Follow the WhiteRabbit: Towards Consolidation of On-the-Fly Virtualization and Virtual Machine Introspection

  title={Follow the WhiteRabbit: Towards Consolidation of On-the-Fly Virtualization and Virtual Machine Introspection},
  author={Sergej Proskurin and Julian Kirsch and Apostolis Zarras},
The growing complexity of modern malware drives security applications to leverage Virtual Machine Introspection (VMI), which provides a complete and untainted view over the Virtual Machine state. To benefit from this ability, a VMI-aware Virtual Machine Monitor (VMM) must be set up in advance underneath the target system; a constraint for the massive application of VMI. In this paper, we present WhiteRabbit, a VMI framework comprising a microkernel-based VMM that transparently virtualizes a… 
HyperLeech: Stealthy System Virtualization with Minimal Target Impact through DMA-Based Hypervisor Injection
HyperLeech is presented, the first approach which uses DMA to stealthily inject a thin hypervisor into the memory of a target host, transparently shifting its operation into a hardware-accelerated virtual machine.
xMP: Selective Memory Protection for Kernel and User Space
The approach, called xMP, provides (in-guest) selective memory protection primitives that allow VMs to isolate sensitive data in user or kernel space in disjoint xMP domains, and takes advantage of virtualization extensions, but after initialization, it does not require any hypervisor intervention.
Hiding in the Shadows: Empowering ARM for Stealthy Virtual Machine Introspection
The stealthy operation of Virtual Machine Introspection (VMI) is an obligation to successfully analyze and proactively mitigate this growing threat of malware on ARM.
SEVerity: Code Injection Attacks against Encrypted Virtual Machines
The SEVerity attack is introduced; a missing puzzle piece in the series of attacks against AMD SEV and SEV-ES and renders the present implementation as incapable of protecting against a curious, vulnerable, or malicious Hypervisor.


Process Implanting: A New Active Introspection Framework for Virtualization
This paper presents Process Implanting, a new active VM introspection framework, to narrow the semantic gap by implanting a process from the host into the guest VM and executing it under the cover of an existing running process.
Nitro: Hardware-Based System Call Tracing for Virtual Machines
The design and implementation of the prototype framework, Nitro, for system call tracing and monitoring is described, which is extremely flexible as it supports all three system call mechanisms provided by the Intel ×86 architecture and has been proven to work in Windows, Linux, 32-bit, and 64-bit environments.
X-TIER: Kernel Module Injection
While previous approaches bridge the semantic gap by reading kernel objects from memory, X-TIER goes beyond such work and allows the injected code to manipulate the guest operating system (OS) state and even call kernel functions without sacrificing the overall security.
A formal model for virtual machine introspection
The main contribution of this work is the definition of a formal model for describing VMI techniques, broken down in such a way that allows for thorough discussion of any VMI approach with regard to each of the three challenges.
The Threat of Virtualization: Hypervisor-Based Rootkits on the ARM Architecture
This paper evaluates the vulnerability to hypervisor-based rootkits of ARM-based platforms, considering both ARMv7 and ARMv8, and details the anatomy of an attack wherein a hypervisor rootkit and a userspace process collaborate to undermine the isolation properties enforced by the Linux kernel.
SoK: Introspections on Trust and the Semantic Gap
Overall, this paper aims to create an essential checkpoint in the broader quest for meaningful trust in virtualized environments through VM introspection by observing portions of the VMI design space which have been under-explored, as well as potential adaptations of existing techniques to bridge the semantic gap without trusting the guest OS.
KVM/ARM: the design and implementation of the linux ARM hypervisor
KVM/ARM, the first full system ARM virtualization solution that can run unmodified guest operating systems on ARM multicore hardware, has been successfully merged into the mainline Linux kernel, ensuring that it will gain wide adoption as the virtualization platform of choice for ARM.
SubVirt: implementing malware with virtual machines
This paper evaluates a new type of malicious software that gains qualitatively more control over a system, which is called a virtual-machine based rootkit (VMBR), and implements a defense strategy suitable for protecting systems against this threat.
Spotless Sandboxes: Evading Malware Analysis Systems Using Wear-and-Tear Artifacts
A novel class of sandbox evasion techniques that exploit the "wear and tear" that inevitably occurs on real systems as a result of normal use are presented and statistical models that capture a system's age and degree of use are developed that can be used to aid sandbox operators in creating system images that exhibit a realistic wear-and-tear state.
Live and Trustworthy Forensic Analysis of Commodity Production Systems
HyperSleuth provides a trusted execution environment that guarantees four fundamental properties: an attacker controlling the system cannot interfere with the analysis and cannot tamper the results, the framework can be installed as the system runs, without a reboot and without loosing any volatile data.