pavel dovgalyuk institute for system programming of the
play

Pavel Dovgalyuk Institute for System Programming of the Russian - PowerPoint PPT Presentation

Dec 26, 2022 •101 likes •387 views

Instrumenting, Introspection, and Debugging with QEMU Pavel Dovgalyuk Institute for System Programming of the Russian Academy of Sciences Our projects Working on QEMU projects since 2010 (version 0.13) Software analysis for x86

  1. Instrumenting, Introspection, and Debugging with QEMU Pavel Dovgalyuk Institute for System Programming of the Russian Academy of Sciences

  2. Our projects • Working on QEMU projects since 2010 (version 0.13) • Software analysis for x86 • Deterministic replay • Reverse debugging • Now working on introspection and debugging projects 2

  3. In-VM software development and debugging • Creating new kernels/drivers • Simulating new platforms • Reverse engineering 3

  4. Logging from QEMU -d in_asm,exec,nochain IN: 0x000ef407: lea 0x1(%esi),%eax 0x000ef40a: mov %eax,0x4(%esp) 0x000ef40e: jmp 0xef1c6 Trace 042113a0 [0: 000ef407] Trace 04211450 [0: 000ef1c6] Trace 04210f20 [0: 000ef1d5] Trace 04210f90 [0: 000ef278] Trace 04211040 [0: 000eda1b] Trace 04211170 [0: 000eda10] Trace 042112c0 [0: 000eda22] 4

  5. Analyzing dumps with Volatility • Scripts to extract information from the dumps • Only static analysis $ python vol.py -f win7.vmem --profile=Win7SP1x86 pslist Volatility Foundation Volatility Framework 2.4 Offset(V) Name PID PPID Thds Hnds Sess Wow64 Start Exit 0x84133630 System 4 0 93 420 ------ 0 2011-10-20 15:25:11 UTC+0000 0x852add40 smss.exe 276 4 4 29 ------ 0 2011-10-20 15:25:11 UTC+0000 0x851d9530 csrss.exe 364 356 9 560 0 0 2011-10-20 15:25:15 UTC+0000 0x859c8530 wininit.exe 404 356 7 88 0 0 2011-10-20 15:25:16 UTC+0000 0x859cf530 csrss.exe 416 396 10 236 1 0 2011-10-20 15:25:16 UTC+0000 [snip] 5

  6. GDB • Remote debugging • Can load binaries and sources to get debug information – Not very easy with enabled ASLR • Guest system is executed as a single program • Process information is not available • Cannot break on interrupts/exceptions and other events • Single-stepping may change the execution result 6

  7. Deterministic and reverse debugging • It’s gonna take you back to the past • icount for deterministic timers • VM snapshots for faster rewind to the desired moment of execution • GDB reverse debugging commands – reverse-continue, step, next, finish • Still work-in-progress for mainline QEMU 7

  8. GDB protocol • GDB interacts with QEMU using complex packets • Conditional breakpoints lead to many VM stops and debugger-QEMU communication – stop, request registers, recover the context, evaluate equation, continue execution • Very slow for runtime analysis – Using conditional breakpoints inside the inner loops is not practical 8

  9. WinDbg • Support stealth Windows debugging with WinDbg • More information than in GDB • Communication is also slow • Submitted to qemu-devel • https://github.com/ispras/qemu/tree/windbg 9

  10. QEMU API for analysis • Instrumenting guest or TCG code • Callbacks for memory accesses, MSR/CR changes, and interrupts • Memory and CPU state query interface • Communication is faster than GDB, WinDbg , QMP, … 10

  11. QEMU-based dynamic analysis frameworks • PyREBox • PANDA • DECAF • ISP RAS • and other less mature systems 11

  12. PyREBox • PyREBox – Python scriptable Reverse Engineering sandbox • QEMU 2.10 • Uses Volatility memory forensics • Python scripting for automated analysis • https://github.com/Cisco-Talos/pyrebox/ 12

