Presentation is loading. Please wait.

Presentation is loading. Please wait.

29th ACSAC (December, 2013) SPIDER: Stealthy Binary Program Instrumentation and Debugging via Hardware Virtualization Zhui Deng, Xiangyu Zhang, and Dongyan.

Published byCharles Parsons Modified over 8 years ago

Similar presentations

Presentation on theme: "29th ACSAC (December, 2013) SPIDER: Stealthy Binary Program Instrumentation and Debugging via Hardware Virtualization Zhui Deng, Xiangyu Zhang, and Dongyan."— Presentation transcript:

1 29th ACSAC (December, 2013) SPIDER: Stealthy Binary Program Instrumentation and Debugging via Hardware Virtualization Zhui Deng, Xiangyu Zhang, and Dongyan Xu Department of Computer Science and CERIAS, Purdue University

2 Outline Introduction Overview Design Implementation Evaluation
2013/10/8 A Seminar at Advanced Defense Lab

3 Introduction The ability to trap the execution of a binary program at desired instructions is essential in many security scenarios. malware analysis attack provenance However, existing approaches are insufficient to support transparent, efficient, and flexible instruction-level trapping. 2013/10/8 A Seminar at Advanced Defense Lab

4 Related Work In-Guest Approaches Emulation Based Approaches
Software Breakpoint (int 3), Hardware Breakpoint (DR0 ~ DR3) Page-level mechanism Dynamic Binary Instrumentation (DBI) Emulation Based Approaches Hardware Virtualization Based Approaches Hybrid Approaches 2013/10/8 A Seminar at Advanced Defense Lab

5 Overview Our Goal Flexibility Efficiency Transparency Reliability
2013/10/8 A Seminar at Advanced Defense Lab

6 Background about Memory Virtualization
Old Memory Virtualization 2013/10/8 A Seminar at Advanced Defense Lab

7 Intel Extended Page Table (EPT)
2013/10/8 A Seminar at Advanced Defense Lab

8 Another Figure for EPT 2013/10/8 A Seminar at Advanced Defense Lab

9 Overview (cont.) 2013/10/8 A Seminar at Advanced Defense Lab

10 Design – Splitting Code and Data View
Spider splits the code and the data views of a guest physical page by mapping it to two host physical pages with mutually exclusive attributes. Code view: executable, not readable, no writable. Data view: not executable, readable, no writable. Given a split page, although the corresponding EPT entry could only map one of its views at any given time, the mappings of the two views can exist simultaneously in the iTLB (instruction TLB) and dTLB (data TLB), respectively. 2013/10/8 A Seminar at Advanced Defense Lab

11 Split View EPT Violation Physical Page 1 (Execute-Only) int 3
2013/10/8 Physical Page 1 (Execute-Only) int 3 mov ebp, esp sub esp, 16 Execute iTLB Guest Page Table Extended Page Table A Seminar at Advanced Defense Lab Physical Page 2 (Read-Only) push ebp mov ebp, esp sub esp, 16 dTLB Read

12 Design - Handling Breakpoints
Spider sets the hypervisor to intercept all #BP exceptions generated by the guest. For single-stepping, Spider uses the monitor trap flag (MTF) which is a flag specifically designed for single-stepping in hardware virtualization. the guest will trigger a VM Exit after executing each instruction. 2013/10/8 A Seminar at Advanced Defense Lab

13 Design - Monitoring Virtual-to-Physical Mapping
2013/10/8 A Seminar at Advanced Defense Lab

14 Design - Handling Code Modification
When the guest tries to write to the page, an EPT violation will be triggered and captured. 2013/10/8 A Seminar at Advanced Defense Lab

15 Design - Data Watchpoint
Spider allows setting a data watchpoint at a specific physical address. adjusting the EPT entry of the guest physical page that contains the memory address to read-only (to trap write access) or execute-only (to trap both read/write access) 2013/10/8 A Seminar at Advanced Defense Lab

16 Design - Handling Timing Side-Effect
To maintain transparency, Spider needs to hide the CPU cycles cost by hypervisor (Th) and VMEntry/VMExit (Te) from the guest. Spider sets the TSC-offset field in virtual machine control structure (VMCS) to −(Th + Te) so the value is subtracted from the TSC seen by the guest. 2013/10/8 A Seminar at Advanced Defense Lab

17 Implementation We have implemented a prototype of Spider on the KVM 3.5 hypervisor. Kernel Breakpoints We could specify the address space of any process as the kernel space is mapped in the same way for any process. (init in Linux and System in Windows) Monitor Process Creation In Windows, we set a breakpoint at the instruction right after the call to PspCreateProcess. In Linux, We set a breakpoint at the instruction right after the call to copy_process. 2013/10/8 A Seminar at Advanced Defense Lab

18 Implementation (cont.)
Monitor Process Termination In Windows, we set the breakpoint at the entry of the function PspProcessDelete. In Linux, we set the breakpoint at the entry of the function do_exit. 2013/10/8 A Seminar at Advanced Defense Lab

19 Evaluation Environment
Hardware: Thinkpad T510 laptop with Intel Core i7-3720QM 2.6GHz CPU and 8GB RAM. Host OS: Ubuntu Linux bit Guest OS (30GB virtual hard disk and 1GB memory): Windows XP SP2 32-bit Ubuntu Linux bit 2013/10/8 A Seminar at Advanced Defense Lab

20 Transparency 2013/10/8 A Seminar at Advanced Defense Lab “Fail”means the program fails to run properly in the environment even without any trap. “Fail HBP” and “Fail SBP”means the program fails to run properly after setting hardware breakpoint or software breakpoint.

