Ninja: Towards Transparent Tracing and Debugging on ARM Zhenyu Ning - PowerPoint PPT Presentation


  1. Ninja: Towards Transparent Tracing and Debugging on ARM Zhenyu Ning & Fengwei Zhang Wayne State University {zhenyu.ning, fengwei}@wayne.edu Wayne State University COMPASS LAB (HTTP://COMPASS.CS.WAYNE.EDU) 1

  2. Outline
     • Introduction
     • Background
     • System Overview
     • Evaluation
     • Conclusion

  4. Evasion (figure: Malware, Analyzer)

  6-12. Malware Analysis (figure: Applications (App, App, Malware) above the Operating System, above the Hypervisor/Emulator, above the Hardware; the Malware Analyzer sits at a different layer in each variant)
     • Analyzer in the Hypervisor/Emulator layer. Limitation:
        • No defense against anti-virtualization or anti-emulation techniques
     • Analyzer in the Operating System layer. Limitation:
        • Unable to handle malware with high privilege (e.g., rootkits)
     • Analyzer in the Hardware layer (MalT, S&P 15). Limitations:
        • High performance overhead on mode switch
        • Unprotected modified registers
        • Vulnerable to external timing attack

  13-15. Transparency Requirements
     • An Environment that provides access to the states of the target malware
        • It is isolated from the target malware
        • It exists on an off-the-shelf (OTS) bare-metal platform
     • An Analyzer which is responsible for the further analysis of the states
        • It should not leave any detectable footprints outside the environment

  17. Background - TrustZone
     ARM TrustZone technology divides the execution environment into a secure domain and a non-secure domain.
     • The RAM is partitioned into secure and non-secure regions.
     • The interrupts are assigned to the secure or the non-secure group.
     • Secure-sensitive registers can only be accessed in the secure domain.
     • Hardware peripherals can be configured as secure-access only.

  18. Background - TrustZone (figure: Non-secure Domain: EL0 (Applications), EL1 (Rich OS), EL2 (Hypervisor); Secure Domain: EL0 (Applications), EL1 (Secure OS); EL3 (Secure Monitor) beneath both domains)
     • In the ARMv8 architecture, exceptions are delivered to different Exception Levels (ELs).
     • The only way to enter the secure domain is to trigger an EL3 exception.
     • The exception return instruction (ERET) can be used to switch back to the non-secure domain.

  19. Background – PMU and ETM
     • The Performance Monitor Unit (PMU) leverages a set of performance counter registers to count the occurrences of different CPU events.
     • The Embedded Trace Macrocell (ETM) traces the instructions and data of the system, and outputs the trace stream into pre-allocated on-chip buffers.
     • Both PMU and ETM exist on ARM Cortex-A5x and Cortex-A7x series CPUs, and do NOT affect the performance of the CPU.

  21-26. Overview (figure: Non-secure Domain: Rich OS with App, App, and the Target Malware. Secure Domain: Secure Interrupt Handler, Trace Subsystem, Debug Subsystem, Secure Port, and a Remote Debugging Client attached to the Secure Port. A Secure Interrupt transfers control from the non-secure domain to the Secure Interrupt Handler; ERET returns to the non-secure domain.)
     • Trace Subsystem:
        • Instruction Trace
        • System Call Trace
        • Android API Trace
     • Debug Subsystem:
        • Single Stepping
        • Breakpoints
        • Memory R/W

  27-31. Hardware Traps
     Non-secure Domain (code under analysis reads the PMU control register):
        ……
        MRS X0, PMCR_EL0
        MOV X1, #1
        AND X0, X0, X1
        ……
     Secure Domain (MDCR_EL3.TPM = 1, so the PMU register access traps to EL3):
        • Analyzing the instruction
        • MOV X0, #0x41013000 (the trapped read is completed with a faked value)
        • Modifying saved ELR_EL3
        • ERET
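The trap-and-emulate flow of slides 27-31, as an added host-runnable C model (not code from the Ninja paper or slides): with MDCR_EL3.TPM = 1 the non-secure MRS X0, PMCR_EL0 traps to EL3 with ESR_EL3.EC = 0x18, the handler decodes the syndrome, writes the faked value into the saved X0 and advances the saved ELR_EL3 before ERET. The saved_ctx layout and the function names are assumptions; the ESR ISS field layout and the PMCR_EL0 system-register encoding are architectural.

```c
#include <stdint.h>
#include <stdbool.h>
/* ESR_ELx: EC in bits [31:26]; EC 0x18 = trapped MSR/MRS/System instruction. */
#define ESR_EC(esr)      (((uint32_t)(esr) >> 26) & 0x3fu)
#define EC_SYSREG_TRAP   0x18u
/* ISS layout for EC 0x18: Op0[21:20] Op2[19:17] Op1[16:14] CRn[13:10]
 * Rt[9:5] CRm[4:1] Direction[0] (1 = MRS read, 0 = MSR write). */
#define ISS_OP0(e)  (((e) >> 20) & 0x3u)
#define ISS_OP2(e)  (((e) >> 17) & 0x7u)
#define ISS_OP1(e)  (((e) >> 14) & 0x7u)
#define ISS_CRN(e)  (((e) >> 10) & 0xfu)
#define ISS_RT(e)   (((e) >>  5) & 0x1fu)
#define ISS_CRM(e)  (((e) >>  1) & 0xfu)
#define ISS_DIR(e)  ((e) & 0x1u)
/* PMCR_EL0 is S3_3_C9_C12_0: Op0=3 Op1=3 CRn=9 CRm=12 Op2=0. */
#define IS_PMCR_EL0(e) (ISS_OP0(e) == 3 && ISS_OP1(e) == 3 && ISS_CRN(e) == 9 && \
                        ISS_CRM(e) == 12 && ISS_OP2(e) == 0)
/* Value the slides hand back: IMP=0x41, IDCODE=0x01, N=6 counters, E=0,
 * i.e. "PMU present but disabled", so the AND-with-1 check on the slide reads 0. */
#define SPOOFED_PMCR_EL0 0x41013000ull

/* Non-secure register context saved on EL3 entry (assumed layout). */
struct saved_ctx {
    uint64_t x[31];      /* X0..X30 */
    uint64_t elr_el3;    /* where ERET will resume */
    uint64_t esr_el3;    /* exception syndrome for this trap */
};

/* Emulates a trapped "MRS Xt, PMCR_EL0". Returns false for any other trap
 * so the caller can fall through to the monitor's normal handling. */
bool emulate_pmcr_read(struct saved_ctx *ctx)
{
    uint32_t iss = (uint32_t)ctx->esr_el3 & 0x1ffffffu;
    if (ESR_EC(ctx->esr_el3) != EC_SYSREG_TRAP || !ISS_DIR(iss) || !IS_PMCR_EL0(iss))
        return false;
    uint32_t rt = ISS_RT(iss);
    if (rt != 31)                       /* Rt == 31 encodes XZR: result discarded */
        ctx->x[rt] = SPOOFED_PMCR_EL0;  /* the "MOV X0, #0x41013000" step */
    ctx->elr_el3 += 4;                  /* step past the 4-byte MRS before ERET */
    return true;
}

/* Builds the ESR_EL3 value hardware reports for "MRS Xrt, PMCR_EL0"
 * (constructed input so the handler can be exercised on a host). */
uint64_t esr_for_mrs_pmcr(uint32_t rt)
{
    uint32_t iss = (3u << 20) | (0u << 17) | (3u << 14) | (9u << 10) |
                   ((rt & 0x1fu) << 5) | (12u << 1) | 1u;
    return ((uint64_t)EC_SYSREG_TRAP << 26) | iss;
}
```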

  33-37. Evaluation - Transparency
     • Environment:
        ✓ Isolated
        ✓ Exists on OTS platforms
     • Analyzer:
        ✓ No detectable footprints?
     We believe that the hardware-based approach provides better transparency. To build a fully transparent system, we may need additional hardware support.

  38. Evaluation – Performance of the TS
     • Testbed Specification
        • ARM Juno v1 development board
        • A dual-core 800 MHz Cortex-A57 cluster and a quad-core 700 MHz Cortex-A53 cluster
        • ARM Trusted Firmware (ATF) v1.1 and Android 5.1.1
