240 likes | 530 Views
29 th ACSAC (December, 2013). SPIDER: Stealthy Binary Program Instrumentation and Debugging via Hardware Virtualization. Zhui Deng, Xiangyu Zhang, and Dongyan Xu Department of Computer Science and CERIAS, Purdue University. Outline. Introduction Overview Design Implementation
E N D
29th ACSAC(December, 2013) SPIDER: Stealthy Binary Program Instrumentation and Debugging via Hardware Virtualization Zhui Deng, Xiangyu Zhang, and DongyanXu Department of Computer Science and CERIAS, Purdue University
Outline • Introduction • Overview • Design • Implementation • Evaluation A Seminar at Advanced Defense Lab
Introduction • The ability to trap the execution of a binary program at desired instructions is essential in many security scenarios. • malware analysis • attack provenance • However, existing approaches are insufficient to support transparent, efficient, and flexible instruction-level trapping. A Seminar at Advanced Defense Lab
Related Work • In-Guest Approaches • Software Breakpoint (int 3), Hardware Breakpoint (DR0 ~ DR3) • Page-level mechanism • Dynamic Binary Instrumentation (DBI) • Emulation Based Approaches • Hardware Virtualization Based Approaches • Hybrid Approaches A Seminar at Advanced Defense Lab
Overview • Our Goal • Flexibility • Efficiency • Transparency • Reliability A Seminar at Advanced Defense Lab
Background about Memory Virtualization • Old Memory Virtualization A Seminar at Advanced Defense Lab
Intel Extended Page Table (EPT) A Seminar at Advanced Defense Lab
Another Figure for EPT A Seminar at Advanced Defense Lab
Overview (cont.) A Seminar at Advanced Defense Lab
Design – Splitting Code and Data View • Splitting Code and Data View • Spider splits the code and the data views of a guest physical page by mapping it to two host physical pages with mutually exclusive attributes. • Code view: executable, not readable, no writable. • Data view: not executable, readable, no writable. • Given a split page, although the corresponding EPT entry could only map one of its views at any given time, the mappings of the two views can exist simultaneously in the iTLB (instruction TLB) and dTLB (data TLB), respectively. A Seminar at Advanced Defense Lab
Split View EPT Violation Physical Page 1 (Execute-Only) int 3 movebp, esp sub esp, 16 Execute iTLB Guest Page Table Extended Page Table A Seminar at Advanced Defense Lab Physical Page 2 (Read-Only) push ebp movebp, esp sub esp, 16 dTLB Read
Design - Handling Breakpoints • Spider sets the hypervisor to intercept all #BP exceptions generated by the guest. • For single-stepping, Spider uses the monitor trap flag (MTF) which is a flag specifically designed for single-stepping in hardware virtualization. • the guest will trigger a VM Exit after executing each instruction. A Seminar at Advanced Defense Lab
Design - Monitoring Virtual-to-Physical Mapping A Seminar at Advanced Defense Lab
Design - Handling Code Modification • When the guest tries to write to the page, an EPT violation will be triggered and captured. A Seminar at Advanced Defense Lab
Design - Data Watchpoint • Spider allows setting a data watchpoint at a specific physicaladdress. • adjusting the EPT entry of the guest physical page that contains the memory address to read-only (to trap write access) or execute-only (to trap both read/write access) A Seminar at Advanced Defense Lab
Design - Handling Timing Side-Effect • To maintain transparency, Spider needs to hide the CPU cycles cost by hypervisor (Th) and VMEntry/VMExit (Te) from the guest. • Spider sets the TSC-offset field in virtual machine control structure (VMCS) to −(Th+ Te) so the value is subtracted from the TSC seen by the guest. A Seminar at Advanced Defense Lab
Implementation • We have implemented a prototype of Spider on the KVM 3.5 hypervisor. • Kernel Breakpoints • We could specify the address space of any process as the kernel space is mapped in the same way for any process. • (init in Linux and System in Windows) • Monitor Process Creation • In Windows, we set a breakpoint at the instruction right after the call to PspCreateProcess. • In Linux, We set a breakpoint at the instruction right after the call to copy_process. A Seminar at Advanced Defense Lab
Implementation (cont.) • Monitor Process Termination • In Windows, we set the breakpoint at the entry of the function PspProcessDelete. • In Linux, we set the breakpoint at the entry of the function do_exit. A Seminar at Advanced Defense Lab
Evaluation • Environment • Hardware: Thinkpad T510 laptop with Intel Core i7-3720QM 2.6GHz CPU and 8GB RAM. • Host OS: Ubuntu Linux 12.10 64-bit • Guest OS (30GB virtual hard disk and 1GB memory): • Windows XP SP2 32-bit • Ubuntu Linux 12.04 32-bit A Seminar at Advanced Defense Lab
Transparency A Seminar at Advanced Defense Lab • “Fail”means the program fails to run properly in the environment even without any trap. • “Fail HBP” and “Fail SBP”means the program fails to run properly after setting hardware breakpoint or software breakpoint.
Case Study I: Spider + BEEP A Seminar at Advanced Defense Lab
Performance Overhead A Seminar at Advanced Defense Lab
Q & A A Seminar at Advanced Defense Lab