Abstract

The growing complexity of modern malware drives security applications to leverage Virtual Machine Introspection (VMI), which provides a complete and untainted view over the Virtual Machine state. To benefit from this ability, a VMI-aware Virtual Machine Monitor (VMM) must be set up in advance underneath the target system; a constraint on the large-scale application of VMI. In this paper, we present WhiteRabbit, a VMI framework comprising a microkernel-based VMM that transparently virtualizes a running Operating System, on-the-fly, for the purpose of forensic analysis. As a result, the systems to be analyzed do not have to be explicitly set up for VMI a priori. After its deployment, our framework exposes VMI services for remote applications: WhiteRabbit implements a LibVMI interface that enables it to be engaged by popular VMI applications remotely. Our prototype employs Intel as well as ARM virtualization extensions to take over control of a running Linux system. WhiteRabbit’s on-the-fly capability and limited virtualization overhead constitute an effective solution for malware detection and analysis.

Highlights

  • Malware can be executed with the same privileges as sensitive parts of the Operating System (OS)

  • Intel VT-x contains a set of Virtual Machine Extensions (VMX) that simplifies the process of virtualization

  • If ptrace fails, the caller is aware of a tracing application; if it succeeds, no other tracer will be able to attach itself to this process


Summary

Introduction

Malware can be executed with the same privileges as sensitive parts of the Operating System (OS). Once installed, it can hide itself from the OS and from security applications. Virtualization adds a software layer, the Virtual Machine Monitor (VMM), that implements a virtual hardware interface. This interface, the Virtual Machine (VM), provides an execution environment for guest OSes. A VMM has a complete view over the entire VM state and provides isolation from guest VMs, which prevents malware inside a VM from deceiving applications executing as part of the VMM. Conventional approaches require the systems to have a VMI-aware VMM in place before operation. We design and implement WhiteRabbit, a framework for forensic analysis that can be transparently deployed on general-purpose systems by moving the live OS into a dynamically initialized virtual environment. We make the following main contributions:

– We elaborate the design and architecture of the WhiteRabbit VMI framework, a microkernel-based VMM that transparently shifts a live OS into a VM on-the-fly without leaving any traces.
– We implement a prototype that is able to virtualize Linux OSes on-the-fly by leveraging the virtualization extensions of the Intel as well as the ARM architecture.
– We develop a LibVMI interface to facilitate remote VMI through existing LibVMI applications.

Virtualization Technology
Threat Model
The WhiteRabbit VMM
On-the-Fly Virtualization
Bridging the Semantic Gap
Hiding Techniques
Evaluation
Effectiveness
Performance
Limitations
Countermeasures
Related Work
Conclusion