Follow the WhiteRabbit: Towards Consolidation of On-the-Fly Virtualization and Virtual Machine Introspection

The growing complexity of modern malware drives security applications to leverage virtual machine introspection (vmi), which provides a complete and untainted view over the virtual machine state. To benefit from this ability, a vmi-aware virtual machine monitor (vmm) must be set up in advance underneath the target system; a constraint for the massive application of vmi. In this paper, we present whiterabbit, a vmi framework comprising a microkernel-based vmm that transparently virtualizes a running operating system, on-the-fly, for the purpose of forensic analysis. As a result, the systems to be analyzed do not have to be explicitly set up for vmi a priori. After its deployment, our framework exposes vmi services for remote applications: whiterabbit implements a libvmi interface that enables it to be engaged by popular vmi applications remotely. Our prototype employs intel as well as arm virtualization extensions to take over control of a running linux system. Whiterabbit’s on-the-fly capability and limited virtualization overhead constitute an effective solution for malware detection and analysis