The document describes a project to bridge the semantic gap in virtualized environments. It aims to generate a complete view of a guest VM by connecting the Volatility memory forensics framework to QEMU. This allows leveraging Volatility plugins to live monitor the guest OS without modifying the guest. It implements a QEMU monitor command to dump VM memory and execute Volatility commands. Performance evaluation and malware analysis demonstrations are provided. The open problem of interpreting low-level VM state as high-level guest OS semantic information is discussed.

1. Advanced Topics in Systems Research
Final Project
資管碩二 R03725019 李士暄
資管碩二 R03725037 李奕德
1
Bridging the Semantic Gap in
Virtualized Environment

2. Outline
•Problem Definition
•Contribution
•Related Work – Volatility Framework
•QEMU Volatility Interface
•System DEMO
•Performance Evaluation
•Conclusion
2

3. Problem Definition – Semantic Gap
•In virtualization, it is difficult to
interpreting the low level state
of a VM into high level semantic
state of guest OS.
•This will be a obstacle for system
administrator to real-time
observe, inspect and detect the
runtime execution of a VM.
3
From low level data (memory
address) to high level semantic
data (DLL list)

4. Contribution
•The aim of project is to generate a complete
view of a guest VM to bridge the semantic gap.
•Features
1. No modification to guest VM, no additional
program installation in guest OS.
2. Support multiple versions of guest OS.
3. Runtime execution introspection to VM.
4

5. Related Work
•The Volatility is an open source memory
forensics framework.
• Written in Python
• Support Windows, Mac OS X, Linux OS.
• Reference Book - The Art of Memory Forensics
•The Volatility Framework extracts the digital artifacts
from volatile memory samples through some plugins.
• E.g. pslist, dlllist and driverscan etc.
5Volatility Foundation http://www.volatilityfoundation.org/

6. QEMU Monitor Console
• When QEMU is running, it provides a monitor console
for user to interact with QEMU.
• Commands are defined in hmp-commands.hx and monitor.c
under QEMU source code.
6
But, commands only
provide low level info,
not semantic state of VM.

7. QEMU-Volatility Interface
• We have developed a command into QEMU monitor
to connect Volatility framework.
• Usage : (QEMU) volatility [profile_OS] [plugin_com] [args]
• Volatility is a command line tool that we can easily
write a script to use it.
• With the function in QEMU, we can dynamically
dump a memory file for a running VM based on VM
memory size.
7

8. Interface Functionality
• Now, we can leverage volatility to live monitoring guest
OS, including all commands in volatility framework.
• imageinfo
• psscan
• dlldump
• modscan
• thrdscan
• netscan
• Hivedump
• Etc.
8https://code.google.com/p/volatility/wiki/CommandReference22

9. System DEMO (1/2)
• Example 1.
• “Dlllist” command display a process's loaded DLLs.
9

10. System DEMO (2/2)
• Example 2.
• “Driverscan” command finds all drivers in the guest OS.
10

11. Guest OS Support
Windows (32/64 bits) Linux (32/64 bits) Mac OS (32/64 bits)
Windows 2003 SP0,1,2
Linux Kernel
2.6.11 to 4.2.3
10.5.x Leopard
Windows 2008 SP0,SP1 OpenSuSE 10.6.x Snow Leopard
Windows XP SP2, SP3 Ubuntu 10.7.x Lion
Windows Vista SP0,1, 2 Debian 10.8.x Mountain Lion
Windows 7 SP0, SP1 CentOS 10.9.x Mavericks
Windows 8 ,8.1 Fedora 10.10.x Yosemite
Windows 10(init support) Mandriva 10.11.x El Capitan
11
• Volatility supports investigations of the following
memory images:
https://github.com/volatilityfoundation/volatility

12. Evaluation (1/2)
12
• We perform some testings to our interface.
CPU Intel® Core™ i3 2367M
RAM 6 GB DDR3 1600 MHz
HDD 120 GB SANDISK SSD
Host OS Ubuntu 14.04.1 Kernel 3.16.0
Guest OS Windows 7 SP1 Professional

13. Evaluation (2/2)
13
This command scan kernel space
memory to find KDBG structure.
• VM : 512 MB RAM

14. Malware Analysis
• We also perform malware analysis by executing a
malware in VM.
• Malware name : Virus.Win32.HLLP.Lassa.40960
• Trend Micro Engine classified it to worm.
14
http://www.trendmicro.com.ph/vinfo/ph/threat-encyclopedia/archive/malware/worm_lassa.a

