Brussels / 1 & 2 February 2020


Rustifying the Virtual Machine Introspection ecosystem

Why Rust is the best language for introspection agents in the future

From stealth malware analysis to OS hardening through fuzzing, virtual machine introspection is expanding the possibilities offered by our hypervisors, shifting our view of virtual machines, from opaques containers to fully transparent and instrumentable systems.

Today the VMI ecosystem is made of a multitude of applications, targeting one hypervisor or emulator, with their own semantic library. (Examples includes Drakvuf, PANDA, PyREBox, icebox, etc...). If we want to make the most out of VMI in the future, we need to build the libraries that will unify this ecosystem and let the developers focus on what matters: building quality VMI apps.

This is where libmicrovmi comes into play. It aims to solve this problem, by providing a core, foundation library, written in Rust, to be cross-platform, hypervisor-agnostic and emulator-agnostic, on top of which higher-level libraries and apps can rebase.

Rust makes a lot of sense for VMI for 2 main reasons:

  • Rust is safe: considering that we are processing untrusted input from virtual machines, we cannot allow any crash or exploitation in the introspection agent. Also one of our use case is OS hardening, which needs an excellent level of trust
  • Rust is fast: processing an event requires to pause the VCPU. The longer the pause, the more delayed the guest execution will be, and when scaling to thousands of events per second this can dramatically influence how many breakpoints you are willing to put, especially on production systems. Speed matters.

Therefore Rust is the de facto choice for VMI apps in the future, and we are building it today, by providing libmicrovmi, a new foundation for VMI.

Libmicrovmi has drivers for:

  • Xen
  • KVM
  • Hyper-V (in progress)

What is VMI ?

Vrtual Machine Introspection is a concept born in a 2003 research paper titled "A Virtual Machine Introspection Based Architecture for Intrusion Detection". The idea resides in inspecting and understanding the real-time high-level state of a virtual machine, based on the hardware layer, for security purposes.

Since then the technology has made its way, from research and academic developments to being fully integrated and supported into mainstream hypervisors, like Xen.

What are the use-cases ?

The initial population who adopted VMI has been malware sandbox providers. Since common malware had a tendency to hide from debuggers, the level of stealth reached with this technology made it perfectly suited for this job, alongside the full system view.

Today VMI has grown to be applied in various domains:

  • Debugging
  • Malware Analysis
  • Live Memory Analysis
  • OS Hardening
  • Fuzzing

What is the state of the technology today ?

As of today, Xen is the leading hypevisor, haivng VMI APIs since 2011. And since 2017, both KVM and VirtualBox have patches available, and even reviewed on the mailing list for KVM.

Regarding the libraries available, LibVMI stands out, as it provides a unified, hypervisor-agnostic, VMI API to applications, and a well-known malware analysis framework (Drakvuf) is based on it.

However, most of VMI applications today do not share the same common set of core libraries, which makes the ecosystem fragmented and hard to deal with, where a lot of efforts is spent solving the same problems everyone has, isolated by their own stacks.

Why Rust ?

This is where Rust comes into play. The language itself combines 3 important features:

  • Safety: new VMI applications have a focus on OS hardening, rebasing your trust on an introspection agent to avoid a kernel compromise is a huge deal, especially when the agent has high-privileges.
  • Speed: the amount of hardware events that can you can handle per second will define how much impact your agent has on the guest execution. This has to be kept as low as possible, otherwise the technology's adoption won't go further than private malware analysis systems.
  • Cross-platform: Rust's build system and standard library allow to effortlessly build a cross-plaform library, which is a requirements to bring developers using KVM, Hyper-V or even VirtualBox to share the same library.

Building this core library that will unify the ecosystem is the goal of libmicrovmi.

Related work

I have been building a hypervisor-level debugger, based on LibVMI. It can introspect a Windows guest and debug a specific process, while providing a GDB stub to be plugged into your favorite GDB fronted (IDA, radare2, etc ....)

Expected knowledge

The audience will need a bit of familiarity with virtualization concepts, this will be enough to understand the idea of introspection.

They can be totally new to Rust, as I once was a few months ago.


Photo of Mathieu Tarral Mathieu Tarral