  13. PANDA • Platform for Architecture-Neutral Dynamic Analysis • QEMU 2.8.50 • VM introspection plugins • Taint analysis • CPU record-replay • https://github.com/panda-re/panda 13

  14. DECAF • Dynamic Executable Code Analysis Framework • QEMU 1.0 • VM introspection plugins • Taint analysis • https://github.com/sycurelab/DECAF 14

  15. ISP RAS • Our own approach • QEMU 2.8.50 • Subsystem for dynamically loaded plugins • Plugins for syscall and API logging in i386 Windows/Linux • https://github.com/ispras/qemu/tree/plugins 15

  16. Requirements for QEMU analysis API • Translation events • Memory operation events • Execution events • Exception events • Disk and DMA events • Keyboard and network events • TLB events • Monitor commands 16

  17. Instruction instrumentation • Instrument at translation – check whether callback is needed – Specific instructions – Specific addresses – Specific process • Get callbacks at execution 17

  18. Instruction instrumentation 0xb7707010: mov %ebx,%edx ---- b770701f 00000000 movi_i64 tmp13,$0xb7707020 0xb7707012: mov 0x8(%esp),%ecx movi_i64 tmp14,$0x7fef9a788670 0xb7707016: mov 0x4(%esp),%ebx call start_system_call, $0x0,$0,tmp13,tmp14 0xb770701a: mov $0x21,%eax movi_i32 tmp3,$0xffffffffb770701f 0xb770701f: int $0x80 st_i32 tmp3,env,$0x20 movi_i32 tmp11,$0x2 movi_i32 tmp12,$0x80 call raise_interrupt, $0x0,$0,env,tmp12,tmp11 set_label $L0 exit_tb $0x7fef8e6dca13 18

  19. Instruction instrumentation requirements • Translation callback – cpu, pc, tcg_ctx • Memory read function • TCG functions – variable allocation, code generation 19

  20. TCG Instrumentation • Platform-independent instrumentation • Used for taint analysis in DECAF and PANDA • Not complete because of helpers – PANDA instruments them with LLVM 20

  21. Memory accesses instrumentation • Memory ops performed through softmmu-callbacks and translated code – From cpu_ldst_template.h – invoke the callback – From tcg_op.c – embed the callback into TB • Memory forensics through exported load functions 21

  22. Memory accesses instrumentation • Logging • Cache simulator • Forensics • Anomalies detection 22

  23. Memory log sample Load 0x84@8 virt:ef1cd phys:ef1cd Load 0xd2@8 virt:ef1ce phys:ef1ce Load 0xf@8 virt:ef1cf phys:ef1cf Load 0x84@8 virt:ef1d0 phys:ef1d0 Load 0x23e@32 virt:ef1d1 phys:ef1d1 ---------------- IN: 0x000ef1c6: mov 0x4(%esp),%esi 0x000ef1ca: movsbl (%esi),%edx 0x000ef1cd: test %dl,%dl 0x000ef1cf: je 0xef413 Trace 043b1450 [0: 000ef1c6] Load 0xf357d@32 virt:6fa4 phys:6fa4 Load 0x65@8 virt:f357d phys:f357d 23

  24. Generated code problems • TCG buffer overflow protection is weak OPC_MAX_SIZE Buffer Last instruction Instrumented last instruction #define MAX_OPC_PARAM (4 + (MAX_OPC_PARAM_PER_ARG * MAX_OPC_PARAM_ARGS)) #define OPC_BUF_SIZE 640 #define OPC_MAX_SIZE (OPC_BUF_SIZE - MAX_OP_PER_INSTR) 24

  25. Generated code problems /* XXX: make safe guess about sizes */ • TCG buffer overflow protection is weak OPC_MAX_SIZE Buffer Last instruction Instrumented last instruction #define MAX_OPC_PARAM (4 + (MAX_OPC_PARAM_PER_ARG * MAX_OPC_PARAM_ARGS)) #define OPC_BUF_SIZE 640 #define OPC_MAX_SIZE (OPC_BUF_SIZE - MAX_OP_PER_INSTR) 25

