Follow the WhiteRabbit: Towards Consolidation of On-the-Fly Virtualization and Virtual Machine Introspection

Abstract: The growing complexity of modern malware drives security applications to leverage Virtual Machine Introspection (VMI), which provides a complete and untainted view of the Virtual Machine state. To benefit from this ability, a VMI-aware Virtual Machine Monitor (VMM) must be set up in advance underneath the target system; this is a constraint on the large-scale application of VMI. In this paper, we present WhiteRabbit, a VMI framework comprising a microkernel-based VMM that transparently virtualizes a running Operating System, on-the-fly, for the purpose of forensic analysis. As a result, the systems to be analyzed do not have to be explicitly set up for VMI a priori. After its deployment, our framework exposes VMI services to remote applications: WhiteRabbit implements a LibVMI interface that enables it to be engaged remotely by popular VMI applications. Our prototype employs Intel as well as ARM virtualization extensions to take over control of a running Linux system. WhiteRabbit’s on-the-fly capability and limited virtualization overhead constitute an effective solution for malware detection and analysis.
Document type: Conference papers
Cited literature: 30 references
Contributor: Hal Ifip
Submitted on: Thursday, February 21, 2019 - 4:41:39 PM
Last modification on: Thursday, January 6, 2022 - 11:38:05 AM
Long-term archiving on: Wednesday, May 22, 2019 - 7:39:18 PM


Files produced by the author(s)


Distributed under a Creative Commons Attribution 4.0 International License



Sergej Proskurin, Julian Kirsch, Apostolis Zarras. Follow the WhiteRabbit: Towards Consolidation of On-the-Fly Virtualization and Virtual Machine Introspection. 33rd IFIP International Conference on ICT Systems Security and Privacy Protection (SEC), Sep 2018, Poznan, Poland. pp. 263-277, ⟨10.1007/978-3-319-99828-2_19⟩. ⟨hal-02023739⟩