Speaker: Andrea Lanzi (Institute Eurecom, FR)
Andrea Lanzi is a Senior Researcher at Eurecom Graduate School and Research Center, located in Sophia Antipolis on the French Riviera. He is interested in several aspects of computer security. In particular, his main areas of research are Host Intrusion Detection Systems (HIDS), exploitation techniques for memory errors, reverse engineering, and virtualization techniques for detecting cyber attacks. He got his Ph.D. in 2008 from the University of Milan; during his Ph.D. he was employed for over two years as a visiting Ph.D. student at Georgia Tech (GA, USA), in the GTISC Lab led by Prof. Wenke Lee, where he mainly worked on malware analysis.
Title: Under the Hood: How Actaeon Unveils Your Hypervisor
Memory forensics is the branch of computer forensics that aims at extracting artifacts from memory snapshots taken from a running system. Even though it is a relatively recent field, it is growing rapidly and is attracting considerable attention from both industrial and academic researchers. In particular, the problem of searching for a hypervisor in memory is similar to that of automatically reconstructing information about an unknown operating system in memory.
In this talk, we present a set of techniques to extend the field of memory forensics toward the analysis of hypervisors and virtual machines. By exploiting the techniques presented in this talk, our tool can reconstruct the address space of a virtual machine in order to transparently support any existing Volatility plugin, allowing analysts to reuse their code for the analysis of virtual environments.
The main idea behind Actaeon (our tool) is that, even though the code, internals and position in memory of the hypervisor may be unknown, there is still one important piece of information that we can use to discover the presence of a hypervisor. In fact, in order to use the virtualization support provided by most modern hardware architectures, the processor requires a particular data structure, the Virtual Machine Control Structure (VMCS), to store the information about the execution of each virtual machine. By first finding these data structures and then analyzing their content, we can reconstruct a precise representation of what was running in the system under test.
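To illustrate the principle of locating VMCS-like structures in a memory snapshot, here is an added example that is not Actaeon's code: it scans a constructed image page by page for a known revision identifier, then filters candidates with a plausibility check. The field layout, offsets and revision value are assumptions chosen for illustration; the real layout is CPU-specific and must be discovered for the processor that produced the snapshot.

```python
import struct

PAGE = 4096
REVISION_ID = 0x00000001   # assumed value for this constructed image; real ids are CPU-specific
HOST_CR3_OFF = 0x20        # assumed offset of a host page-table pointer field (illustrative only)


def find_vmcs_candidates(image: bytes, revision_id: int = REVISION_ID):
    """Return offsets of pages that look like a VMCS under the assumed layout:
    dword 0 equals the revision id, dword 1 (abort indicator) is zero, and the
    assumed host CR3 field holds a page-aligned physical address inside the image.
    A bare revision-id match is not enough: random data or stale pages can carry
    the same value, so each hit must pass a consistency check on its fields."""
    hits = []
    for off in range(0, len(image) - PAGE + 1, PAGE):
        rev, abort = struct.unpack_from("<II", image, off)
        if rev != revision_id or abort != 0:
            continue
        (cr3,) = struct.unpack_from("<Q", image, off + HOST_CR3_OFF)
        if cr3 % PAGE != 0 or cr3 >= len(image):
            continue  # field does not point at a page in the image: reject candidate
        hits.append(off)
    return hits


def build_image() -> bytes:
    """Constructed 8-page sample image: page 2 holds a plausible VMCS whose host
    CR3 points at page 6; page 5 carries the revision id but a bogus CR3 value,
    so it must be filtered out as a false positive."""
    img = bytearray(8 * PAGE)
    struct.pack_into("<II", img, 2 * PAGE, REVISION_ID, 0)
    struct.pack_into("<Q", img, 2 * PAGE + HOST_CR3_OFF, 6 * PAGE)
    struct.pack_into("<II", img, 5 * PAGE, REVISION_ID, 0)
    struct.pack_into("<Q", img, 5 * PAGE + HOST_CR3_OFF, 0xDEADBEEF)
    return bytes(img)


if __name__ == "__main__":
    for off in find_vmcs_candidates(build_image()):
        print(f"VMCS candidate at physical offset {off:#x} (page {off // PAGE})")
```

On a real snapshot the same loop would run over the full physical image with the layout learned for the target CPU, and surviving candidates are then parsed to recover the guest's execution state.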