  26. Interrupts and exceptions • Only asynchronous callbacks • Logging peripheral interrupts • Detecting page mapping 26

  27. Instrumentation applications • Logging syscalls • Logging API • Logging memory accesses – for cache simulator – for complementing in_asm+exec log • Building more complex introspection tools 27

  28. QEMU instrumentation API • 10+ attempts to add instrumentation API • Does it have to be included into mainline? • QEMU interface may be very narrow – ~20 callbacks – ~50 exported functions Dynamically QEMU Dynamically API loaded plugin loaded plugin/tool 28

Recommend

NPFL103: Information Retrieval (5) Ranking, Complete search system, Evaluation, Benchmarks Pavel

NPFL103: Information Retrieval (5) Ranking, Complete search system, Evaluation, Benchmarks Pavel

Ranking Complete search system Evaluation Benchmarks NPFL103: Information Retrieval (5) Ranking, Complete search system, Evaluation, Benchmarks Pavel Pecina Institute of Formal and Applied Linguistics Faculty of Mathematics and Physics

995 views • 63 slides
Programming Android Client for Smart-M3 Applications Pavel Y. Kovyrshin, Dmitry G. Korzun

Programming Android Client for Smart-M3 Applications Pavel Y. Kovyrshin, Dmitry G. Korzun

Programming Android Client for Smart-M3 Applications Pavel Y. Kovyrshin, Dmitry G. Korzun Petrozavodsk State University Department of Computer Science Grant KA179 Complex development of regional cooperation in the field of open ICT

247 views • 11 slides
Bright Muon Sources Pavel Snopok Illinois Institute of Technology and Fermilab December 4, 2014

Bright Muon Sources Pavel Snopok Illinois Institute of Technology and Fermilab December 4, 2014

Bright Muon Sources Pavel Snopok Illinois Institute of Technology and Fermilab December 4, 2014 Pavel Snopok | MAP Winter Collaboration Meeting (SLAC, December 3-7, 2014) Outline Introduction Key progress Initial cooling 6D

648 views • 23 slides
Android Smartphone as a Microphone in SmartRoom System Pavel Y. Kovyrshin, Dmitry G. Korzun

Android Smartphone as a Microphone in SmartRoom System Pavel Y. Kovyrshin, Dmitry G. Korzun

Android Smartphone as a Microphone in SmartRoom System Pavel Y. Kovyrshin, Dmitry G. Korzun Petrozavodsk State University Department of Computer Science Grant KA179 Complex development of regional cooperation in the field of open ICT

576 views • 11 slides
Performance evaluation of Linux CAN-related system calls Michal Sojka , Pavel P sa,

Performance evaluation of Linux CAN-related system calls Michal Sojka , Pavel P sa,

Performance evaluation of Linux CAN-related system calls Michal Sojka , Pavel P sa, Zden ek Hanz alek Czech Technical University in Prague, Faculty of Electrical Engineering Email: { sojkam1,pisa,hanzalek } @fel.cvut.cz SESAMO

595 views • 38 slides
Quantum BV theories on manifolds with boundary Pavel Mnev Max Planck Institute for Mathematics,

Quantum BV theories on manifolds with boundary Pavel Mnev Max Planck Institute for Mathematics,

Quantum BV theories on manifolds with boundary Pavel Mnev Max Planck Institute for Mathematics, Bonn Notre Dame University, October 28, 2015 Joint work with Alberto S. Cattaneo and Nikolai Reshetikhin Introduction BV-BFV formalism, outline

1.2k views • 101 slides
Dynamics of change in logic Pavel Arazim Philosophical Institute of Czech Academy of Sciences

Dynamics of change in logic Pavel Arazim Philosophical Institute of Czech Academy of Sciences

Dynamics of change in logic Pavel Arazim Philosophical Institute of Czech Academy of Sciences PhDs in Logic, Prague May 2, 2018 Pavel Arazim Dynamics of change in logic Plurality of logics as philosophical problem There are many logical

597 views • 23 slides
Building blocks of the future fissile material (cut-off) treaty Pavel Podvig UN Institute for

