Dynamic and Transparent Analysis of Commodity Production Systems

TL;DR

This paper introduces a transparent, virtualization-based framework for dynamic analysis of production systems, enabling safe, isolated, and non-intrusive kernel debugging and analysis without modifying the system internals.

Contribution

The framework leverages commodity hardware virtualization to perform transparent, isolated system analysis, including a novel interactive kernel debugger called HyperDbg.

Findings

Framework provides complete transparency and isolation.

HyperDbg enables debugging of kernel components and exception handlers.

System remains unaffected by analysis tools.

Abstract

We propose a framework that provides a programming interface to perform complex dynamic system-level analyses of deployed production systems. By leveraging hardware support for virtualization available nowadays on all commodity machines, our framework is completely transparent to the system under analysis and it guarantees isolation of the analysis tools running on its top. Thus, the internals of the kernel of the running system needs not to be modified and the whole platform runs unaware of the framework. Moreover, errors in the analysis tools do not affect the running system and the framework. This is accomplished by installing a minimalistic virtual machine monitor and migrating the system, as it runs, into a virtual machine. In order to demonstrate the potentials of our framework we developed an interactive kernel debugger, nicknamed HyperDbg. HyperDbg can be used to debug any critical kernel component, and even to single step the execution of exception and interrupt handlers.