MICROARCHITECTURE INDEPENDENT VM INTROSPECTION presented at Ruxcon 2015

by Shane "k2" Macaulay

Summary: Mapping a physical memory dump back into virtual address space is the first step in volatile memory forensics. Serious barriers have been broken down over several years by tools like Volatility and its recent forks. Cloud and virtualized environments have compounded these issues, which has created the need for virtual machine introspection capabilities.
Current techniques, like Actaeon and Google's Rekall, have implemented methods for acquiring and analyzing physical memory which are hypervisor-agnostic (able to work with Hyper-V, Xen, VMware, etc.). Unfortunately, both of these existing tools require specific profiles to be created and maintained (e.g. using Rekall's vmcs_layout Linux kernel module) based on the platform (micro)architecture where the memory dump was acquired.
I will demonstrate an extension of our earlier physical-memory methods for hidden process detection, which leverage the self-referencing page-table entry present in the page tables of all Windows versions (and many other OS platforms). This capability is rooted in hardware and in the intimate interaction with the page fault handler, and as such provides near-perfect assurance that all virtual address space mappings are detected.
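As an added illustration of the self-referencing page-table idea (example code written for this page, not the speaker's tool or the Volatility/Rekall code), the scanner below walks a flat physical image page by page looking for a present 64-bit entry whose target PFN is the page that contains it, then validates each hit by translating the self-map address back through the candidate root and by requiring that the table maps something besides itself. The 16-page "dump" is constructed inline; the self-reference is placed at index 0x1ED, the PML4 slot Windows x64 used until Windows 10 1803 randomised it, but the scan itself does not depend on that index. Assumptions: a raw, gap-free image where file offset equals physical address (crash-dump run tables would need mapping first), 4-level paging, and a 52-bit physical address mask. Note that inside a VM the addresses recovered this way are guest-physical; relating them to host-physical pages is exactly the VMCS/EPT problem the rest of the abstract addresses.

```python
"""Find self-mapped page-table roots in a raw physical memory image.

Added example for this page; not code from the talk or from Volatility/Rekall.
The image is constructed below so the script runs offline.
"""
import struct

PAGE = 4096
ENTRIES = PAGE // 8
PFN_MASK = 0x000F_FFFF_FFFF_F000  # bits 51:12 of an entry (assumes MAXPHYADDR <= 52)
P_BIT = 1 << 0                     # present
PS_BIT = 1 << 7                    # large page: 1 GiB at PDPT level, 2 MiB at PD level


def entries(dump, pfn):
    """Return the 512 little-endian 64-bit entries stored in physical page `pfn`."""
    return struct.unpack_from("<512Q", dump, pfn * PAGE)


def find_self_ref(dump):
    """Every (pfn, index) whose present entry points back at its own page.

    A self-mapped PML4 produces one of these; so can random data, which is why
    callers validate with validate_root()."""
    hits = []
    for pfn in range(len(dump) // PAGE):
        for i, e in enumerate(entries(dump, pfn)):
            if e & P_BIT and (e & PFN_MASK) >> 12 == pfn:
                hits.append((pfn, i))
    return hits


def translate(dump, pml4_pfn, va):
    """4-level x86-64 page walk from `pml4_pfn`; physical address or None."""
    pfn = pml4_pfn
    for level, shift in enumerate((39, 30, 21, 12)):
        e = entries(dump, pfn)[(va >> shift) & 0x1FF]
        if not e & P_BIT:
            return None
        if level == 1 and e & PS_BIT:                       # 1 GiB page
            return (e & PFN_MASK & ~0x3FFF_FFFF) | (va & 0x3FFF_FFFF)
        if level == 2 and e & PS_BIT:                       # 2 MiB page
            return (e & PFN_MASK & ~0x1F_FFFF) | (va & 0x1F_FFFF)
        pfn = (e & PFN_MASK) >> 12
    return (pfn << 12) | (va & 0xFFF)


def self_ref_va(index):
    """Canonical VA that reaches the PML4 page through its own self-map entry."""
    va = (index << 39) | (index << 30) | (index << 21) | (index << 12)
    return va | (0xFFFF << 48) if index & 0x100 else va   # sign-extend bit 47


def validate_root(dump, pfn, index):
    """Keep a candidate only if the self-map walks back to its own page and the
    table maps at least one other page (a lone self-loop is what noise gives)."""
    if translate(dump, pfn, self_ref_va(index)) != pfn << 12:
        return False
    return any(e & P_BIT and i != index for i, e in enumerate(entries(dump, pfn)))


def find_roots(dump):
    """Validated page-table roots (DTB candidates) in the image."""
    return [(p, i) for p, i in find_self_ref(dump) if validate_root(dump, p, i)]


def build_sample_dump():
    """Constructed 16-page image: self-mapped PML4 at PFN 5 (index 0x1ED),
    PDPT/PD/PT at PFNs 6/7/8 mapping VA 0x3000 to a data page at PFN 9,
    plus three decoys that a naive scan might trip over."""
    dump = bytearray(16 * PAGE)

    def put(pfn, i, value):
        struct.pack_into("<Q", dump, pfn * PAGE + i * 8, value)

    flags = 0x63                                  # present, writable, accessed, dirty
    PML4, PDPT, PD, PT, DATA = 5, 6, 7, 8, 9
    put(PML4, 0x1ED, (PML4 << 12) | flags)        # the self-reference
    put(PML4, 0, (PDPT << 12) | flags)
    put(PDPT, 0, (PD << 12) | flags)
    put(PD, 0, (PT << 12) | flags)
    put(PT, 3, (DATA << 12) | flags)
    dump[DATA * PAGE:DATA * PAGE + 6] = b"SECRET"  # constructed marker
    put(3, 7, (PML4 << 12) | flags)               # decoy: points elsewhere, not to itself
    put(4, 9, 4 << 12)                            # decoy: self-pointing but not present
    put(10, 1, (10 << 12) | flags)                # decoy: bare self-loop, nothing else mapped
    return dump


if __name__ == "__main__":
    dump = build_sample_dump()
    print("raw self-ref hits:", [(p, hex(i)) for p, i in find_self_ref(dump)])
    roots = find_roots(dump)
    print("validated roots:", [(p, hex(i)) for p, i in roots])
    pfn, _ = roots[0]
    pa = translate(dump, pfn, 0x3000)
    print("VA 0x3000 -> PA", hex(pa), dump[pa:pa + 6])
```

On a real image the raw scan yields more noise than shown here, so the "maps something other than itself" filter is usually tightened further (for example, requiring present entries in the kernel half of the PML4, indices 256 and up). The translate() helper is what turns a recovered root into the physical-to-virtual mapping the summary calls the first step of the analysis.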
Google's Rekall relies on symbol enumeration, extraction and profile generation to base its logical (OS-level) capabilities for recovering artifacts from memory dumps. Its ability to perform hypervisor introspection, however, is based on heuristics and signatures.
A revolutionary memory forensics analysis method based almost entirely on hardware-defined hypervisor internals (the VMCS/VMCB configuration; these are required baselines and therefore cannot be adjusted) will be demonstrated. This capability not only provides a high level of assurance in attesting that all physical pages can be addressed, including through an arbitrary nesting depth of hypervisors; it can also vastly reduce the time spent managing profile collections and the overall headaches that come with trying to identify whether any given cloud service provider uses Haswell, Ivy Bridge or Skylake.
This method is microarchitecture independent as well as hypervisor-agnostic.
I have also finished reviewing FreeBSD and will likely complete an update to include FreeBSD hidden process detection (physically detected) and VM introspection as well. I will sum up with a short list of possible attacks against systems which may not anticipate "unrestricted guest" operation (Intel architecture manual, Table 24-7, Secondary Processor-based VM-Execution Controls, bit 7, mask 0x80).