
Xen and the Art of Binary Modification

Lies, Damn Lies, and Page Frame Addresses. Greg Cooksey and Nate Rosenblum, March 2007.

Motivation: paranoid programs. Programs can be designed to be tamper resistant, through obfuscation of control flow and run-time decryption of executable code.





Presentation Transcript


  1. Xen and the Art of Binary Modification
     Lies, Damn Lies, and Page Frame Addresses
     Greg Cooksey and Nate Rosenblum, March 2007

  2. Motivation: Paranoid Programs
     • Programs can be designed to be tamper resistant
       • Obfuscation of control flow
       • Run-time decryption of executable code
       • Detection of static or dynamic modification
     • Goal: Subvert tamper prevention mechanisms
       • Enables reverse engineering (“what does this virus do?”)
       • Allows binary modification (“now this virus does something else”)

  3. Self-checksumming Code
     • Value of some computation depends on the bytes of the program text
     • Allows detection of modifications (e.g. instrumentation, binary rewriting)
     • Makes implicit assumption of von Neumann (single store) memory architecture
     • Multiple overlapping checksums help prevent tampering
     [Figure: von Neumann architecture; the tamper-resistant process's instruction fetches and data reads both go to the same memory]

  4. Attacking Self-checksumming Code
     • Violating von Neumann assumption defeats protection
     • Emulation
       • Allows detection and redirection of data reads
       • But… is slow, expensive
     • Malicious Operating System
       • Introduced in Wurster (2004)
       • Utilizes virtual memory hardware
       • But… requires modified OS
     [Figure: Harvard architecture; the tamper-resistant process's instruction fetches and data reads go to separate memories]

  5. Malicious Virtualization
     • Hypothesis: The Virtual Machine Monitor is a superior malicious agent
     • VMM is responsible for managing virtual memory
       • Able to modify virtual memory without operating system assistance
     • Allows attacks on commodity operating systems (e.g. Microsoft Windows)
     • Virtualization is significantly less expensive than emulation
     • Xen: Linux-based open source VMM

  6. Overview of Approach
     • Modern architectures are Harvard architectures
       • E.g. x86: separate instruction/data translation lookaside buffers (TLBs)
     • VMM can get notification of page accesses
     • Instruction TLB points to modified code page
     • On data read access, edit data TLB to point to unmodified page
     [Figure: 32-bit linear address split into [directory] [table] [offset]; an instruction fetch is translated through the ITLB, a data access through the DTLB, both reaching memory. Normally these addresses are the same!]
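A toy model of the split described on this slide, added here and not part of the original presentation (it touches neither Xen nor real TLBs): it shows why a checksum computed through data reads cannot vouch for the bytes the instruction path executes, and the per-page invariant (both translations agree, checked by `views_consistent`, a name assumed here) that a trusted hypervisor must preserve for self-checksumming to be meaningful. The page size and page contents are constructed.

```python
PAGE = 16  # bytes per page; tiny, constructed for illustration

class SplitMemory:
    """Page-granular memory with separate instruction and data translations."""
    def __init__(self, frames):
        self.frames = frames   # frame number -> bytearray of PAGE bytes
        self.itlb = {}         # linear page -> frame used for instruction fetch
        self.dtlb = {}         # linear page -> frame used for data reads

    def map_page(self, lpage, frame):
        # Normal (von Neumann) case: both translations point at the same frame.
        self.itlb[lpage] = frame
        self.dtlb[lpage] = frame

    def fetch(self, addr):            # byte the CPU would execute
        lpage, off = divmod(addr, PAGE)
        return self.frames[self.itlb[lpage]][off]

    def read(self, addr):             # byte a load instruction would see
        lpage, off = divmod(addr, PAGE)
        return self.frames[self.dtlb[lpage]][off]

def checksum(mem, start, length):
    """Self-checksumming verifier: hashes the program text through data reads."""
    h = 0
    for a in range(start, start + length):
        h = (h * 31 + mem.read(a)) & 0xFFFFFFFF
    return h

def views_consistent(mem):
    """Invariant a trusted hypervisor would enforce: both TLBs agree per page."""
    return all(mem.itlb[p] == mem.dtlb[p] for p in mem.itlb)

def scenario(split_tlbs):
    text = bytes(range(0x40, 0x40 + PAGE))          # constructed "original code" page
    mem = SplitMemory({0: bytearray(text), 1: bytearray(text)})
    mem.map_page(0, 0)
    expected = checksum(mem, 0, PAGE)               # reference value over pristine text
    mem.frames[1][3] = 0xCC                         # frame 1 holds a modified copy
    if split_tlbs:
        mem.itlb[0] = 1     # fetches see the modified copy; data reads still see frame 0
    else:
        mem.map_page(0, 1)  # single store: both paths see the modified copy
    return {
        "checksum_ok": checksum(mem, 0, PAGE) == expected,
        "executes_modified": mem.fetch(3) == 0xCC,
        "views_consistent": views_consistent(mem),
    }

if __name__ == "__main__":
    print("von Neumann:", scenario(False))
    print("split TLBs: ", scenario(True))
```

In the single-store case the modification is caught by the checksum; with the translations split, the checksum passes even though the fetched bytes differ, and only the consistency invariant still reveals the divergence.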

  7. System Architecture
     [Figure: the victim process in the target OS, with unmodified code and modified code pages; the Igor process attaches via Dyninst and uses a comm channel to pass page correspondences to the hypervisor]

  8. Current Status
     • Running modified Xen and XenLinux installations
     • Tracking of page faults in target program address space
       • Currently implemented with device driver that makes hypercalls to Xen
     • Remaining tasks:
       • TLB entry installation
       • Igor process
       • Communication channel from Igor to Xen hypervisor
       • Performance measurements
