Prototype for logging system calls and its overhead analysis

With the capability of the virtual machine monitor, a novel approach for logging system activities is designed. In the design, the guest operating system runs on the virtual machine monitor as non-privileged mode. The redirecting and monitoring modules are added into the virtual machine monitor. When a guest application is calling a system call, it is trapped and redirected from the least privileged level into the virtual machine monitor running in the most privileged level. After logging is finished, it returns to the guest operating system running in the more privileged level and starts the system call. Compared with the traditional methods for logging system activities, the novel method makes it more difficult to destroy or tamper the logs. The preliminary evaluation shows that the prototype is simple and efficient.