Follow the WhiteRabbit: Towards Consolidation of On-the-Fly Virtualization and Virtual Machine Introspection

Sergej Proskurin, Julian Kirsch, Apostolis Zarras

Research output: Chapter in Book/Report/Conference proceeding › Conference article in proceeding › Academic › peer-review

Abstract

The growing complexity of modern malware drives security applications to leverage virtual machine introspection (VMI), which provides a complete and untainted view of the virtual machine state. To benefit from this ability, a VMI-aware virtual machine monitor (VMM) must be set up in advance underneath the target system, a constraint that hinders the large-scale application of VMI. In this paper, we present WhiteRabbit, a VMI framework comprising a microkernel-based VMM that transparently virtualizes a running operating system, on-the-fly, for the purpose of forensic analysis. As a result, the systems to be analyzed do not have to be explicitly set up for VMI a priori. After its deployment, our framework exposes VMI services to remote applications: WhiteRabbit implements a LibVMI interface that enables it to be engaged by popular VMI applications remotely. Our prototype employs Intel as well as ARM virtualization extensions to take over control of a running Linux system. WhiteRabbit's on-the-fly capability and limited virtualization overhead constitute an effective solution for malware detection and analysis.
Original language: English
Title of host publication: Proceedings of the 33rd International Conference on ICT Systems Security and Privacy Protection (IFIP SEC)
Publication status: Published - 2018