Building a flexible hypervisor-level debugger by Mathieu Tarral (@mtarral)

Insomni'hack 2019
Title : Building a flexible hypervisor-level debugger

Virtual Machine Introspection is a technique which leverages the hypervisor to allow the virtual machine hardware state (VCPU registers, virtual/physical memory) to be inspected in real-time. This technology has interested security researchers since a long time as the first scientific paper on the topic dates back to 2003. However, the complexity of hypervisors has restrained the existing attempts from gaining a wider audience. Furthermore, the semantic gap to be solved while interpreting the context of the virtual machine and the performance overhead induced by the introspection has prevented it from breaking out of the research sphere, despite his alleged benefits. This situation has persisted for many years until a set of memory introspection patches were submitted and later merged in Xen in 2009.

As of today, Xen is offering the most complete VMI API available, and successful projects such as a stealth malware analysis sandbox (Drakvuf) or an agentless cloud monitoring solution (BitDefender HVI) have been built on top of it. This is shifting our view of virtual machines, from opaque containers to transparent and monitor-able systems.

Applying the same principle to our debuggers gives us huge benefits, among them being the stealth and robustness required to analyze unknown samples. In 2017, FireEye released rVMI, a rekall based full system analysis debugger, leveraging VMI on top of KVM and demonstrating the effectiveness of such tools.

In this talk, I would like to present pyvmidbg, a VMI debugger LibVMI. Pursuing the research on the topic, it introduces 2 critical changes: First, it has been build with libvmi and is therefore agnostic of the underlying hypervisor (Xen or KVM). Second, it relies on GDB protocol to keep the compatibility with our existing reverse-engineering frameworks.