»Hypervisor-level debugger: benefits and challenges«
2018-10-16, 10:30–10:50, Europe

In this talk I will review the benefits of having hypervisor-level debuggers, analyze the previous attempts at building such a tool, and present r2vmi, which aims to be a flexible VMI debugger built on top of libvmi and radare2.

Virtual Machine Introspection (VMI) is a technique that leverages the hypervisor to inspect the virtual machine's hardware state (VCPU registers, virtual and physical memory) in real time. The technology has interested security researchers for a long time: the first scientific paper on the topic dates back to 2003. However, the complexity of hypervisors has kept existing attempts from gaining a wider audience. Furthermore, the semantic gap that has to be bridged when interpreting the virtual machine's context, and the performance overhead induced by introspection, have prevented VMI from breaking out of the research sphere despite its alleged benefits. This situation persisted for many years, until a set of memory introspection patches were submitted and later merged into Xen in 2009.

As of today, Xen offers the most complete VMI API available, and successful projects such as a stealth malware analysis sandbox (Drakvuf) and an agentless cloud monitoring solution (BitDefender HVI) have been built on top of it. This is shifting our view of virtual machines from opaque containers to transparent, monitorable systems.

Applying the same principle to our debuggers brings huge benefits, among them the stealth and robustness required to analyze unknown samples. In 2017, FireEye released rVMI, a Rekall-based full-system analysis debugger that leverages VMI on top of KVM and demonstrates the effectiveness of such tools.

In this talk, I would like to present r2vmi, a VMI debugger built on top of radare2. Pursuing the research on the topic, it introduces two critical changes. First, it has been built with libvmi and is therefore agnostic of the underlying hypervisor (Xen or KVM). Second, it takes the opposite approach to rVMI by adding a semantic layer on top of an established and flexible reverse-engineering framework, radare2.
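The "semantic gap" mentioned above, and the semantic layer r2vmi adds on top of radare2, both come down to the same job: a VMI library hands the debugger nothing but raw physical memory and VCPU registers, and the tool has to turn that into OS-level objects (address spaces, processes, modules). The toy below, an added illustration that is not code from r2vmi, libvmi or radare2, shows the two steps involved with everything constructed inline: a CR3-rooted page table is walked to translate guest virtual addresses, and a Rekall/Volatility-style layout profile (the `TASK_PROFILE` dictionary, an assumed format) is used to decode a linked list of process descriptors. The one-level page table and 28-byte task layout are simplifications chosen for the example; real x86-64 paging has four levels and real kernels have far larger structures, but the principle is identical.

```python
"""Toy VMI semantic layer: raw guest memory + VCPU registers -> process list."""
import struct

PAGE_SHIFT = 12
PAGE_SIZE = 1 << PAGE_SHIFT
PTE_PRESENT = 1


class GuestVM:
    """Constructed stand-in for the hypervisor side of a VMI library: it exposes
    only raw physical memory and VCPU registers, exactly what libvmi gives you."""

    def __init__(self, phys_pages, cr3):
        self.mem = bytearray(phys_pages * PAGE_SIZE)
        self.regs = {"cr3": cr3}

    def read_pa(self, pa, n):
        if pa + n > len(self.mem):
            raise ValueError("physical read out of range: 0x%x" % pa)
        return bytes(self.mem[pa:pa + n])

    def write_pa(self, pa, data):
        self.mem[pa:pa + len(data)] = data


def translate(vm, va):
    """Toy one-level page table: entry i (8 bytes at CR3 + 8*i) maps virtual page i."""
    vpn, off = va >> PAGE_SHIFT, va & (PAGE_SIZE - 1)
    (pte,) = struct.unpack("<Q", vm.read_pa(vm.regs["cr3"] + 8 * vpn, 8))
    if not pte & PTE_PRESENT:
        raise LookupError("virtual page %d not present" % vpn)
    return (pte & ~(PAGE_SIZE - 1)) | off


def read_va(vm, va, n):
    """Read n bytes of guest virtual memory, page by page (reads may cross pages)."""
    out = b""
    while n:
        pa = translate(vm, va)
        chunk = min(n, PAGE_SIZE - (pa & (PAGE_SIZE - 1)))
        out += vm.read_pa(pa, chunk)
        va, n = va + chunk, n - chunk
    return out


def write_va(vm, va, data):
    """Mirror of read_va, used only to populate the constructed guest."""
    while data:
        pa = translate(vm, va)
        chunk = min(len(data), PAGE_SIZE - (pa & (PAGE_SIZE - 1)))
        vm.write_pa(pa, data[:chunk])
        va, data = va + chunk, data[chunk:]


# Assumed OS "profile": field name -> (offset, struct format). This is the kind of
# layout knowledge (symbols, offsets) a semantic layer needs and the hypervisor lacks.
TASK_PROFILE = {"pid": (0, "<I"), "comm": (4, "16s"), "next": (20, "<Q")}
TASK_SIZE = 28


def read_task(vm, va, profile=TASK_PROFILE):
    raw = read_va(vm, va, TASK_SIZE)
    fields = {}
    for name, (off, fmt) in profile.items():
        (fields[name],) = struct.unpack_from(fmt, raw, off)
    fields["comm"] = fields["comm"].split(b"\0", 1)[0].decode()
    return fields


def list_tasks(vm, head_va, limit=64):
    """Walk the singly linked task list starting at head_va; a 0 link terminates."""
    tasks, va, seen = [], head_va, set()
    while va and len(tasks) < limit:
        if va in seen:  # a corrupted or looping list must not hang the debugger
            break
        seen.add(va)
        t = read_task(vm, va)
        tasks.append((t["pid"], t["comm"]))
        va = t["next"]
    return tasks


def build_sample_vm():
    """Constructed guest: page table at PA 0, two tasks at non-identity-mapped
    virtual addresses, the second deliberately straddling a page boundary."""
    vm = GuestVM(phys_pages=4, cr3=0)
    for vpn, ppn in ((5, 1), (9, 2), (10, 3)):  # virtual page -> physical page
        vm.write_pa(8 * vpn, struct.pack("<Q", ppn * PAGE_SIZE | PTE_PRESENT))
    head_va = 5 * PAGE_SIZE + 0x100
    second_va = 9 * PAGE_SIZE + 0xFF0  # 28 bytes here span virtual pages 9 and 10
    pack = lambda pid, comm, nxt: struct.pack("<I16sQ", pid, comm.encode(), nxt)
    write_va(vm, head_va, pack(1, "init", second_va))
    write_va(vm, second_va, pack(1337, "sample.bin", 0))
    return vm, head_va


if __name__ == "__main__":
    vm, head = build_sample_vm()
    for pid, comm in list_tasks(vm, head):
        print("pid=%-5d comm=%s" % (pid, comm))
```

The point a practitioner should take from this is where the knowledge lives: the translation step needs only what the hypervisor already exposes (CR3 and physical memory), whereas decoding `TASK_PROFILE` requires symbol and layout information about the specific guest kernel, which is exactly what a VMI debugger must carry or recover on its own.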

The end goal is for r2vmi to be integrated into a VMI sandbox to create a new kind of malware analysis framework, where the sandbox takes care of extracting the classic information while giving the analyst fine-grained control over, and observation of, the sample's execution.