Under the Hood: How Actaeon Unveils Your Hypervisor presented at HITBSecConf Malaysia 2013

by Mariano Graziano, Andrea Lanzi,

Summary: In recent years virtualization has become very popular and is used everywhere: in home installations to run several operating systems on the same machine, and in the cloud to provide distributed services. The word 'hypervisor' is now familiar, and virtual machine monitors such as VMware, KVM and Xen are in everyday use. In 2010 Christiaan Beek [1] asked the community to focus on virtual forensics; at the time the field needed more research and more tools. In particular, the problem of finding a hypervisor in memory is similar to that of automatically reconstructing information about an unknown operating system in memory. In this presentation we want to fill this reverse engineering gap and present a new forensics tool named Actaeon, which provides a new forensic environment for hypervisor analysis.
The main idea behind Actaeon is that, even though the code, internals and position in memory of a hypervisor may be unknown, there is still one important piece of information we can use to discover its presence. In order to use the virtualization support provided by most modern hardware architectures, the processor requires a particular data structure, the VMCS (Virtual Machine Control Structure on Intel VT-x), to store the information about the execution of each virtual machine. By first finding these data structures in a memory dump and then analyzing their content, we can reconstruct a precise representation of what was running on the system under test.
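The detection idea above, as an added example that is not Actaeon's own code: scan a raw physical memory dump page by page for candidate VMCS regions and validate each candidate with a few consistency checks. The only architectural facts relied on are that a VMCS region starts with the 32-bit VMCS revision identifier followed by the 32-bit VMX-abort indicator, and that the VMCS link pointer must be all ones when VMCS shadowing is not in use. Everything else is an assumption for the demo: the field offsets in `OFFSETS` are hypothetical (real offsets are opaque and must be recovered per microarchitecture, which is exactly the reverse engineering step the talk describes), and the dump is constructed inline.

```python
import struct

PAGE_SIZE = 0x1000
VMCS_LINK_POINTER_UNUSED = 0xFFFF_FFFF_FFFF_FFFF  # required value when VMCS shadowing is off

# Hypothetical field offsets inside the 4 KiB VMCS region. They are an assumption
# for this demo: real offsets are not documented, differ between microarchitectures
# and have to be reverse engineered for the CPU model that produced the dump.
OFFSETS = {
    "VMCS_LINK_POINTER": 0x18,
    "HOST_CR3": 0x80,
    "HOST_RIP": 0x88,
}


def read_u32(mem, off):
    return struct.unpack_from("<I", mem, off)[0]


def read_u64(mem, off):
    return struct.unpack_from("<Q", mem, off)[0]


def looks_like_page_table(mem, phys):
    """Plausibility check: the page CR3 points to should hold at least one present (bit 0) entry."""
    if phys + PAGE_SIZE > len(mem):
        return False
    return any(read_u64(mem, phys + i) & 1 for i in range(0, PAGE_SIZE, 8))


def validate_vmcs(mem, page, revision_id, offsets=OFFSETS):
    """Return the list of failed checks for a candidate page (empty list = plausible VMCS)."""
    failed = []
    if read_u32(mem, page) != revision_id:
        failed.append("revision_id")
    if read_u32(mem, page + 4) != 0:            # VMX-abort indicator is 0 on a live VMCS
        failed.append("abort_indicator")
    if read_u64(mem, page + offsets["VMCS_LINK_POINTER"]) != VMCS_LINK_POINTER_UNUSED:
        failed.append("link_pointer")
    cr3 = read_u64(mem, page + offsets["HOST_CR3"]) & ~0xFFF   # drop PCID / flag bits
    if cr3 == 0 or not looks_like_page_table(mem, cr3):
        failed.append("host_cr3")
    rip = read_u64(mem, page + offsets["HOST_RIP"])
    if rip >> 48 != 0xFFFF:                     # host RIP should be a canonical kernel address
        failed.append("host_rip")
    return failed


def scan_for_vmcs(mem, revision_id, offsets=OFFSETS):
    """Walk the dump one page at a time and return the physical addresses of plausible VMCS regions."""
    hits = []
    for page in range(0, len(mem) - PAGE_SIZE + 1, PAGE_SIZE):
        if read_u32(mem, page) == revision_id and not validate_vmcs(mem, page, revision_id, offsets):
            hits.append(page)
    return hits


def build_sample_dump(revision_id=0x0000000E):
    """Constructed 8-page 'memory dump' (not a real capture): a VMCS at page 5 and a decoy at page 6."""
    mem = bytearray(8 * PAGE_SIZE)
    pt = 2 * PAGE_SIZE
    struct.pack_into("<Q", mem, pt, (3 * PAGE_SIZE) | 0x3)    # one present, writable PML4 entry

    def write_vmcs(page, link_ptr):
        struct.pack_into("<I", mem, page, revision_id)
        struct.pack_into("<Q", mem, page + OFFSETS["VMCS_LINK_POINTER"], link_ptr)
        struct.pack_into("<Q", mem, page + OFFSETS["HOST_CR3"], pt)
        struct.pack_into("<Q", mem, page + OFFSETS["HOST_RIP"], 0xFFFFFFFF81000000)

    write_vmcs(5 * PAGE_SIZE, VMCS_LINK_POINTER_UNUSED)
    write_vmcs(6 * PAGE_SIZE, 0)   # decoy: revision id matches but the link pointer is wrong
    return bytes(mem), revision_id


if __name__ == "__main__":
    dump, rev = build_sample_dump()
    print([hex(p) for p in scan_for_vmcs(dump, rev)])   # ['0x5000']
```

The revision identifier alone is a weak signature (a 32-bit value that can legitimately appear elsewhere in memory), which is why the scanner only reports pages that also pass the structural checks; on a real dump the expected revision identifier comes from the `IA32_VMX_BASIC` MSR of the CPU model under analysis.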
During the presentation we will explain the technical details of the Actaeon internals. First, we will describe the reverse engineering effort needed to recover the offsets of the fields of the VMCS, the main hypervisor structure. Recovering the layout of this memory structure is crucial for an accurate hypervisor forensics task, since the layout is not documented and changes between microarchitectures. We will then present a demo in which we reverse the VMCS memory layout for a particular microarchitecture.

In the second part we will describe the limitations of the Volatility tool for analyzing the guest operating systems and the hypervisors themselves; in particular we will show that Volatility cannot automatically analyze the operating system running inside a virtual machine.

In the third part we will describe how to change the core of Volatility in order to create a transparent memory forensics analyzer. Our goal is to transparently support existing memory analysis techniques: for example, if a Windows user is running a second Windows OS inside a virtual machine, thanks to our techniques a memory forensics plugin that lists the running processes should be able to apply its analysis to either operating system. For this purpose we will introduce the main concepts of Intel VT-x, EPT (Extended Page Tables) and nested virtualization, and we will show a live demo of the modifications to Volatility that allow it to analyze hypervisors in memory.
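The translation layer that makes the "transparent" analysis of the third part possible, as an added example that is not Actaeon's or Volatility's code: a guest's memory is addressed by guest-physical addresses, and the EPT referenced from the VMCS maps those to host-physical addresses, which are the offsets in the dump. The walker below follows the documented four-level EPT format (entries of 8 bytes, R/W/X in bits 2:0, next-table or page address in bits 51:12, bit 7 marking a 1 GiB or 2 MiB large page at the PDPT and PD levels, and the PML4 address in bits 51:12 of the EPTP). The dump, its EPT tables, the EPTP value and the guest data are all constructed inline and do not come from a real system.

```python
import struct

PAGE_SIZE = 0x1000
ADDR_MASK = 0x000F_FFFF_FFFF_F000   # bits 51:12 of an EPT entry: next table or page address


def _entry(mem, table, index):
    return struct.unpack_from("<Q", mem, table + index * 8)[0]


def ept_translate(mem, eptp, gpa):
    """Translate a guest-physical address to a host-physical one via the 4-level EPT rooted at EPTP.
    Returns None when the mapping is absent (no read/write/execute permission at some level)."""
    table = eptp & ADDR_MASK
    for shift in (39, 30, 21, 12):               # PML4, PDPT, PD, PT index positions
        e = _entry(mem, table, (gpa >> shift) & 0x1FF)
        if e & 0x7 == 0:                         # no R/W/X bit: entry not present
            return None
        if shift == 12 or (shift in (30, 21) and e & (1 << 7)):   # leaf: 4 KiB, 2 MiB or 1 GiB page
            page_mask = (1 << shift) - 1
            return (e & ADDR_MASK & ~page_mask) | (gpa & page_mask)
        table = e & ADDR_MASK
    return None


def read_guest_physical(mem, eptp, gpa, size):
    """Read guest-physical memory through the EPT, in 4 KiB chunks so that a read may cross pages
    that are not contiguous in host-physical memory."""
    out = bytearray()
    while size:
        hpa = ept_translate(mem, eptp, gpa)
        if hpa is None:
            raise ValueError(f"guest-physical {gpa:#x} is not mapped in the EPT")
        chunk = min(size, PAGE_SIZE - (gpa & 0xFFF))
        out += mem[hpa:hpa + chunk]
        gpa += chunk
        size -= chunk
    return bytes(out)


def build_sample_dump():
    """Constructed 16-page 'dump' (not a real capture) with an EPT that maps:
       gpa 0x0000 -> hpa 0x7000 and gpa 0x1000 -> hpa 0x8000 through a page table, and
       gpa 0x200000..0x3FFFFF -> hpa 0x0..0x1FFFFF as one 2 MiB large page."""
    mem = bytearray(16 * PAGE_SIZE)
    pml4, pdpt, pd, pt = 0x1000, 0x2000, 0x3000, 0x4000
    struct.pack_into("<Q", mem, pml4, pdpt | 0x7)
    struct.pack_into("<Q", mem, pdpt, pd | 0x7)
    struct.pack_into("<Q", mem, pd, pt | 0x7)            # PD[0] -> page table
    struct.pack_into("<Q", mem, pd + 8, 0x0 | 0x87)      # PD[1]: 2 MiB large page at hpa 0
    struct.pack_into("<Q", mem, pt, 0x7000 | 0x7)        # PT[0]: gpa 0x0000 -> hpa 0x7000
    struct.pack_into("<Q", mem, pt + 8, 0x8000 | 0x7)    # PT[1]: gpa 0x1000 -> hpa 0x8000
    mem[0x7FF8:0x8000] = b"HELLO_GU"                     # guest data straddling a page boundary
    mem[0x8000:0x8008] = b"EST_OS!\x00"
    eptp = pml4 | 0x1E                                   # memory type WB (6), walk length 4
    return bytes(mem), eptp


if __name__ == "__main__":
    dump, eptp = build_sample_dump()
    print(hex(ept_translate(dump, eptp, 0x1234)))                 # 0x8234
    print(read_guest_physical(dump, eptp, 0xFF8, 16))             # b'HELLO_GUEST_OS!\x00'
```

Wrapping `read_guest_physical` in an address-space object is what lets an unmodified process-listing plugin run against the guest: the plugin keeps issuing what it believes are physical reads, and the EPT layer turns each of them into a read of the host dump. The EPTP itself is a VMCS field, so this layer depends on the VMCS offsets recovered in the first part of the talk.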