2020-04-23 on Memory Forensics

da/sec scientific talk on Memory Forensics

Topic: Developing a hypervisor-agnostic VMI Framework

by Marcel Meuter, Lorenz Liebler
online Big Blue Button Room: D19/2.03a, April 23, 2020 (Thursday), 12.00 noon

Keywords — VMI, Memory Forensics

Abstract

Monitoring and analyzing an operating system, as well as the applications running on it, with the help of Virtual Machine Introspection (VMI) is a well-known approach. With VMI, the analysis application stays isolated from the virtual machine while maintaining full control over the guest. Common use cases are the monitoring of memory accesses and of system call executions. Depending on the implementation, neither the guest operating system nor security mechanisms such as Kernel Patch Protection (KPP) are able to notice the presence of the hypervisor and the VMI application.
Existing solutions built on top of VMI are normally designed to support only a single hypervisor and make heavy use of hypervisor-specific features. As a result, approaches and implementations tend to be complex and hardly reusable. Extending the existing functionality quickly becomes time-consuming and slows down the development phase during research.
In this talk we introduce an intermediate framework built on top of LibVMI, which generalizes common and repetitive introspection tasks in a hypervisor-agnostic fashion. To keep the framework lightweight, we limited its feature set so that its dependencies shrink to a single abstraction layer between the framework and the hypervisors Xen and KVM. We additionally discuss the usability of the framework in the context of our current memory forensics research and give insights into our motivation for developing such a framework.