been a real collaboration between a number of organizations: Citrix, Intel, the Xen Project and most notably Bitdefender who have been working on this project for several years and are the first vendor to deliver a security solution that makes use of these APIs (check out Bitdefender Hypervisor Introspection).

It really is revolutionary

Calling something revolutionary is a big claim – but it is warranted because with the Direct Inspect APIs, security vendors can now build a new class of security solution that hasn’t been seen before and protects against real threats that traditional approaches are not equipped to deal with.

With XenServer 7.0’s Direct Inspect APIs it is now possible for security vendors to:

Protect guest memory

Traditional technologies focus on protecting your filesystem (offloading real-time memory access is not performant enough). These APIs restore a security vendors’ ability to protect virtual machine memory, guarding against attacks that may never touch the filesystem.

Protect against attack techniques

Instead of trying to find malware this approach aims to block malware from ever executing. This is an important distinction because although an attacker can create a lot of different malware variants, they must use the same handful of techniques to abuse memory (e.g. buffer overflows, heap spray, function detouring, code injection).

This means that by focusing on blocking these techniques, a security vendor can now effectively protect against the class of ‘not yet seen’ advanced attacks.

As an example of this, Bitdefender has verified using their Hypervisor Introspection (HVI) product, that with the Direct Inspect APIs they could have caught a number of high profile advanced attacks, from day zero: APT28, Energetic Bear, Darkhotel, Erpic Turla, Regin, Zeus, Dyreza and Gameover (to name a few).

Protect without relying on software inside the VM

Relying on software inside the VM is problematic because some malware such as rootkits can (using zero-day vulnerabilities) completely compromise your ability to tell whether a system has been infected.

The Direct Inspect APIs allow protection to take place from the outside – using the hypervisor to provide hardware-enforced isolation. This means the attacker can no longer directly attack the security software.

It complements your existing security software

New technology is great, particularly when it comes to protecting your most valuable assets, however adopting it can be expensive. In this case, you might fear that in order to use this new technology you would have to swap out your existing EPP software for something entirely new.

The good news is that you don’t have to! This new approach has been designed to complement to your existing traditional EPP software (Bitdefender’s HVI solution is compatible with any other EPP provider on the market). Whether for compliance or defense in-depth, these traditional solutions will continue to focus on protecting your filesystem from the appearance of known malware.

What does it look like?


Very simply, it’s now possible to import a new type of virtual appliance provided by a security vendor that is able to protect critical regions of virtual machine memory, from the outside – using just the hypervisor and extensions in hardware.

This means no guest agents or hypervisor tools extensions are required or depended upon.

See it in action

To give you a feel for what this actually looks like here’s a short demo of a real attack (simulated using Metasploit) which makes use of a Flash plugin/Firefox vulnerability discovered last year (CVE-2015-3113) to gain remote access to a Windows 7 desktop that visits a compromised web page.

To demonstrate how dangerous this type of vulnerability is, the demo shows first what an attack looks like on a traditional system, which isn’t protected by Bitdefender HVI. The user only has to visit the web page, and unbeknown to them, a plugin which might be loaded in the background has established a remote session and is now able to completely control the machine.

If, however, the attack is simulated again, this time using Bitdefender HVI to protect the system – at the point where the malicious flash file is loaded by the browser, and carries out a malicious technique to execute its payload, HVI immediately stops the plugin from executing, protecting the user from the attack. It also subsequently responds by injecting (using the Direct Inspect APIs) its own forensics tool which can be used to collect further information about the attack (this is configurable).

Give it a go yourself!

Seeing a demo is one thing, but putting it through its paces in YOUR environment is quite another. The good news is that this is technology you can get your hands on today.

Bitdefender has announced a tech preview of their HVI product which you access today. To register and find out more information check out their site:


And of course if you don’t yet have a XenServer 7.0 license, you can register online for a free trial:


Stay tuned…

With the new Direct Inspect APIs there is a lot more to be said – so stay tuned for more from us on this.

In the meantime, you can watch the Synergy Breakout session SYN209: Deliver applications securely: how the hypervisor can help which covers content mentioned in this blog in more detail.

Citrix Mobilize Windows Banner 1_728x90-061715