Portal de Periódicos da CAPES

Blue-Pill Oxpecker: A VMI Platform for Transactional Modification

2021; Institute of Electrical and Electronics Engineers; Volume: 11; Issue: 1 Linguagem: Inglês

10.1109/tcc.2021.3067829

2372-0018

Seyed Mohammad Ali Aghamirmohammadali, Behnam Momeni, Solmaz Salimi, Mehdi Kharrazi,

Digital and Cyber Forensics

Although multiple techniques have been proposed with the goal of minimizing the semantic gap in virtual machine introspection, most concentrate on passive observation of the internal state, while there are also a number of proposals with which active modification of the VM's internal state is made possible. However there are issues when modifications are applied, such as keeping a consistent kernel state and avoiding a crash. In this article we propose Oxpecker, a VMI platform for transactional modification. The out-of-VM read access allows an introspector to detect malware in the guest OS (e.g., rootkit) and the transactional write access allows Oxpecker to reliably neutralize the detected threats. To begin a transaction, Oxpecker monitors VM state changes waiting for an idle moment which is free of possible race-conditions in the guest kernel memory. Thereafter, it invokes a VMI client's callback to proceed with reading/writing in its memory. Upon user request or possible exceptions, transaction is rolled back while the transaction ACID properties are maintained at all times. Oxpecker is implemented and evaluated under different real-world workloads. Additionally and as a practical example, a tool is developed, and open sourced, based on Oxpecker with which guest VM processes could be killed.