Rustifying the VM Introspection Ecosystem
FOSDEM 2020
Mathieu Tarral, Dorian Eikenberg
Agenda
● What is VM Introspection ?
● VMI ecosystem today
● Rustifying the VM Introspection ecosystem
● Future work
Virtualization Rust
● 2015:
○ Rust 1.0
● 2016:
○ rustyvisor
● 2017:
○ crosvm
○ Firecracker
● 2019:
○ rust-vmm
○ orange_slice
○ cloud-hypervisor
Wenzel/awesome-virtualization
VM Introspection
VM Introspection
“Deriving the execution context of a virtual machine, from the hypervisor interface, by
querying its hardware state, for security purposes”
VM Introspection : Concepts
(Diagram: Virtual Machine, Hypervisor / Virtualization layer, Introspection Agent, VMI API)
● Intercept hardware events
○ memory access (r/w/x)
○ interrupts
■ set breakpoints ! (int 3)
○ MSR registers
○ control registers
○ etc...
● Modify hardware state
○ VCPUs registers
○ physical memory
VM Introspection : Core Strengths
What VMI provides:
● VM hardware access
○ full system view at hypervisor-level privilege
● Interposition
○ control what hardware events to catch
○ manipulate what the OS should see of itself
VM Introspection : Scenarios
● When detectability is an issue
○ stealth malware analysis
● Need a full-system approach
○ complex debugging scenarios (nested hypervisor)
○ advanced in-kernel fuzzing
● Can’t rely on guest OS
○ to give you a view of itself
○ assuming compromised kernel
○ Unikernel (!)
VM Introspection : Complexity
(Diagram: Virtual Machine, Hypervisor / Virtualization layer, Introspection Agent, VMI API; components: Semantic Engine, Virtual Address Translation, Event Dispatcher, Breakpoint Manager)
VM Introspection : Complexity
● Set up a breakpoint callback on “kernel32:WriteFile”
● Filter on process name for “cargo.exe”
● Callback: log function parameters
VM Introspection : Complexity
● Identify VM context: kernel and libraries
● Load debug symbols
● Identify current running process on VCPU
VM Introspection : Complexity
● write int3 in memory
● register interrupt callback
● write original opcode back
● singlestep
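The four steps above as a small Rust breakpoint manager, added here as an example (not code from the slides or from libmicrovmi); it assumes a constructed byte buffer standing in for guest physical memory, indexed by guest-physical offset:

```rust
use std::collections::HashMap;

/// Constructed stand-in for guest physical memory; a real agent would use the
/// hypervisor driver's read/write primitives instead.
pub struct GuestMemory {
    pub bytes: Vec<u8>,
}

impl GuestMemory {
    pub fn read(&self, addr: usize) -> u8 { self.bytes[addr] }
    pub fn write(&mut self, addr: usize, val: u8) { self.bytes[addr] = val; }
}

const INT3: u8 = 0xCC;

/// Software breakpoint manager: remembers the original opcode under every
/// int3 it planted so the instruction can be restored, stepped and re-armed.
pub struct BreakpointManager {
    saved: HashMap<usize, u8>,
}

impl BreakpointManager {
    pub fn new() -> Self { BreakpointManager { saved: HashMap::new() } }

    /// Write int3 in memory, keeping the original opcode.
    pub fn set(&mut self, mem: &mut GuestMemory, addr: usize) {
        if !self.saved.contains_key(&addr) {
            self.saved.insert(addr, mem.read(addr));
            mem.write(addr, INT3);
        }
    }

    /// Interrupt callback: if the int3 is ours, write the original opcode back
    /// and return true so the caller single-steps the VCPU. false means the
    /// int3 belongs to the guest and must be reinjected untouched.
    pub fn on_int3(&mut self, mem: &mut GuestMemory, addr: usize) -> bool {
        match self.saved.get(&addr) {
            Some(&orig) => { mem.write(addr, orig); true }
            None => false,
        }
    }

    /// Once the single-step has executed the original instruction, re-arm.
    pub fn on_singlestep_done(&mut self, mem: &mut GuestMemory, addr: usize) {
        if self.saved.contains_key(&addr) {
            mem.write(addr, INT3);
        }
    }
}
```

The second `set` on an already armed address is deliberately a no-op, so 0xCC is never recorded as the "original" byte.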
VM Introspection : Complexity
● Deliver each hardware event to the registered callbacks
VM Introspection : Complexity
● Identify paging
● Walk paging structures
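A worked version of the page-walk step, added here as an example (not code from the slides or from libmicrovmi): a 4-level x86_64 walk in Rust over a constructed physical-memory buffer, handling non-present entries and 2 MiB / 1 GiB large pages. Identifying the paging mode is assumed already done (4-level long mode, CR3 pointing at the PML4).

```rust
/// Constructed stand-in for guest physical memory: a flat buffer in place of
/// the pages a real driver would read through the hypervisor's VMI API.
pub struct PhysMem {
    pub bytes: Vec<u8>,
}

impl PhysMem {
    /// Read a little-endian 64-bit paging entry; None if outside the buffer.
    fn read_u64(&self, paddr: u64) -> Option<u64> {
        let p = paddr as usize;
        let mut buf = [0u8; 8];
        buf.copy_from_slice(self.bytes.get(p..p + 8)?);
        Some(u64::from_le_bytes(buf))
    }

    pub fn write_u64(&mut self, paddr: u64, val: u64) {
        let p = paddr as usize;
        self.bytes[p..p + 8].copy_from_slice(&val.to_le_bytes());
    }
}

const PRESENT: u64 = 1 << 0;
const PAGE_SIZE: u64 = 1 << 7;                 // PS bit: 1 GiB at PDPT, 2 MiB at PD
const ADDR_MASK: u64 = 0x000F_FFFF_FFFF_F000;  // physical address bits 12..51

/// Walk the 4-level x86_64 paging structures rooted at CR3 and return the
/// guest physical address backing `vaddr`, or None if any level is not present.
pub fn translate(mem: &PhysMem, cr3: u64, vaddr: u64) -> Option<u64> {
    let mut table = cr3 & ADDR_MASK;
    // Bit positions of the PML4, PDPT, PD and PT indexes within the address.
    for (level, shift) in [39u32, 30, 21, 12].iter().enumerate() {
        let shift = *shift;
        let idx = (vaddr >> shift) & 0x1FF;
        let entry = mem.read_u64(table + idx * 8)?;
        if entry & PRESENT == 0 {
            return None;
        }
        // A large page at PDPT (1 GiB) or PD (2 MiB) level ends the walk early.
        let large = (level == 1 || level == 2) && entry & PAGE_SIZE != 0;
        if large || level == 3 {
            let offset_mask = (1u64 << shift) - 1;
            return Some((entry & ADDR_MASK & !offset_mask) | (vaddr & offset_mask));
        }
        table = entry & ADDR_MASK;
    }
    None
}
```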
VMI ecosystem in 2020
VMI API: Hypervisor Support
(Timeline chart with ticks at 2007, 2011, 2017 and 2019; legend: Community Effort, Upstream integration, Alternate EPT/RVI available)
● Xen: XenAccess, LibVMI
● VirtualBox: Winbagility
● Hyper-V: LiveCloudKd
● KVM: Nitro, KVM-VMI, FireEye rVMI, Bitdefender KVMi
● QEMU: PyREBox
VMI Projects : Silos
PyREBox
LibVMI
icebox
LiveCloudKd
rVMI
pyvmidbg
DRAKVUF
The Idea : Unifying the ecosystem
Unifying the ecosystem
Unification : Constraints - Speed
abstraction layer == cost
Unification : Constraints - Compatibility
Provide a C API
Unification : Constraints - Cross-Platform
Be easy to maintain on Windows/Linux
Desired Quality - Memory Safety
(Diagram: Hypervisor / Virtualization layer, Introspection Agent, VMI API)
Desired Quality - Memory Safety
(Diagram: Hypervisor / Virtualization layer, Introspection Agent, VMI API; label: Attack Surface)
Unifying the ecosystem
● Speed
● C compatibility
● Cross-platform
● Memory safety
libmicrovmi : Playing lego with VMI
https://github.com/Wenzel/libmicrovmi
(Diagram: a Unified low-level VMI API between the backends and the VMI apps)
● Backends: Hypervisors, Custom Hypervisor, Emulators
● Unified low-level VMI API
● Building blocks: Address Translation, Semantic Engine, Breakpoint Manager, Event Dispatcher
● VMI Apps
○ Dynamic Analysis: pyvmidbg, icebox, rVMI, LiveCloudKd, DECAF, PANDA, PyREBox, Drakvuf
○ Live-Memory Analysis: Volatility, Rekall
○ OS Hardening, Monitoring, Fuzzing: ApplePie
libmicrovmi
libmicrovmi : Status
● read physical memory
● r/w VCPU registers
● Subscribe on hardware events
○ registers
■ mov CR0/CR3/CR4
■ mov DRx
■ r/w MSR
○ interrupts
○ singlestep
○ descriptors
○ hypercalls
○ memory
■ r/w/x on frame
■ switch on alternate EPT views
● Utilities
○ foreign memory mapping
○ pagefault injection
● C API
● LibVMI integration
● Xen
○ xenctrl / -sys
○ xenstore / -sys
○ xenforeignmemory / -sys
● KVM
○ kvmi / -sys
● VirtualBox
○ fdp / -sys
● Hyper-V
○ vid-sys
● QEMU
Demo: mem-dump on Xen / KVM / VirtualBox
Demo : Intercepting context switch on KVM (CR3 events)
● Demo is running in nested virtualization
Future - VM Introspection
● An OS-independent hooking framework
○ Hypervisor-based intrusion detection
○ Full-system view for debuggers
○ A new layer of hardening and defense in depth
○ Snapshot-based fuzzing capabilities
● Make VM Introspection a new commodity
One Last Thing : GSoC
● We will propose libmicrovmi for the GSoC
● Part of the Honeynet organization
● Ideas
○ Improve an existing driver
■ Xen / KVM / VirtualBox
○ Add support for emulators
■ QEMU / Bochs / Unicorn
○ Propose a stealth breakpoints implementation based on EPT
○ Add libloading support to rust-lang/bindgen #1541
Rustifying the VM Introspection ecosystem
FOSDEM 2020
Mathieu Tarral, Dorian Eikenberg
https://github.com/Wenzel/libmicrovmi
@mtarral @rageagainsthepc