Building blocks of the future fissile material (cut-off) treaty Pavel Podvig UN Institute for

Building blocks of the future fissile material (cut-off) treaty Pavel Podvig UN Institute for Disarmament Research UN First Committee Side Event United Nations, New York 20 October 2016 Issues to consider Key elements of the treaty

947 views • 29 slides
Introduction to eXtreme Programming (XP) Rochester Institute of Technology Software Engineering

Introduction to eXtreme Programming (XP) Rochester Institute of Technology Software Engineering

Introduction to eXtreme Programming (XP) Rochester Institute of Technology Software Engineering Department Extreme Programming (XP) Kent Beck C3 Project Chrysler Comprehensive Compensation system. XP Values:

753 views • 25 slides
NPFL103: Information Retrieval (10) Document clustering Pavel Pecina Institute of Formal and

NPFL103: Information Retrieval (10) Document clustering Pavel Pecina Institute of Formal and

Introduction K -means Evaluation How many clusters? Hierarchical clustering Variants NPFL103: Information Retrieval (10) Document clustering Pavel Pecina Institute of Formal and Applied Linguistics Faculty of Mathematics and Physics

1.44k views • 114 slides
Search Problems in Groups Pavel Morar Stevens Institute of Technology Geometric and Asymptotic

Search Problems in Groups Pavel Morar Stevens Institute of Technology Geometric and Asymptotic

Search Problems in Groups Pavel Morar Stevens Institute of Technology Geometric and Asymptotic Group Theory with Applications, May 30, 2013 Joint work with Sasha Ushakov Wagner-Magyarik Public Key Cryptosystem (1984) Private key: A finite

826 views • 38 slides
Perturbative topological field theory with Segal-like gluing Pavel Mnev Max Planck Institute for

Perturbative topological field theory with Segal-like gluing Pavel Mnev Max Planck Institute for

Perturbative topological field theory with Segal-like gluing Pavel Mnev Max Planck Institute for Mathematics, Bonn ICMP, Santiago de Chile, July 27, 2015 Joint work with Alberto S. Cattaneo and Nikolai Reshetikhin Introduction BV-BFV

897 views • 67 slides
Spectra of magnetic chain graphs Pavel Exner Doppler Institute for Mathematical Physics and

Spectra of magnetic chain graphs Pavel Exner Doppler Institute for Mathematical Physics and

Spectra of magnetic chain graphs Pavel Exner Doppler Institute for Mathematical Physics and Applied Mathematics Prague in collaboration with Stepan Manko and Daniel Va sata A talk at the workshop Operator Theory and Indefinite Inner Product

1.38k views • 98 slides
Random Resolution Refutations ak and Neil Thapen 1 Pavel Pudl Mathematical Institute, Academy

Random Resolution Refutations ak and Neil Thapen 1 Pavel Pudl Mathematical Institute, Academy

Random Resolution Refutations ak and Neil Thapen 1 Pavel Pudl Mathematical Institute, Academy of Sciences, Prague Riga, 6.7.17 1the authors are supported by the ERC grant FEALORA [1] History and Motivation Stefan Dantchev [unpublished]

417 views • 37 slides
Some unusual spectra of periodic quantum graphs Pavel Exner Doppler Institute for Mathematical

Some unusual spectra of periodic quantum graphs Pavel Exner Doppler Institute for Mathematical

Some unusual spectra of periodic quantum graphs Pavel Exner Doppler Institute for Mathematical Physics and Applied Mathematics Prague in collaboration with Stepan Manko , Daniel Va sata , and Ond rej Turek A talk at the conference Chaos,

1.84k views • 153 slides
BF theory on cobordisms endowed with cellular decomposition Pavel Mnev Max Planck Institute for

BF theory on cobordisms endowed with cellular decomposition Pavel Mnev Max Planck Institute for

BF theory on cobordisms endowed with cellular decomposition Pavel Mnev Max Planck Institute for Mathematics, Bonn Poisson 2016, ETH Z urich, July 4, 2016 Joint work with Alberto S. Cattaneo and Nikolai Reshetikhin Introduction BV-BFV

