Virtual Machine Introspection - adava/DECAF-Selective GitHub Wiki

VMI functionality aims to provide a fresh view of the virtual machine. In particular, VMI gathers information about the following objects:

  • Processes
  • Threads
  • Module codes
  • Exported symbols

In order to gather information about the above objects, DECAF follows two important principles. Firstly, DECAF collects information about an event as soon as the code is loaded into memory. Secondly, DECAF applies the VMI functionality in an operating-system-independent way. Both of these principles are missing from the earlier whole-system dynamic analysis tools that preceded DECAF.

DECAF implements the VMI functionality by tracking cache misses. The translation lookaside buffer (TLB) maps the pages of a process address space to physical memory pages. Whenever a code module is absent from memory, a TLB execute-cache miss event is triggered. VMI tracks such events and collects information about the newly loaded code when the page is loaded.

DECAF collects information about new processes and modules and retrieves the symbols of every new module. Figure 10 shows the VMI logic when a TLB execute-cache miss happens. DECAF knows the guest's program counter (PC), so it can check whether the PC falls in kernel space. If so, the kernel was executing before the TLB miss. DECAF then loads the data about the kernel and checks whether the PC falls in any of the previously loaded modules. If not, the miss is the result of an absent kernel module: DECAF records the new module in the module list and retrieves the symbols for the module. The flowchart in Figure 10 shows similar logic when the PC is not in the kernel address space, except that it also handles the case where the process is being loaded for the first time; in that case the process is added to the list of processes.

Figure 10. VMI flowchart
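The Figure 10 decision logic, written out as an added example (not DECAF's own code) that runs on a simulated TLB execute-cache miss. It stands in for the block_end_cb callback registered for DECAF_TLB_EXEC_CB; the kernel/user split address, the pid used for kernel modules, and the module bounds passed in by the caller (which DECAF would read from guest OS structures) are constructed assumptions.

```c
/* Added example (not DECAF's own code): the Figure 10 decision logic run on a
 * simulated TLB execute-cache miss. Module bounds normally come from the guest
 * OS structures DECAF reads; here the caller passes constructed values. */
#include <stdint.h>

#define KERNEL_BASE 0x80000000u   /* assumed 2G/2G x86 split: PC >= base is kernel */
#define KERNEL_PID  0u            /* kernel modules are tracked under this pid */
#define MAX_ENTRIES 16

/* Flags returned by vmi_on_tlb_exec_miss() describing what the handler did. */
enum { VMI_IN_KERNEL = 1, VMI_NEW_PROCESS = 2, VMI_NEW_MODULE = 4 };

typedef struct { uint32_t pid, base, size; const char *name; } module_t;
static uint32_t procs[MAX_ENTRIES]; static int nprocs;  /* tracked processes */
static module_t mods[MAX_ENTRIES];  static int nmods;   /* tracked modules   */

static int module_known(uint32_t pid, uint32_t pc) {
    for (int i = 0; i < nmods; i++)
        if (mods[i].pid == pid && pc >= mods[i].base && pc < mods[i].base + mods[i].size)
            return 1;
    return 0;
}
static int process_known(uint32_t pid) {
    for (int i = 0; i < nprocs; i++) if (procs[i] == pid) return 1;
    return 0;
}

/* Stand-in for block_end_cb on a DECAF_TLB_EXEC_CB event. mod_base/mod_size/
 * mod_name describe the module the guest OS reports as containing pc. */
int vmi_on_tlb_exec_miss(uint32_t pid, uint32_t pc,
                         uint32_t mod_base, uint32_t mod_size, const char *mod_name) {
    int flags = 0;
    uint32_t owner = pid;
    if (pc >= KERNEL_BASE) {            /* kernel was executing before the miss */
        flags |= VMI_IN_KERNEL;
        owner = KERNEL_PID;
    } else if (!process_known(pid)) {   /* user PC: first sighting of this process */
        if (nprocs < MAX_ENTRIES) procs[nprocs++] = pid;
        flags |= VMI_NEW_PROCESS;
    }
    if (module_known(owner, pc)) return flags;  /* already tracked: nothing to do */
    if (nmods < MAX_ENTRIES) {          /* record it; DECAF would now fetch its symbols */
        module_t m = { owner, mod_base, mod_size, mod_name };
        mods[nmods++] = m;
        flags |= VMI_NEW_MODULE;
    }
    return flags;
}
```

The returned flags let a caller tell apart a kernel-module miss, a first sighting of a process, and a repeated execution inside an already tracked module, which returns 0.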

The VMI functionality is implemented through DECAF's callback-based binary instrumentation support; the logic above is invoked through a callback mechanism. DECAF provides a systematic way of registering a callback for an event, which we explain in detail on the Binary instrumentation page. Using this callback mechanism, DECAF registers a callback for the DECAF_TLB_EXEC_CB event, which corresponds to a TLB execute-cache miss. The callback registered for this event is the block_end_cb function, which implements the logic above. VMI callback registration traces back to the initialization calls of Qemu: Qemu calls DECAF_init, which calls VMI_init, which in turn calls DECAF_register_callback to register block_end_cb for the DECAF_TLB_EXEC_CB event. The call trace to DECAF_register_callback is shown in Figure 11. During execution, on x86, the cpu_x86_handle_mmu_fault function handles the DECAF_TLB_EXEC_CB event, and that is where DECAF checks for and calls the registered callbacks.

Figure 11. VMI initialization