Slide 1: Xen and the Art of Binary Modification
Lies, Damn Lies, and Page Frame Addresses
Greg Cooksey and Nate Rosenblum, March 2007
Slide 2: Motivation: Paranoid Programs
- Programs can be designed to be tamper resistant
  - Obfuscation of control flow
  - Run-time decryption of executable code
  - Detection of static or dynamic modification
- Goal: subvert tamper prevention mechanisms
  - Enables reverse engineering ("what does this virus do?")
  - Allows binary modification ("now this virus does something else")
Slide 3: Self-checksumming Code
- Value of some computation depends on the bytes of the program text
- Allows detection of modifications (e.g. instrumentation, binary rewriting)
- Makes an implicit assumption of a von Neumann (single store) memory architecture
- Multiple overlapping checksums help prevent tampering
[Figure: von Neumann architecture. The tamper-resistant process's data reads and instruction fetches are served from the same memory.]
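The guard described on this slide, as an added example that is not code from the presentation or its authors: two guards each checksum the protected function's text plus the other guard's text, so the ranges overlap and patching either guard changes the other's value. The checksum is taken by reading the function's bytes through an ordinary data pointer, which is exactly the single-store assumption the slide names. Assumptions: x86/x86-64 Linux built with GCC, GUARD_LEN bytes past each function's start are still inside the mapped text segment, and the expected values are installed at start-up rather than written into the linked binary as a real scheme would do.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define GUARD_LEN 48  /* assumption: bytes of text covered per function */

/* FNV-1a: the "some computation" whose value depends on the program text. */
static uint32_t fnv1a(const unsigned char *p, size_t n)
{
    uint32_t h = 2166136261u;
    for (size_t i = 0; i < n; i++) {
        h ^= p[i];
        h *= 16777619u;
    }
    return h;
}

/* The code being protected; noinline so it has its own text bytes. */
static int __attribute__((noinline)) protected_add(int a, int b)
{
    return a + b;
}

/* View a function's text through a data-read pointer (the von Neumann assumption). */
static const unsigned char *text_of(uintptr_t addr)
{
    return (const unsigned char *)addr;
}

/* Expected values; a real scheme patches them into the binary after linking. */
static uint32_t expected_a, expected_b;

static int guard_b(void);

/* Guard A covers protected_add and the text of guard B. */
static int __attribute__((noinline)) guard_a(void)
{
    uint32_t h = fnv1a(text_of((uintptr_t)protected_add), GUARD_LEN);
    h ^= fnv1a(text_of((uintptr_t)guard_b), GUARD_LEN);
    return h == expected_a;
}

/* Guard B covers protected_add and the text of guard A, so the ranges overlap. */
static int __attribute__((noinline)) guard_b(void)
{
    uint32_t h = fnv1a(text_of((uintptr_t)protected_add), GUARD_LEN);
    h ^= fnv1a(text_of((uintptr_t)guard_a), GUARD_LEN);
    return h == expected_b;
}

/* Simplification (assumption): compute the expected values at start-up. */
void guards_install(void)
{
    expected_a = fnv1a(text_of((uintptr_t)protected_add), GUARD_LEN)
               ^ fnv1a(text_of((uintptr_t)guard_b), GUARD_LEN);
    expected_b = fnv1a(text_of((uintptr_t)protected_add), GUARD_LEN)
               ^ fnv1a(text_of((uintptr_t)guard_a), GUARD_LEN);
}

/* Run protected_add only when both guards are satisfied; -1 signals tampering. */
int guarded_add(int a, int b)
{
    if (!guard_a() || !guard_b())
        return -1;
    return protected_add(a, b);
}

/* What a binary rewriter would trigger: the same computation over a copy of
 * the text with one constructed one-byte change. Returns 1 if detected. */
int detects_patched_copy(void)
{
    unsigned char copy[GUARD_LEN];
    memcpy(copy, text_of((uintptr_t)protected_add), GUARD_LEN);
    uint32_t before = fnv1a(copy, GUARD_LEN);
    copy[0] ^= 0xff;
    return fnv1a(copy, GUARD_LEN) != before;
}

int main(void)
{
    guards_install();
    printf("guarded_add(2, 3) = %d, patched copy detected: %d\n",
           guarded_add(2, 3), detects_patched_copy());
    return 0;
}
```

The detection works only because the bytes the guards read are the bytes the CPU executes; the rest of the deck is about breaking exactly that equivalence, and the overlap between guards does nothing once every data read is redirected to clean text.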
Slide 4: Attacking Self-checksumming Code
- Violating the von Neumann assumption defeats the protection
- Emulation
  - Allows detection and redirection of data reads
  - But... is slow, expensive
- Malicious Operating System
  - Introduced in Wurster (2004)
  - Utilizes virtual memory hardware
  - But... requires a modified OS
[Figure: Harvard architecture. The tamper-resistant process's data reads and instruction fetches are served from separate memories.]
Slide 5: Malicious Virtualization
- Hypothesis: the Virtual Machine Monitor is a superior malicious agent
- VMM is responsible for managing virtual memory
  - Able to modify virtual memory without operating system assistance
  - Allows attacks on commodity operating systems (e.g. Microsoft Windows)
- Virtualization is significantly less expensive than emulation
- Xen: Linux-based open source VMM
Slide 6: Overview of Approach
- Modern architectures are Harvard architectures
  - E.g. x86: separate instruction/data translation lookaside buffers (TLBs)
- VMM can get notification of page accesses
- Instruction TLB points to the modified code page
- On data read access, edit the data TLB to point to the unmodified page
[Figure: a linear address ([directory][table][offset]) is translated through the ITLB on an instruction fetch and through the DTLB otherwise; normally both entries resolve to the same memory page.]
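A user-space model of the split-TLB condition this slide relies on, added here as an example and not code from the presentation or from Xen. Everything in it is constructed: a one-page toy bytecode program, a page_mapping that holds separate translations for instruction fetch and data read, a self-check that reads the text through the data path, and an interpreter that executes it through the fetch path. No real TLB is involved; the point is to show, with concrete values, that a checksum taken through data reads passes while modified code runs once the two views diverge.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PAGE_BYTES 16

/* Constructed bytecode: 0x01 n -> acc += n; 0x02 n -> acc -= n; 0x00 -> halt. */
static const unsigned char original_page[PAGE_BYTES] = {
    0x01, 5, 0x01, 7, 0x02, 2, 0x00,
    0, 0, 0, 0, 0, 0, 0, 0, 0
};

/* The two translations a CPU with split TLBs keeps for one linear page. */
typedef struct {
    const unsigned char *itlb;  /* page used for instruction fetch */
    const unsigned char *dtlb;  /* page used for data reads */
} page_mapping;

/* Rotate-and-add checksum over one page. */
static uint32_t page_checksum(const unsigned char *p)
{
    uint32_t h = 0;
    for (size_t i = 0; i < PAGE_BYTES; i++)
        h = ((h << 5) | (h >> 27)) + p[i];
    return h;
}

/* The protected program's self-check: a data read of its own text. */
static int self_check(const page_mapping *m, uint32_t expected)
{
    return page_checksum(m->dtlb) == expected;
}

/* Execute the page through the instruction-fetch translation. */
static int execute_page(const page_mapping *m)
{
    int acc = 0;
    size_t pc = 0;
    while (pc + 1 < PAGE_BYTES) {
        unsigned char op = m->itlb[pc];
        if (op == 0x00)
            break;
        unsigned char n = m->itlb[pc + 1];
        if (op == 0x01)
            acc += n;
        else if (op == 0x02)
            acc -= n;
        pc += 2;
    }
    return acc;
}

typedef struct {
    int check_passed;  /* did the self-check accept the text? */
    int result;        /* what the program actually computed */
} outcome;

/* patched: the program's first immediate (5) is rewritten to 50.
 * split:   data reads are redirected to the unmodified page, as slide 6 does
 *          with the DTLB; otherwise both paths see the same page (von Neumann). */
outcome scenario(int patched, int split)
{
    static unsigned char patched_page[PAGE_BYTES];
    memcpy(patched_page, original_page, PAGE_BYTES);
    patched_page[1] = 50;  /* constructed one-byte binary modification */

    uint32_t expected = page_checksum(original_page);  /* value fixed at build time */
    const unsigned char *executing = patched ? patched_page : original_page;
    page_mapping m = { executing, split ? original_page : executing };

    outcome o;
    o.check_passed = self_check(&m, expected);
    o.result = execute_page(&m);
    return o;
}

int main(void)
{
    const char *names[] = { "unmodified", "patched, single store", "patched, split views" };
    outcome runs[] = { scenario(0, 0), scenario(1, 0), scenario(1, 1) };
    for (int i = 0; i < 3; i++)
        printf("%-22s check passed=%d result=%d\n",
               names[i], runs[i].check_passed, runs[i].result);
    return 0;
}
```

The unmodified program computes 10 and passes; the patched program computes 55 and fails when reads and fetches share one page, but passes with the same 55 once data reads are steered to the clean page. Nothing inside the guest can distinguish the third case from the first by reading its own text, which is why defenses against this class of attack have to come from outside the checked code (an attested hypervisor, or checks whose value depends on executing the text rather than reading it).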
Slide 7: System Architecture
[Figure: system architecture. Components shown: target OS, hypervisor, Igor, victim, modified code, unmodified code, comm channel, Dyninst attach, page correspondences.]
Slide 8: Current Status
- Running modified Xen and XenLinux installations
- Tracking of page faults in the target program's address space
  - Currently implemented with a device driver that makes hypercalls to Xen
- Remaining tasks:
  - TLB entry installation
  - Igor process
  - Communication channel from Igor to the Xen hypervisor
  - Performance measurements