Virtual machine introspection (VMI) allows security tools to be run externally to virtual machines for improved isolation, visibility, and control. VMI provides full interpretation of the virtual hardware and memory to detect malware. It can actively monitor VM events and memory through techniques like EPT trap interposition. The speaker demonstrated these capabilities using open source tools like LibVMI and DRAKVUF for dynamic malware analysis. VMI is presented as an important approach for cloud and mobile security going forward.

1. Virtual Machine Introspection
to Detect and Protect
Tamas K. Lengyel
tklengyel@sec.in.tum.de
tamas.lengyel@zentific.com
https://github.com/tklengyel

2. Agenda
1. Motivation & Cloud security
2. Xen
3. Virtual Machine Introspection
I. Isolation
II. Interpretation
III. Interposition
4. Demo
5. Public release of new tools

3. Motivation
This is my PhD topic
● Malware collection & analysis
DARPA Cyber Fast Track
● Cloud IDS/IPS prototype
Up-and-coming field

4. Cloud Security?
● Virtualization is a magic box of invulnerability
● Why bother if Cloud instances are short-lived
and easily wiped?
● Isn't worth the cost of overhead
● It's not going to happen to me
● I'll just use my existing tools and be fine
Wrong!

5. Cloud Security
● In-guest AV / HIDS
✗ No isolation
● Network IDS
✗ Limited or no context
● Scan VM disk and memory
✗ No interposition
Better than nothing

6. Cloud Security!
● Move protection out from the VM
✔ Hypervisor based isolation
● Full view of the VM state
✔ Interpret virtual hardware to see processes,
users, connections, files..
● Actively monitor & control
✔ Interposition

7. Xen
Bare-metal VMM
Runs in VMX root
Minimal interface
Everything else is a domain, with one being special
(dom0)

8. Isolation
We could move the security stack to dom0..
.. or move it into its own domain!
Xen allows for advanced disaggregation and role
delegation
With some caveats..

9. Access control in Xen
Xen Security Modules (XSM)
– Disabled by default.
– Only usable starting with 4.3
In the guest kernel!
– if (!xen_initial_domain())
return -EPERM;
– We patched that in Linux 3.8
In XenStore (ignore for now)
– Domain meta info is only a plus

10. Access control in Xen
Security is no longer part
of the TCB
Can be 1:1, 1:many or
many:many
Designed for multi-tenant cloud deployments
Security doesn't mean the same thing for everyone

11. Interpretation
Interpreting the guest virtual hardware
– Memory
– VCPU
Memory interpretation:
– Paging, paging, paging
OS interpretation:
– Debug symbols!

12. LibVMI + Rekall
LibVMI
– Xen and KVM support
– Paging support for
● x86, x86+PAE, x86_64 & ARM
– OS support
● Windows, Linux
Rekall
– Generates nice debug profiles
– ..and lots of other fancy stuff

13. Finding Windows
Volatility: brute-force search
● “KDBG” scan
● Easily hidden + lots of false positives
LibVMI + Rekall: use hardware info!
● VCPU0 FS/GS register → KPCR
● KPCR – relative offset = Windows!
● It is binding, malware can't touch it

14. Understanding Windows
Volatility: use the in-memory KDBG struct.
– Can be tampered with
– Heavily encoded in Windows 8 64-bit
LibVMI + Rekall: use the pre-generated debug
profiles!
– Works with Windows 8 64-bit as well
– Different attacker model

15. Interposition
Scanning VM memory gets you a lot
– Volatility's pooltag scans
But it's not bulletproof and introduces TOCTOU
issues
Interposition: induce & trap VMEXITs
Forward to security domain

16. Interposition
Intel to the rescue:
CPUID, GETSEC, INVD, XSETBV, INVEPT, INVVPID, VMCALL, VMCLEAR,
VMLAUNCH, VMPTRLD, VMPTRST, VMRESUME, VMXOFF, VMXON
And optionally:
CLTS, HLT, IN, INS/INSB/INSW/INSD, OUT, INVLPG, INVPCID, LGDT, LIDT,
LLDT, LTR, SGDT, SIDT, SLDT, STR, LMSW, MONITOR, MOV from CR3, MOV
from CR8, MOV to CR0, MOV to CR3, MOV to CR4, MOV to CR8, MOV DR,
MWAIT, INT3, INT0, MTF ….
See the full list in Intel SDM 3c 25.1.3

17. Interposition with LibVMI
● MOV-TO-CR0/3/4
– New process being scheduled, CPU feature
enabled/disabled, TLB flush, etc.
● EPT violation
– Trap R/W/X of any memory page in the guest
– Invisible to the guest
– Needs to be reset after hit
● Singlestepping
– Intel Monitor Trap Flag (MTF)
● Debug events (INT3)

18. Demo time!
http://goo.gl/XMSJ7y

19. DKOM no more!
It's still on the heap!

20. Demo time!
http://goo.gl/XMSJ7y

21. DRAKVUF
“Scalability, Fidelity and Stealth in the DRAKVUF
Dynamic Malware Analysis System” - ACSAC 2014
http://drakvuf.com
Anyone gets the name reference?

22. Conclusion
● Cloud security requires new tools and new
approaches
● VMI is rapidly maturing to fill the gap
● Dealing with rootkits is easier externally
● Tools are open-source (GPL/LGPL)
● Patches are welcome ;)

23. What's ahead
VMI gets you a lot.. but there are blind-spots
– Virt-DMA, emulation..
● Who watches the watcher?
– SMM/AMT based VMM integrity check
● Xen on ARM
– “Cloud” security for your phone/car!

24. Shout-out
Cheers to the Zentific crew
– Steve, Matt & Russ
To the Volatility crew
– MHL, Andrew, Gleeda & Moyix
To the Rekall crew
– Scudette
To Mudge
– Thanks for the CFT!

25. Thanks!