Below you will find pages that utilize the taxonomy term “Progress”
Post
TinyVMI: Porting LibVMI to Mini-OS on Xen Project Hypervisor
This post introduces the project I worked on with Honeynet Project at Google Summer of Code this year. The project of TinyVMI is to port a library (LibVMI) into a tiny operating system (Mini-OS). After porting, LibVMI will have all its functionalities running inside a tiny virtual machine, which has a much smaller size as well as higher performance compared to the same library running on a Linux OS.
Post
Milestone 02: Enabling Rekall profile, OS support, Xen events support in TinyVMI
1. Milestone Goal: “Port input module and os support, event support, architecture support, and all examples of LibVMI into MiniOS” The goal of the second milestone is described in sections 3.1.2 ~ 3.1.6 of the proposal to GSoC 2018. In brief, it includes a) reading configurations of target VM (libvmi.conf); b) parsing JSON files containing target VM; c) supporting introspection of both Linux and Windows virtual machines; d) architecture support for both x86 and ARM; e) testing all examples of LibVMI in TinyVMI.
Post
Milestone 01: Main Framework of LibVMI in MiniOS
1. Milestone Goal: “Port the skeleton of LibVMI and system library dependencies” The goal of the first milestone is described as follows in the proposal to GSoC 2018:
Since the previous work of TinyVMI already proved the feasibility of porting LibVMI into MiniOS, we can take further steps to port as many modules as possible into MiniOS. We should a) try to keep the original LibVMI file/folder structure unless we have to change it to adopt the MiniOS features.
Post
GQueue Ported to TinyVMI
Port GQueue to TinyVMI. Ongoing. LibVMI uses multiple caches to temporarily store the fetched information (or reconstructed information) from the target virtual machine. This week a cache called memory_cache_lru is re-implemented to stay consistent with the original LibVMI code.
memory_cache_lru is conceptually similar to the TLB in an operating system: it stores the virtual address to physical address mapping in least recently used (LRU) order. LibVMI uses GQueue in GLib to manage the memory cache LRU list, and TinyVMI previously used a hand-crafted doubly linked list to store the LRU list.
Post
First Week: A primary test with TinyVMI and build up website
The problem being addressed: The previous TinyVMI project[1] was a minimal portion of LibVMI with the capability of reading a target VM’s memory pages when a kernel virtual address was given. Now we need to extend TinyVMI with events support and other capabilities of LibVMI, such as support for both 32 & 64 bit systems, both Windows & Linux OS, etc. Additionally, during the development, documentation needs to be carefully written and progress will be reported in a public blog site.