15. Scan for the malicious process
• (QMEU)volatility Win7SP1x64 psscan
15
PID : 1896

16. Display DLLs loaded by malware
• (QMEU)volatility Win7SP1x64 ldrmodules
16

17. Detect API hooking
• (QMEU)volatility Win7SP1x64 –p 1896 apihooks
17
Hooked
Information

18. File/Registry Key used by malware
• (QMEU)volatility Win7SP1x64 handles –p 1896 –t key
• (QMEU)volatility Win7SP1x64 handles –p 1896 –t File
18

19. Conclusion
• We believed that our interface between QEMU and
volatility is a powerful capability for runtime
inspecting to VM, offering system administrator a
visibility to the state of VM.
19

20. Open Problem – Semantic Gap
• In virtualization, it is difficult to
interpreting the low level state of a
VM into high level semantic state of
guest OS.
• View exposed by hypervisor is low-level
state (binary state, CPU state, memory
address)
• What we want is high-level state
(processes, files, DLL information)
• It is difficult for security administrator
to real-time observe, inspect and
detect the runtime execution of a VM.
20
From low level data(memory
address) to high level
semantic data (DLL list)

21. Introduction (1/2)
• Virtual machine (VM) is first proposed in the 1960s and
experiences a revival in the commercial and research
communities.
• With virtual machine technology arises, it provides OS
developer and security researcher a new opportunity to
deploy innovation solution.
• Virtual machine provides many features including
• Equivalent execution: programs running in virtual machine
must run identically to running natively.
• Efficiency: a “statistically dominant” subset of instructions
must be executed directly on the CPU.
• Isolation: a virtual machine must completely control system
resource.
21

22. Volatility Windows Profiles
• In Volatility source code, it has lots of windows OS profiles
for each version.
• Support Windows 2003, XP, Vista, Win 7, Win 8 profiles.
22

23. Introduction (2/2)
•Chen, Peter M. and Noble, Brian D.[1] state that
current virtualization technologies are sufferring
from two main challenges.
• One is performance.
• The other is semantic gap.
•Virtual machine introspection (VMI) technique is
the method of inspecting a VM from the “outside”
for analyzing the software running in the machine.
23
Chen, Peter M., and Brian D. Noble. "When virtual is better than real" Hot Topics in Operating
Systems, 2001. Proceedings of the Eighth Workshop on. IEEE, 2001.

24. Implementation Environment
•Host OS : Ubuntu-14.04.1
• Linux kernel : 3.16.0
•Guest OS : Windows 7 SP1 x64
•We will implement some forensics functionalities
into QEMU-2.3 to traverse guest OS memory.
• A free open-source emulator that performs system
virtualization .
• May use KVM as accelerator.
24

25. Related Work (2/2)
• LibVMI is an introspection library focused on reading
and writing memory from running VM.
• Support multiple hypervisor, such as Xen, KVM/Qemu.
• Support multiple guest, like x86 and x64 Windows /Linux
• Provides many APIs to access the memory of a VM.
• Libvmi patch QEMU source code to create a server
socket inside QEMU.
• When libvmi need to access VM memory , it uses qemu
monitor command to get the corresponding mapped pages
back.
• With low system performance.
25LibVMI http://libvmi.com/

26. Process data structure in Window
• E.g. Win7_sp1_x64_vtypes.py (total 9147 Lines)
26

27. EPROCESS Doubly Linked List
27
• KDBG (Kernel Debugger Block) is kernel symbol
structure maintained by Windows kernel for debugging
purposes.
• KDBG has a reference to the PsActiveProcessHead
which is the list head of all processes required for
process listing.
(Kernel Debugger Block)

28. Kernel Debugger Block
Data Structure
 KDBG Header will be a constant
signatures in hex value.
 Use windbg in guest OS
to reverse engineering
windows internal.
28

29. KBDG constant pattern for Win7 x64
• Use kdbgscan plugin to find KDBG address
• Use volshell to hexdump the KDBG
OwnerTag : set to KDBG size : /x40/x03
LISTENTRY64 : last bytes
29

30. EPROCESS data structure
30
// PID
// Doubly linked list chains active
processes together.
// kernel process control block (contains CR3)
// Process enivornment block
// Process name
// Doubly linked list chains all
the process’ threads together.
// PPID