Leveraging KVM as a debugging platform
2019-10-23, 10:30–10:50, Europe

Virtual Machine Introspection keeps opening new ways to observe and interact with
virtual machines from outside the guest, from sandboxing (VMRay) to cloud
monitoring solutions (BitDefender HVI).

Our debuggers need to benefit from this approach too, and several open source
projects have already tried to leverage the hypervisor as a new debugging
platform. However, most of these solutions are tied to a single hypervisor.

The VMI ecosystem can only grow if it can bring all developers under the same
roof, and provide the core libraries that will be the foundation for all VMI
applications.

With this vision in mind, pyvmidbg was written as a GDB stub built on top of
LibVMI, a hypervisor-agnostic VMI library. It introspects Windows VMs and walks
the guest's execution context to locate and debug a specific process running on
the system.
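To make concrete what "a GDB stub" has to do, the following is an added example, not pyvmidbg's or LibVMI's code: it implements the GDB Remote Serial Protocol framing (`$payload#checksum`, byte escaping, ack/nak) that any stub must speak to GDB, and dispatches three packets (`?`, `qSupported`, `m addr,len`). The guest memory it serves is a constructed dict; in a VMI-backed stub the `read_memory` callback is where reads through LibVMI would go (an assumed interface here, not LibVMI's API).

```python
"""Minimal GDB Remote Serial Protocol (RSP) framing and command dispatch.

Added example, not pyvmidbg's or LibVMI's code. It shows the wire format
a GDB stub must speak ($payload#xx, escaping, checksum, ack/nak) and
dispatches '?', 'qSupported' and 'm addr,len'. Guest memory is a
constructed dict standing in for reads a real stub would do via LibVMI."""
from typing import Callable, Optional

RSP_ESCAPE = 0x7D                    # '}' prefixes an escaped byte
RSP_RESERVED = frozenset(b"$#}*")    # bytes that must be escaped in a payload
SIGTRAP = 5

def rsp_checksum(wire: bytes) -> int:
    """Sum of the bytes between '$' and '#', modulo 256."""
    return sum(wire) & 0xFF

def rsp_escape(payload: bytes) -> bytes:
    """Escape reserved bytes as '}' followed by the byte XOR 0x20."""
    out = bytearray()
    for b in payload:
        out += bytes((RSP_ESCAPE, b ^ 0x20)) if b in RSP_RESERVED else bytes((b,))
    return bytes(out)

def rsp_unescape(wire: bytes) -> bytes:
    """Inverse of rsp_escape; rejects a trailing lone '}'."""
    out, i = bytearray(), 0
    while i < len(wire):
        if wire[i] == RSP_ESCAPE:
            if i + 1 >= len(wire):
                raise ValueError("dangling escape byte")
            out.append(wire[i + 1] ^ 0x20)
            i += 2
        else:
            out.append(wire[i])
            i += 1
    return bytes(out)

def rsp_encode(payload: bytes) -> bytes:
    """Frame a payload as $<escaped>#<two hex digits of checksum>."""
    wire = rsp_escape(payload)
    return b"$" + wire + b"#" + f"{rsp_checksum(wire):02x}".encode()

def rsp_decode(frame: bytes) -> bytes:
    """Check framing and checksum of one packet; return the unescaped payload."""
    if len(frame) < 4 or frame[:1] != b"$" or frame[-3:-2] != b"#":
        raise ValueError("malformed RSP frame")
    wire, expected = frame[1:-3], int(frame[-2:], 16)
    if rsp_checksum(wire) != expected:
        raise ValueError("RSP checksum mismatch")
    return rsp_unescape(wire)

class GdbStub:
    """Dispatch decoded commands against read_memory(vaddr, length) -> bytes|None.
    In a VMI stub that callback is where the LibVMI reads would live
    (assumed interface, not LibVMI's API)."""

    def __init__(self, read_memory: Callable[[int, int], Optional[bytes]],
                 stop_signal: int = SIGTRAP):
        self.read_memory, self.stop_signal = read_memory, stop_signal

    def handle(self, command: bytes) -> bytes:
        if command == b"?":                      # why is the target stopped?
            return f"S{self.stop_signal:02x}".encode()
        if command.startswith(b"qSupported"):    # feature negotiation
            return b"PacketSize=1000"
        if command.startswith(b"m"):             # m<addr>,<len>: read guest memory
            addr_hex, _, len_hex = command[1:].partition(b",")
            try:
                data = self.read_memory(int(addr_hex, 16), int(len_hex, 16))
            except ValueError:
                return b"E02"                    # unparsable arguments
            return data.hex().encode() if data is not None else b"E01"  # E01: fault
        return b""                               # empty reply: packet unsupported

def serve_frame(stub: GdbStub, frame: bytes) -> bytes:
    """Handle one incoming frame; return ack + reply, or a nak on a bad frame."""
    try:
        command = rsp_decode(frame)
    except ValueError:
        return b"-"                              # nak: GDB retransmits
    return b"+" + rsp_encode(stub.handle(command))

# Constructed sample guest memory: the start of a PE header mapped at 0x1000.
FAKE_GUEST_MEMORY = {0x1000: b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00"}

def fake_read_memory(vaddr: int, length: int) -> Optional[bytes]:
    for base, blob in FAKE_GUEST_MEMORY.items():
        if base <= vaddr and vaddr + length <= base + len(blob):
            return blob[vaddr - base:vaddr - base + length]
    return None                                  # unmapped: report a fault

def make_demo_stub() -> GdbStub:
    return GdbStub(fake_read_memory)

if __name__ == "__main__":
    stub = make_demo_stub()
    for frame in (b"$?#3f", b"$m1000,4#8e", b"$m9999,4#b1", b"$?#00"):
        print(frame, b"->", serve_frame(stub, frame))
```

The hypervisor-agnostic design the talk argues for lives entirely behind `read_memory`: the protocol side never learns whether the bytes came from Xen, KVM or a test dict, which is the separation LibVMI gives a stub like pyvmidbg. Note that a real stub must also translate the guest-virtual addresses GDB sends into physical memory of the right process, which is the "execution context" work the text mentions and which this example leaves to the callback.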

One of the goals of pyvmidbg is to attract developers and users by supplying
the layers whose absence keeps VMI from gaining wider adoption today.

The lack of introspection APIs in KVM has made LibVMI a Xen-centric library,
despite its flexible architecture. The situation started to change in 2017,
when BitDefender proposed a new set of introspection APIs for KVM.

This talk will demonstrate the new KVM introspection subsystem proposed by
BitDefender, its integration into LibVMI, and how pyvmidbg runs on top of
KVM today.