Lecture 3: Shared Workspace Awareness Dr. Xiangyu WANG 11 th August 2008.
SPIDER: Stealthy Binary Program Instrumentation and Debugging via Hardware Virtualization Zhui Deng,...
-
Upload
charles-parsons -
Category
Documents
-
view
212 -
download
0
Transcript of SPIDER: Stealthy Binary Program Instrumentation and Debugging via Hardware Virtualization Zhui Deng,...
SPIDER: Stealthy Binary Program Instrumentation and Debugging via Hardware Virtualization
Zhui Deng, Xiangyu Zhang, and Dongyan XuDepartment of Computer Science and CERIAS, Purdue University
29th ACSAC(December, 2013)
A Se
min
ar a
t Adv
ance
d D
efen
se L
ab
Outline• Introduction• Overview• Design• Implementation• Evaluation
2013
/10/
8
2
A Se
min
ar a
t Adv
ance
d D
efen
se L
ab
Introduction• The ability to trap the execution of a binary program at desired
instructions is essential in many security scenarios.• malware analysis• attack provenance
• However, existing approaches are insufficient to support transparent, efficient, and flexible instruction-level trapping.
2013
/10/
8
3
A Se
min
ar a
t Adv
ance
d D
efen
se L
ab
Related Work• In-Guest Approaches• Software Breakpoint (int 3), Hardware Breakpoint (DR0 ~ DR3)• Page-level mechanism• Dynamic Binary Instrumentation (DBI)
• Emulation Based Approaches
• Hardware Virtualization Based Approaches
• Hybrid Approaches
2013
/10/
8
4
A Se
min
ar a
t Adv
ance
d D
efen
se L
ab
Overview• Our Goal• Flexibility• Efficiency• Transparency• Reliability
2013
/10/
8
5
A Se
min
ar a
t Adv
ance
d D
efen
se L
ab
Background about Memory Virtualization• Old Memory Virtualization
2013
/10/
8
6
A Se
min
ar a
t Adv
ance
d D
efen
se L
ab
Intel Extended Page Table (EPT)
2013
/10/
8
7
A Se
min
ar a
t Adv
ance
d D
efen
se L
ab
Another Figure for EPT
2013
/10/
8
8
A Se
min
ar a
t Adv
ance
d D
efen
se L
ab
Overview (cont.)
2013
/10/
8
9
A Se
min
ar a
t Adv
ance
d D
efen
se L
ab
Design – Splitting Code and Data View
• Splitting Code and Data View• Spider splits the code and the data views of a guest physical page
by mapping it to two host physical pages with mutually exclusive attributes.• Code view: executable, not readable, no writable.• Data view: not executable, readable, no writable.
• Given a split page, although the corresponding EPT entry could only map one of its views at any given time, the mappings of the two views can exist simultaneously in the iTLB (instruction TLB) and dTLB (data TLB), respectively.
2013
/10/
8
10
A Se
min
ar a
t Adv
ance
d D
efen
se L
ab
Split View
2013
/10/
8
11
Physical Page 2(Read-Only)
push ebp mov ebp, esp sub esp, 16
Physical Page 1(Execute-Only)
int 3mov ebp, esp sub esp, 16
iTLB
dTLB
Guest Page Table
Extended Page Table
EPT Violation
Execute
Read
A Se
min
ar a
t Adv
ance
d D
efen
se L
ab
Design - Handling Breakpoints• Spider sets the hypervisor to intercept all #BP exceptions
generated by the guest.
• For single-stepping, Spider uses the monitor trap flag (MTF) which is a flag specifically designed for single-stepping in hardware virtualization.• the guest will trigger a VM Exit after executing each instruction.
2013
/10/
8
12
A Se
min
ar a
t Adv
ance
d D
efen
se L
ab
Design - Monitoring Virtual-to-Physical Mapping
2013
/10/
8
13
A Se
min
ar a
t Adv
ance
d D
efen
se L
ab
Design - Handling Code Modification
• When the guest tries to write to the page, an EPT violation will be triggered and captured.
2013
/10/
8
14
A Se
min
ar a
t Adv
ance
d D
efen
se L
ab
Design - Data Watchpoint• Spider allows setting a data watchpoint at a specific physical
address. • adjusting the EPT entry of the guest physical page that contains
the memory address to read-only (to trap write access) or execute-only (to trap both read/write access)
2013
/10/
8
15
A Se
min
ar a
t Adv
ance
d D
efen
se L
ab
Design - Handling Timing Side-Effect
• To maintain transparency, Spider needs to hide the CPU cycles cost by hypervisor (Th) and VMEntry/VMExit (Te) from the guest.
• Spider sets the TSC-offset field in virtual machine control structure (VMCS) to −(Th + Te) so the value is subtracted from the TSC seen by the guest.
2013
/10/
8
16
A Se
min
ar a
t Adv
ance
d D
efen
se L
ab
Implementation• We have implemented a prototype of Spider on the KVM 3.5
hypervisor.
• Kernel Breakpoints• We could specify the address space of any process as the kernel
space is mapped in the same way for any process.• (init in Linux and System in Windows)
• Monitor Process Creation• In Windows, we set a breakpoint at the instruction right after the
call to PspCreateProcess.• In Linux, We set a breakpoint at the instruction right after the call
to copy_process.
2013
/10/
8
17
A Se
min
ar a
t Adv
ance
d D
efen
se L
ab
Implementation (cont.)• Monitor Process Termination• In Windows, we set the breakpoint at the entry of the function PspProcessDelete.
• In Linux, we set the breakpoint at the entry of the function do_exit.
2013
/10/
8
18
A Se
min
ar a
t Adv
ance
d D
efen
se L
ab
Evaluation• Environment• Hardware: Thinkpad T510 laptop with Intel Core i7-3720QM
2.6GHz CPU and 8GB RAM. • Host OS: Ubuntu Linux 12.10 64-bit• Guest OS (30GB virtual hard disk and 1GB memory):
• Windows XP SP2 32-bit• Ubuntu Linux 12.04 32-bit
2013
/10/
8
19
A Se
min
ar a
t Adv
ance
d D
efen
se L
ab
Transparency
2013
/10/
8
20• “Fail”means the program fails to run properly in the environment even
without any trap.• “Fail HBP” and “Fail SBP”means the program fails to run properly after setting
hardware breakpoint or software breakpoint.
A Se
min
ar a
t Adv
ance
d D
efen
se L
ab
Case Study I: Spider + BEEP
2013
/10/
8
21
A Se
min
ar a
t Adv
ance
d D
efen
se L
ab
Performance Overhead
2013
/10/
8
22
A Se
min
ar a
t Adv
ance
d D
efen
se L
ab
Q & A
2013
/10/
8
23