1.25k views • 87 slides
On formal complexity measures Pavel Pudl ak Mathematical Institute, Academy of Sciences,

On formal complexity measures Pavel Pudl ak Mathematical Institute, Academy of Sciences,

On formal complexity measures Pavel Pudl ak Mathematical Institute, Academy of Sciences, Prague and Charles University, Prague Workshop on Randomness and Enumeration November 24-28, 2008 La Suiza Andina, Curacaut n, Chile 1 Overview

964 views • 39 slides
Cg: A system for programming Cg: A system for programming graphics hardware in a graphics

Cg: A system for programming Cg: A system for programming graphics hardware in a graphics

Cg: A system for programming Cg: A system for programming graphics hardware in a graphics hardware in a C-like language C-like language William R. Mark University of Texas at Austin R. Steven Glanville NVIDIA Kurt Akeley NVIDIA and

522 views • 26 slides
Spectral gaps of periodic quantum graphs Pavel Exner Doppler Institute for Mathematical Physics

Spectral gaps of periodic quantum graphs Pavel Exner Doppler Institute for Mathematical Physics

Spectral gaps of periodic quantum graphs Pavel Exner Doppler Institute for Mathematical Physics and Applied Mathematics Prague In memoriam Hagen Neidhardt A talk at the conference Operator Theory and Krein Spaces Vienna, December 20, 2019

1.53k views • 137 slides
General Ternary Bit Strings on Commodity Longest-Prefix-Match Infrastructures Pavel Chuprikov

General Ternary Bit Strings on Commodity Longest-Prefix-Match Infrastructures Pavel Chuprikov

General Ternary Bit Strings on Commodity Longest-Prefix-Match Infrastructures Pavel Chuprikov , Kirill Kogan , Sergey Nikolenko Steklov Institute of Mathematics at St. Petersburg IMDEA Networks Institute, Madrid represent

260 views • 10 slides
A General Solver Based on Sparse Resultants Ioannis Z. Emiris presented by Pavel Trutman

A General Solver Based on Sparse Resultants Ioannis Z. Emiris presented by Pavel Trutman

A General Solver Based on Sparse Resultants Ioannis Z. Emiris presented by Pavel Trutman <pavel.trutman@cvut.cz> August 30, 2019 Czech Institute of Informatics, Robotics, and Cybernetics Czech Technical University in Prague P. Trutman

410 views • 19 slides
BAT System Description for NIST LRE 2015 BUT+Agnitio+Torino Oldrich Plchot, Pavel Matejka, Radek

BAT System Description for NIST LRE 2015 BUT+Agnitio+Torino Oldrich Plchot, Pavel Matejka, Radek

BAT System Description for NIST LRE 2015 BUT+Agnitio+Torino Oldrich Plchot, Pavel Matejka, Radek Fer, Ondrej Glembek,Ondrej Novotny, Jan Pesan, Lukas Burget, Martin Karafiat, Karel Vesely, Lucas Ondel, Santosh Kesiraju, Frantisek Grezl, Sri

199 views • 18 slides
Cross-lingual Information Retrieval Pavel Pecina Institute of Formal and Applied Linguistics

Cross-lingual Information Retrieval Pavel Pecina Institute of Formal and Applied Linguistics

Cross-lingual Information Retrieval Pavel Pecina Institute of Formal and Applied Linguistics Charles University, Prague, Czech Republic Joint work with Shadi Saleh Jan 17, 2019 - AFCEA Outline 1. Introduction 2. (Cross-lingual) information

797 views • 69 slides
Energy deposition for intense muon sources (chicane + the rest of the front end) Pavel Snopok

Energy deposition for intense muon sources (chicane + the rest of the front end) Pavel Snopok

Energy deposition for intense muon sources (chicane + the rest of the front end) Pavel Snopok Illinois Institute of Technology and Fermilab December 4, 2014 Pavel Snopok | MAP Winter Collaboration Meeting (SLAC, December 3-7, 2014) Outline

471 views • 17 slides

More recommend