TY - GEN
T1 - Follow the WhiteRabbit: Towards Consolidation of On-the-Fly Virtualization and Virtual Machine Introspection
AU - Proskurin, Sergej
AU - Kirsch, Julian
AU - Zarras, Apostolis
PY - 2018
Y1 - 2018
AB - The growing complexity of modern malware drives security applications to leverage virtual machine introspection (VMI), which provides a complete and untainted view over the virtual machine state. To benefit from this ability, a VMI-aware virtual machine monitor (VMM) must be set up in advance underneath the target system; a constraint for the massive application of VMI. In this paper, we present WhiteRabbit, a VMI framework comprising a microkernel-based VMM that transparently virtualizes a running operating system, on-the-fly, for the purpose of forensic analysis. As a result, the systems to be analyzed do not have to be explicitly set up for VMI a priori. After its deployment, our framework exposes VMI services for remote applications: WhiteRabbit implements a LibVMI interface that enables it to be engaged by popular VMI applications remotely. Our prototype employs Intel as well as ARM virtualization extensions to take over control of a running Linux system. WhiteRabbit’s on-the-fly capability and limited virtualization overhead constitute an effective solution for malware detection and analysis.
U2 - 10.1007/978-3-319-99828-2_19
DO - 10.1007/978-3-319-99828-2_19
M3 - Conference article in proceeding
BT - Proceedings of the 33rd International Conference on ICT Systems Security and Privacy Protection (IFIP SEC)
ER -