Sergej Proskurin1 , Julian Kirsch1, and Apostolis Zarras2
1 Technical University of Munich
2 Maastricht University
Abstract. The growing complexity of modern malware drives security applications to leverage Virtual Machine Introspection (VMI), which provides a complete and untainted view over the Virtual Machine state. To benefit from this ability, a VMI-aware Virtual Machine Monitor (VMM) must be set up in advance underneath the target system; a constraint for the massive application of VMI. In this paper, we present WhiteRabbit, a VMI framework comprising a microkernel-based VMM that transparently virtualizes a running Operating System, on-the-fly, for the purpose of forensic analysis. As a result, the systems to be analyzed do not have to be explicitly set up for VMI a priori. After its deployment, our framework exposes VMI services for remote applications: WhiteRabbit implements a LibVMI interface that enables it to be engaged by popular VMI applications remotely. Our prototype employs Intel as well as ARM virtualization extensions to take over control of a running Linux system. WhiteRabbit's on-the-fly capability and limited virtualization overhead constitute an effective solution for malware detection and analysis.
The paper published in the IFIP SEC 2018 confeence proceedings by Springer Verlag