Rust
Rustifying the Virtual Machine Introspection ecosystem
Why Rust is the best language for introspection agents in the future
TLDR: Even though VM Introspection has lots of applicable areas,
it has not gained it's full potential yet, due to a fragmented ecosystem.
This talk will quickly review the state of the technology and we
will present our solution: a Rust library aiming at solving the issue mentionned before,
in order to make VMI a commodity in the future for apps developers, enabling them to do:
Advanced Malware Analysis
Live-Memory Analysis
Complex debugging
OS Hardening
Snapshot-based fuzzing
Targeting any VMI compatible hypervisor or emulator.
From stealth malware analysis to OS hardening through fuzzing, virtual machine
introspection is expanding the possibilities offered by our hypervisors,
shifting our view of virtual machines, from opaques containers to fully
transparent and instrumentable systems.
Today the VMI ecosystem is made of a multitude of applications, targeting one
hypervisor or emulator, with their own semantic library. (Examples includes
Drakvuf, PANDA, PyREBox, icebox, etc...). If we want to make the most out of VMI
in the future, we need to build the libraries that will unify this ecosystem and
let the developers focus on what matters: building quality VMI apps.
This is where libmicrovmi comes into play. It aims to solve this problem, by
providing a core, foundation library, written in Rust, to be cross-platform,
hypervisor-agnostic and emulator-agnostic, on top of which higher-level
libraries and apps can rebase.
Rust makes a lot of sense for VMI for 2 main reasons:
Rust is safe: considering that we are processing untrusted input from virtual
machines, we cannot allow any crash or exploitation in the introspection
agent. Also one of our use case is OS hardening, which needs an excellent
level of trust
Rust is fast: processing an event requires to pause the VCPU. The longer the
pause, the more delayed the guest execution will be, and when scaling to
thousands of events per second this can dramatically influence how many breakpoints
you are willing to put, especially on production systems. Speed matters.
Therefore Rust is the de facto choice for VMI apps in the future, and we are
building it today, by providing libmicrovmi, a new foundation for VMI.
Libmicrovmi has drivers for:
Xen
KVM
Hyper-V (in progress)
What is VMI ?
Vrtual Machine Introspection is a concept born in a 2003 research paper titled
"A Virtual Machine Introspection Based Architecture for Intrusion Detection".
The idea resides in inspecting and understanding the real-time high-level state
of a virtual machine, based on the hardware layer, for security purposes.
Since then the technology has made its way, from research and academic
developments to being fully integrated and supported into mainstream
hypervisors, like Xen.
What are the use-cases ?
The initial population who adopted VMI has been malware sandbox providers. Since
common malware had a tendency to hide from debuggers, the level of stealth
reached with this technology made it perfectly suited for this job, alongside
the full system view.
Today VMI has grown to be applied in various domains:
Debugging
Malware Analysis
Live Memory Analysis
OS Hardening
Fuzzing
What is the state of the technology today ?
As of today, Xen is the leading hypevisor, haivng VMI APIs since 2011. And since
2017, both KVM and VirtualBox have patches available, and even reviewed on the
mailing list for KVM.
Regarding the libraries available, LibVMI stands out, as it provides a unified,
hypervisor-agnostic, VMI API to applications, and a well-known malware analysis
framework (Drakvuf) is based on it.
However, most of VMI applications today do not share the same common set of core
libraries, which makes the ecosystem fragmented and hard to deal with, where a lot
of efforts is spent solving the same problems everyone has, isolated by their
own stacks.
Why Rust ?
This is where Rust comes into play. The language itself combines 3 important features:
Safety: new VMI applications have a focus on OS hardening, rebasing your trust
on an introspection agent to avoid a kernel compromise is a huge deal,
especially when the agent has high-privileges.
Speed: the amount of hardware events that can you can handle per second will
define how much impact your agent has on the guest execution. This has to be
kept as low as possible, otherwise the technology's adoption won't go further
than private malware analysis systems.
Cross-platform: Rust's build system and standard library allow to effortlessly
build a cross-plaform library, which is a requirements to bring developers
using KVM, Hyper-V or even VirtualBox to share the same library.
Building this core library that will unify the ecosystem is the goal of libmicrovmi.
Related work
I have been building a hypervisor-level debugger, based on LibVMI. It can
introspect a Windows guest and debug a specific process, while providing a GDB
stub to be plugged into your favorite GDB fronted (IDA, radare2, etc ....)
Expected knowledge
The audience will need a bit of familiarity with virtualization concepts, this
will be enough to understand the idea of introspection.
They can be totally new to Rust, as I once was a few months ago.
Additional information
| Type | devroom |
|---|
More sessions
| 2/2/20 |
Complying with license obligations can incur a lot of hurdles. This results in developers skipping compliance or failing to achieve correct compliance. To compound this, package authors sometimes fail to describe the license of their package clearly or omit license information of included files. ClearlyDefined is a community curated repository of discovered license information for Crates packages, among other types. This talk will cover: the importance of the license obligations of the ...
|
| 2/2/20 |
A talk about cargo-deny, why we created it, and how it helps us manage our dependencies in the long term.
|
| 2/2/20 |
Rust is a language with a healthy ecosystem and a strong developer base. With built-in dependency management it's easy to build and install new programs even for those who have never used the language. But how is its adoption among Linux distros? Come with me as we figure out how best to package rust libraries and binaries in Linux distributions which demand total control over dependency management.
|
| 2/2/20 |
Rust compiler comes with a few tools, rustdoc is one of them. It is THE standard rust tool to generate documentation for your crates.
|
| 2/2/20 |
This talk will introduce the Muses project, which applies programming language theory and practice, physical computing, networking, and musicial theory to design and implementation of Digital Musical Instruments. Rust is a key ingredient in the Muses project, providing a robust and performant foundation for cross platform, desktop, and embedded system development. The talk will give a brief introdution to Muses project as a whole and then focus on the use of Rust in developing a selection of ...
|
| 2/2/20 |
rav1e is a fast AV1 encoder written in rust (and plenty of assembly), released monthly. Since the 0.1.0 release we try to make sure we provide an adequate speed or quality boost compared to the previous. This talk is about what tools are available in the rust ecosystem and what are the practices that worked best for us.
|
| 2/2/20 |
sled is an embedded database that takes advantage of modern lock-free indexing and flash-friendly storage. rio is a pure-rust io_uring library unlocking the linux kernel's new asynchronous IO interface. This short talk will cover techniques that have been used to take advantage of modern hardware and kernels while optimizing for long term developer happiness in a complex, correctness-critical Rust codebase.
|