21 Case Study I: Spider + BEEP
2013/10/8 A Seminar at Advanced Defense Lab

22 Performance Overhead 2013/10/8 A Seminar at Advanced Defense Lab

23 2013/10/8 Q & A A Seminar at Advanced Defense Lab

Download ppt "29th ACSAC (December, 2013) SPIDER: Stealthy Binary Program Instrumentation and Debugging via Hardware Virtualization Zhui Deng, Xiangyu Zhang, and Dongyan."

Similar presentations

Live migration of Virtual Machines Nour Stefan, SCPD.

Live migration of Virtual Machines Nour Stefan, SCPD.
An Overview Of Virtual Machine Architectures Ross Rosemark.

An Overview Of Virtual Machine Architectures Ross Rosemark.
Hardware-assisted Virtualization

Hardware-assisted Virtualization
虛擬化技術 Virtualization Technique

虛擬化技術 Virtualization Technique
Virtualization Technology

Virtualization Technology
EUROSEC 2011 Gábor Pék, Boldizsár Bencsáth and Levente Buttyán Laboratory of Cryptography and Systems Security Budapest University of Technology and Economics.

EUROSEC 2011 Gábor Pék, Boldizsár Bencsáth and Levente Buttyán Laboratory of Cryptography and Systems Security Budapest University of Technology and Economics.
Programming Technologies, MIPT, April 7th, 2012 Introduction to Binary Translation Technology Roman Sokolov SMWare

Programming Technologies, MIPT, April 7th, 2012 Introduction to Binary Translation Technology Roman Sokolov SMWare
Virtualisation From the Bottom Up From storage to application.

Virtualisation From the Bottom Up From storage to application.
Secure In-VM Monitoring Using Hardware Virtualization Monirul Sharif, Wenke Lee, Weidong Cui, and Andrea Lanzi Presented by Tyler Bletsch.

Secure In-VM Monitoring Using Hardware Virtualization Monirul Sharif, Wenke Lee, Weidong Cui, and Andrea Lanzi Presented by Tyler Bletsch.
Ensuring Operating System Kernel Integrity with OSck By Owen S. Hofmann Alan M. Dunn Sangman Kim Indrajit Roy Emmett Witchel Kent State University College.

Ensuring Operating System Kernel Integrity with OSck By Owen S. Hofmann Alan M. Dunn Sangman Kim Indrajit Roy Emmett Witchel Kent State University College.
E Virtual Machines Lecture 3 Memory Virtualization

E Virtual Machines Lecture 3 Memory Virtualization
Operating System Structure. Announcements Make sure you are registered for CS 415 First CS 415 project is up –Initial design documents due next Friday,

Operating System Structure. Announcements Make sure you are registered for CS 415 First CS 415 project is up –Initial design documents due next Friday,
Disco Running Commodity Operating Systems on Scalable Multiprocessors.

Disco Running Commodity Operating Systems on Scalable Multiprocessors.
1 Disco: Running Commodity Operating Systems on Scalable Multiprocessors Edouard Bugnion, Scott Devine, and Mendel Rosenblum, Stanford University, 1997.

1 Disco: Running Commodity Operating Systems on Scalable Multiprocessors Edouard Bugnion, Scott Devine, and Mendel Rosenblum, Stanford University, 1997.
@ NCSU Zhi NCSU Xuxian Microsoft Research Weidong Microsoft NCSU Peng NCSU ACM CCS’09.

@ NCSU Zhi NCSU Xuxian Microsoft Research Weidong Microsoft NCSU Peng NCSU ACM CCS’09.
November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #29-1 Chapter 33: Virtual Machines Virtual Machine Structure Virtual Machine.

November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #29-1 Chapter 33: Virtual Machines Virtual Machine Structure Virtual Machine.
Virtualization for Cloud Computing

Virtualization for Cloud Computing
虛擬化技術 Virtualization and Virtual Machines

虛擬化技術 Virtualization and Virtual Machines
Virtualization A way To Begin with Virtual Reality… - Rahul Khanwani.

Virtualization A way To Begin with Virtual Reality… - Rahul Khanwani.
CSE598C Virtual Machines and Their Applications Operating System Support for Virtual Machines Coauthored by Samuel T. King, George W. Dunlap and Peter.

CSE598C Virtual Machines and Their Applications Operating System Support for Virtual Machines Coauthored by Samuel T. King, George W. Dunlap and Peter.

Similar presentations

Ads by Google