Follow the WhiteRabbit: Towards Consolidation of On-the-Fly Virtualization and Virtual Machine Introspection [chapter]

Sergej Proskurin, Julian Kirsch, Apostolis Zarras
2018 IFIP Advances in Information and Communication Technology  
The growing complexity of modern malware drives security applications to leverage Virtual Machine Introspection (VMI), which provides a complete and untainted view over the Virtual Machine state. To benefit from this ability, a VMI-aware Virtual Machine Monitor (VMM) must be set up in advance underneath the target system; a constraint for the massive application of VMI. In this paper, we present WhiteRabbit, a VMI framework comprising a microkernel-based VMM that transparently virtualizes a
more » ... ing Operating System, on-the-fly, for the purpose of forensic analysis. As a result, the systems to be analyzed do not have to be explicitly set up for VMI a priori. After its deployment, our framework exposes VMI services for remote applications: WhiteRabbit implements a LibVMI interface that enables it to be engaged by popular VMI applications remotely. Our prototype employs Intel as well as ARM virtualization extensions to take over control of a running Linux system. WhiteRabbit's on-the-fly capability and limited virtualization overhead constitute an effective solution for malware detection and analysis.
doi:10.1007/978-3-319-99828-2_19 fatcat:5zcbqng5l5c53cz7jayzgzfmjq