3. Virtual Machine Introspection
✗ In-guest agents are easily detected
✗ In-guest agents are vulnerable to rootkits
Move security stack outside of VMs!
✔ Increased isolation
✔ Complete view of the system
4. Virtual Machine Introspection
1. Isolation ✔ Security stack outside of VM
2. Interpretation ✔ LibVMI, Volatility, Rekall
3. Interposition ✔ Xen on Intel & ARM
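An added example, not from the talk and not DRAKVUF or LibVMI code, of the interpretation step above and of why an out-of-guest view is not fooled by a rootkit that unlinks itself from the in-guest process list: a constructed guest-memory image is decoded with hypothetical struct offsets, and a pointer walk is cross-checked against a stride scan. The offsets, the layout and the process names are all assumptions made up for this example.

```python
import struct
# Hypothetical process-struct layout standing in for the kernel profile (offsets) that
# Volatility/Rekall supply for a real guest; offsets and memory image are constructed.
PID_OFF, NAME_OFF, FLINK_OFF, STRUCT_SIZE, NAME_LEN = 0x0, 0x8, 0x18, 0x20, 16

def build_guest_memory(procs, base=0x1000):
    """Lay out a circular singly linked list of process structs in a flat buffer."""
    mem = bytearray(base + STRUCT_SIZE * len(procs))
    for i, (pid, name) in enumerate(procs):
        addr = base + i * STRUCT_SIZE
        nxt = base + ((i + 1) % len(procs)) * STRUCT_SIZE
        struct.pack_into("<Q", mem, addr + PID_OFF, pid)
        struct.pack_into(f"{NAME_LEN}s", mem, addr + NAME_OFF, name.encode())
        struct.pack_into("<Q", mem, addr + FLINK_OFF, nxt)
    return mem, base

def unlink_entry(mem, base, idx):
    """Model the in-guest view a list-unlinking rootkit leaves behind: the
    predecessor's link is routed around entry idx (idx > 0 assumed)."""
    victim = base + idx * STRUCT_SIZE
    (victim_next,) = struct.unpack_from("<Q", mem, victim + FLINK_OFF)
    struct.pack_into("<Q", mem, victim - STRUCT_SIZE + FLINK_OFF, victim_next)

def read_proc(mem, addr):
    """Decode one struct into (pid, name) using the profile offsets."""
    (pid,) = struct.unpack_from("<Q", mem, addr + PID_OFF)
    raw = struct.unpack_from(f"{NAME_LEN}s", mem, addr + NAME_OFF)[0]
    return pid, raw.rstrip(b"\0").decode()

def walk_process_list(mem, head, max_entries=1024):
    """Interpretation by pointer-chasing from the list head, bounded and
    loop-checked so a corrupted list cannot hang the analyzer."""
    seen, out, addr = set(), [], head
    while addr not in seen and len(out) < max_entries:
        if addr + STRUCT_SIZE > len(mem):
            raise ValueError(f"pointer 0x{addr:x} leaves guest memory")
        seen.add(addr)
        out.append(read_proc(mem, addr))
        (addr,) = struct.unpack_from("<Q", mem, addr + FLINK_OFF)
    return out

def scan_process_structs(mem, base):
    """Cross-view check from outside the VM: read structs by stride, trusting no
    pointer the guest (or a rootkit in it) controls."""
    return [read_proc(mem, a) for a in range(base, len(mem), STRUCT_SIZE)]

def hidden_processes(mem, base):
    """Entries the scan sees but the walk does not: what the rootkit is hiding."""
    return sorted(set(scan_process_structs(mem, base)) - set(walk_process_list(mem, base)))
```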
8. Rant about Dynamic Analysis
It's not a good augmentation to your firewall!
● It's already too late by the time it finishes
It's not a good replacement for humans!
● "Threat level: over 9000!!!"
It can help AntiVirus vendors, but that doesn't really help anyone...
Focusing too much on a particular sample is a bad approach!
9. What you should use it for
● Identify attack surface
● Identify attacker infrastructure
● Create behavioral signature
  – Very noisy and very verbose
  – It's still better than dumbed down and sparse
  – Yet to see how that is usable
10. Conclusion
● DRAKVUF supports large-scale, automated malware collection/analysis
● Malware authors will likely adapt by switching from sandbox detection to stall tactics
● Dynamic analysis yet to find its right place
● Stay tuned: TOTEM
Thanks!