»Hypervisor-level debugger: benefits and challenges«
2018-10-16, 10:30–10:50, Europe
In this talk I will review the benefits of having hypervisor-level debuggers, analyze the previous attempts at building such a tool, and present r2vmi, which aims to be a flexible VMI debugger built on top of libvmi and radare2.
Virtual Machine Introspection (VMI) is a technique that leverages the hypervisor to let the virtual machine's hardware state (VCPU registers, virtual and physical memory) be inspected in real time. This technology has interested security researchers for a long time, as the first scientific paper on the topic dates back to 2003. However, the complexity of hypervisors has kept existing attempts from gaining a wider audience. Furthermore, the semantic gap that must be bridged when interpreting the virtual machine's context, together with the performance overhead introduced by introspection, has prevented it from breaking out of the research sphere despite its purported benefits. This situation persisted for many years until a set of memory introspection patches was submitted and later merged into Xen in 2009.
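The "semantic gap" above is the distance between what the hypervisor hands an introspector (raw physical frames and VCPU registers) and what an analyst wants to see (processes, names, pids). The following added example, which is not code from the talk, r2vmi or libvmi, illustrates that gap on a constructed toy guest: a single-level page table stands in for the guest's paging structures, and the task-record offsets are made up in place of the kernel profile a real VMI tool would load. Everything below (ToyGuest, list_processes, the offsets and addresses) is an assumption of the example.

```python
import struct

# Toy guest: 4 KiB pages and a single-level page table keyed by virtual page
# number. Real guests use multi-level tables, and an introspector obtains CR3 and
# the other VCPU registers from the hypervisor, never from the untrusted guest.
PAGE_SHIFT = 12
PAGE_SIZE = 1 << PAGE_SHIFT

# Layout of the guest's task record. A VMI tool would read these offsets from a
# kernel profile (symbol/offset file); the values here are constructed.
TASK_NEXT_OFF = 0x00  # 32-bit virtual address of the next task
TASK_PID_OFF = 0x04   # 32-bit process id
TASK_COMM_OFF = 0x08  # 16-byte, NUL-padded process name
TASK_SIZE = 0x18


class ToyGuest:
    """Guest physical memory plus a page table, as the hypervisor would expose them."""

    def __init__(self, num_pages, page_table):
        self.mem = bytearray(num_pages * PAGE_SIZE)
        self.page_table = dict(page_table)  # virtual page number -> physical frame number

    def v2p(self, va):
        """Translate a guest virtual address to a guest physical address."""
        vpn, offset = va >> PAGE_SHIFT, va & (PAGE_SIZE - 1)
        if vpn not in self.page_table:
            raise ValueError(f"unmapped virtual address {va:#x}")
        return (self.page_table[vpn] << PAGE_SHIFT) | offset

    def _spans(self, va, length):
        # Split a virtual range into physically contiguous pieces: a record that
        # straddles a page boundary may live in two unrelated physical frames.
        while length:
            pa = self.v2p(va)
            chunk = min(length, PAGE_SIZE - (pa & (PAGE_SIZE - 1)))
            yield pa, chunk
            va += chunk
            length -= chunk

    def read_va(self, va, length):
        return b"".join(bytes(self.mem[pa:pa + n]) for pa, n in self._spans(va, length))

    def write_va(self, va, data):
        pos = 0
        for pa, n in self._spans(va, len(data)):
            self.mem[pa:pa + n] = data[pos:pos + n]
            pos += n


def list_processes(guest, init_task_va, max_tasks=1024):
    """Walk the circular task list from init_task and return (pid, name) pairs.

    The visited set bounds the walk, so a corrupted or deliberately looped list
    in the guest cannot make the introspector spin forever.
    """
    procs, seen, va = [], set(), init_task_va
    while va not in seen and len(procs) < max_tasks:
        seen.add(va)
        raw = guest.read_va(va, TASK_SIZE)
        next_va, pid = struct.unpack_from("<II", raw, TASK_NEXT_OFF)
        name = raw[TASK_COMM_OFF:TASK_COMM_OFF + 16].split(b"\0", 1)[0]
        procs.append((pid, name.decode("ascii", "replace")))
        va = next_va
    return procs


def build_sample_guest():
    """Constructed guest image: three tasks, one of them straddling a page boundary."""
    # Two adjacent virtual pages map to non-adjacent physical frames, so the list
    # is not contiguous in the physical view the hypervisor provides.
    guest = ToyGuest(num_pages=8, page_table={0xC0000: 5, 0xC0001: 2})
    tasks = [
        (0xC0000000, 0, b"swapper"),
        (0xC0000FF0, 1, b"init"),  # 0xFF0 + 0x18 crosses into the next page
        (0xC0001100, 4242, b"sample.exe"),
    ]
    for i, (va, pid, comm) in enumerate(tasks):
        next_va = tasks[(i + 1) % len(tasks)][0]
        record = struct.pack("<II", next_va, pid) + comm.ljust(16, b"\0")
        guest.write_va(va, record)
    return guest, tasks[0][0]


if __name__ == "__main__":
    guest, init_va = build_sample_guest()
    for pid, name in list_processes(guest, init_va):
        print(f"{pid:>6}  {name}")
```

Two points carry over to real introspection: address translation has to be done by the tool itself from hypervisor-provided state, and every pointer read from guest memory is untrusted input, which is why the walk is bounded rather than trusting the list to be well formed.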
As of today, Xen offers the most complete VMI API available, and successful projects such as a stealth malware analysis sandbox (Drakvuf) and an agentless cloud monitoring solution (BitDefender HVI) have been built on top of it. This is shifting our view of virtual machines from opaque containers to transparent, monitorable systems.
Applying the same principle to our debuggers brings huge benefits, among them the stealth and robustness required to analyze unknown samples. In 2017, FireEye released rVMI, a Rekall-based full-system analysis debugger leveraging VMI on top of KVM, demonstrating the effectiveness of such tools.

In this talk, I would like to present r2vmi, a VMI debugger built on top of radare2. Pursuing the research on the topic, it introduces two critical changes. First, it has been built with libvmi and is therefore agnostic of the underlying hypervisor (Xen or KVM). Second, it takes the opposite approach to rVMI by adding a semantic layer on top of a good and flexible reverse-engineering framework, radare2.

The end goal of r2vmi is to be integrated into a VMI sandbox to create a new kind of malware analysis framework, where the sandbox takes care of extracting the classic information while giving the analyst fine-grained control over, and observation of, the sample's execution.