29th ACSAC (December, 2013) SPIDER: Stealthy Binary Program Instrumentation and Debugging via Hardware Virtualization. Zhui Deng, Xiangyu Zhang, and Dongyan Xu.

Presentation transcript:

29th ACSAC (December, 2013)
SPIDER: Stealthy Binary Program Instrumentation and Debugging via Hardware Virtualization
Zhui Deng, Xiangyu Zhang, and Dongyan Xu
Department of Computer Science and CERIAS, Purdue University

2013/10/8, A Seminar at Advanced Defense Lab

Outline
- Introduction
- Overview
- Design
- Implementation
- Evaluation

Introduction
- The ability to trap the execution of a binary program at desired instructions is essential in many security scenarios: malware analysis, attack provenance.
- However, existing approaches are insufficient to support transparent, efficient, and flexible instruction-level trapping.

Related Work
- In-Guest Approaches: Software Breakpoint (int 3), Hardware Breakpoint (DR0 ~ DR3), Page-level mechanism, Dynamic Binary Instrumentation (DBI)
- Emulation Based Approaches
- Hardware Virtualization Based Approaches
- Hybrid Approaches

Overview
Our Goal: Flexibility, Efficiency, Transparency, Reliability

Background about Memory Virtualization
(Figure: Old Memory Virtualization)

Intel Extended Page Table (EPT)

Another Figure for EPT

Overview (cont.)

Design – Splitting Code and Data View
- Spider splits the code and the data views of a guest physical page by mapping it to two host physical pages with mutually exclusive attributes.
- Code view: executable, not readable, not writable.
- Data view: not executable, readable, not writable.
- Given a split page, although the corresponding EPT entry can map only one of its views at any given time, the mappings of the two views can exist simultaneously in the iTLB (instruction TLB) and dTLB (data TLB), respectively.

Split View (figure)
- Guest Page Table -> Extended Page Table; an EPT violation occurs when the access type does not match the currently mapped view.
- Execute (via iTLB) -> Physical Page 1 (Execute-Only): int 3; mov ebp, esp; sub esp, 16
- Read (via dTLB) -> Physical Page 2 (Read-Only): push ebp; mov ebp, esp; sub esp, 16

Design - Handling Breakpoints
- Spider sets the hypervisor to intercept all #BP exceptions generated by the guest.
- For single-stepping, Spider uses the monitor trap flag (MTF), a flag specifically designed for single-stepping in hardware virtualization: with MTF set, the guest triggers a VM exit after executing each instruction.
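As an added illustration (not code from the paper or the Spider prototype; the struct, function and constant names are mine), this C model of one split page shows why the guest can execute the planted int 3 from the execute-only view while reading the original bytes from the read-only view, and why only the first access through a view not currently mapped by the EPT entry costs a VM exit: the iTLB and dTLB keep both translations afterwards.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model (my names, not Spider's code) of one split guest page: two
 * host pages with mutually exclusive EPT permissions, plus an iTLB/dTLB that can
 * cache both views although the EPT entry maps only one at a time. */
#define PAGE 8
enum { EPT_R = 1, EPT_X = 4 };        /* neither view is ever writable */
enum access { FETCH, READ, WRITE };
struct split_page {
    uint8_t code[PAGE], data[PAGE]; /* execute-only view (int 3 planted) / read-only view */
    int ept_perm;                   /* which view the single EPT entry maps right now */
    const uint8_t *itlb, *dtlb;     /* cached translations, NULL on miss */
    int violations;                 /* EPT violations (VM exits) handled so far */
};

void split_init(struct split_page *p, const uint8_t *orig, int bp_off) {
    memcpy(p->code, orig, PAGE);
    memcpy(p->data, orig, PAGE);
    p->code[bp_off] = 0xCC;         /* int 3 exists only in the code view */
    p->ept_perm = EPT_X;
    p->itlb = p->dtlb = NULL;
    p->violations = 0;
}

/* Byte the guest observes at offset off, or -1 when the access is trapped. */
int split_access(struct split_page *p, enum access a, int off) {
    if (a == WRITE) {               /* writes always raise an EPT violation */
        p->violations++;
        return -1;
    }
    const uint8_t **tlb = (a == FETCH) ? &p->itlb : &p->dtlb;
    int need = (a == FETCH) ? EPT_X : EPT_R;
    if (*tlb == NULL) {             /* TLB miss: translate through the EPT */
        if (!(p->ept_perm & need)) {/* other view mapped: EPT violation */
            p->violations++;
            p->ept_perm = need;     /* hypervisor swaps the mapping */
        }
        *tlb = (need == EPT_X) ? p->code : p->data;   /* fill iTLB or dTLB */
    }
    return (*tlb)[off];             /* later hits need no EPT walk, no exit */
}
int main(void) {                    /* constructed bytes: push ebp; mov ebp,esp; sub esp,16 */
    static const uint8_t orig[PAGE] = {0x55, 0x89, 0xE5, 0x83, 0xEC, 0x10, 0x90, 0x90};
    struct split_page p; split_init(&p, orig, 0);
    int f0 = split_access(&p, FETCH, 0), r0 = split_access(&p, READ, 0), f1 = split_access(&p, FETCH, 1);
    printf("fetch@0=%02X read@0=%02X fetch@1=%02X exits=%d\n", f0, r0, f1, p.violations);
}
```

The fetch returns 0xCC (the breakpoint) while the read of the same byte returns 0x55 (the original push ebp), and the second fetch hits the iTLB with no further violation.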

Design - Monitoring Virtual-to-Physical Mapping

Design - Handling Code Modification
- When the guest tries to write to the page, an EPT violation is triggered and captured.

Design - Data Watchpoint
- Spider allows setting a data watchpoint at a specific physical address.
- This is done by adjusting the EPT entry of the guest physical page that contains the memory address to read-only (to trap write access) or execute-only (to trap both read and write access).

Design - Handling Timing Side-Effect
- To maintain transparency, Spider needs to hide the CPU cycles consumed by the hypervisor (Th) and by VMEntry/VMExit (Te) from the guest.
- Spider sets the TSC-offset field in the virtual machine control structure (VMCS) to −(Th + Te), so that amount is subtracted from the TSC value seen by the guest.

Implementation
- We have implemented a prototype of Spider on the KVM 3.5 hypervisor.
- Kernel Breakpoints: since the kernel space is mapped in the same way for every process, we can specify the address space of any process (init in Linux and System in Windows).
- Monitor Process Creation: in Windows, we set a breakpoint at the instruction right after the call to PspCreateProcess; in Linux, we set a breakpoint at the instruction right after the call to copy_process.

Implementation (cont.)
- Monitor Process Termination: in Windows, we set the breakpoint at the entry of the function PspProcessDelete; in Linux, we set the breakpoint at the entry of the function do_exit.

Evaluation Environment
- Hardware: Thinkpad T510 laptop with Intel Core i7-3720QM 2.6GHz CPU and 8GB RAM.
- Host OS: Ubuntu Linux 12.10 64-bit
- Guest OS (30GB virtual hard disk and 1GB memory): Windows XP SP2 32-bit; Ubuntu Linux 12.04 32-bit

Transparency
- “Fail” means the program fails to run properly in the environment even without any trap.
- “Fail HBP” and “Fail SBP” mean the program fails to run properly after setting a hardware breakpoint or a software breakpoint, respectively.

Case Study I: Spider + BEEP

Performance Overhead

Q & A