Using Hardware Features for Increased Debugging Transparency - PowerPoint PPT Presentation


  1. Using Hardware Features for Increased Debugging Transparency
  Fengwei Zhang, Kevin Leach, Angelos Stavrou, Haining Wang, and Kun Sun. In S&P'15.
  Presenter: Fengwei Zhang. Wayne State University, CSC 6991 Topics in Computer Security.

  2. Overview
  • Motivation
  • Background: System Management Mode (SMM)
  • System Architecture
  • Evaluation: Transparency and Performance
  • Conclusions and Future Directions

  4. Motivation
  • Malware attack statistics
    – Symantec blocked an average of 247,000 attacks per day [1]
    – McAfee (Intel Security) reported 8,000,000 new malware samples in the first quarter of 2014 [2]
    – Kaspersky reported that malware threats have grown 34%, with over 200,000 new threats per day last year [3]
  • Computer systems have vulnerable applications that could be exploited by attackers.

  5-7. Traditional Malware Analysis
  (Figure, built up over three slides: Malware inside a Virtual Machine, an Analysis Tool beside it, both above the Hypervisor (VMM) and the Hardware)
  • Using virtualization technology to create an isolated execution environment for malware debugging
  • Running malware inside a VM
  • Running analysis tools outside a VM

  8. Traditional Malware Analysis
  (Figure: Analysis Tool, Malware, Virtual Machine, Hypervisor (VMM), Hardware)
  Limitations:
  • Depends on hypervisors that have a large TCB (e.g., Xen has 500K SLOC and 245 vulnerabilities in NVD)
  • Incapable of analyzing rootkits with the same or higher privilege level (e.g., hypervisor and firmware rootkits)
  • Unable to analyze armored malware with anti-virtualization or anti-emulation techniques

  9. Our Approach
  (Figure: Analysis Tool, Malware, Virtual Machine, Hypervisor (VMM), Hardware)
  We present a bare-metal debugging system called MalT that leverages System Management Mode for malware analysis
  • Uses System Management Mode as a hardware-isolated execution environment to run analysis tools, and can debug hypervisors
  • Moves analysis tools from the hypervisor layer to the hardware layer, which achieves a high level of transparency

  11. Background: System Management Mode
  System Management Mode (SMM) is a special CPU mode existing in the x86 architecture, and it can be used as a hardware-isolated execution environment.
  • Originally designed for implementing system functions (e.g., power management)
  • Isolated System Management RAM (SMRAM) that is inaccessible from the OS
  • The only way to enter SMM is to trigger a System Management Interrupt (SMI)
  • Executing the RSM instruction resumes the OS (Protected Mode)

  12. Background: System Management Mode
  Approaches for triggering a System Management Interrupt (SMI)
  • Software-based: write to an I/O port specified by the Southbridge datasheet (e.g., 0x2B for Intel)
  • Hardware-based: network card, keyboard, hardware timers
  (Figure: Protected Mode (Normal OS) on the left, System Management Mode (Isolated Execution Environment: highest privilege, isolated SMRAM, interrupts disabled) on the right. A software or hardware SMI triggers SMM entry into the SMI handler; RSM performs SMM exit.)

  13. Background: Software Layers
  (Figure, top to bottom: Application, Operating System, Hypervisor (VMM), Firmware (BIOS) / SMM, Hardware)

  14. Background: Hardware Layout
  (Figure: the CPU, with MMU and IOMMU, connects over the front-side bus to the Northbridge (memory controller hub), which serves the memory slots over the memory bus and the graphic card slot over the PCIe bus. An internal bus links the Northbridge to the Southbridge (I/O controller hub), which serves the PCI slots over the PCI bus, plus IDE, SATA, USB, audio, CMOS, and, over the LPC bus, the BIOS and the Super I/O (keyboard, mouse, serial port).)

  16. System Architecture
  • Traditionally, malware debugging uses virtualization or emulation
  • MalT debugs malware on a bare-metal machine, and remains transparent in the presence of existing anti-debugging, anti-VM, and anti-emulation techniques.
  (Figure: the Debugging Client runs a GDB-like Debugger; the Debugging Server runs the Debugged application and an SMI handler that inspects it and sets breakpoints. 1) Trigger SMI; 2) Debug command; 3) Response message.)

  17. Step-by-step Debugging in MalT
  • Debugging a program instruction-by-instruction
  • Using performance counters to trigger an SMI for each instruction
  (Figure: CPU control flow. In Protected Mode the EIP advances through inst 1, inst 2, inst 3, ..., inst n; each instruction triggers an SMI, so control goes to SMM entry, the SMI handler runs, and RSM performs SMM exit back to the next instruction.)

  19. Evaluation: Transparency Analysis
  • Two subjects: 1) the running environment and 2) the debugger itself
    – Running environments of a debugger
      • SMM vs. virtualization/emulation
    – Side effects introduced by the debugger itself
      • CPU, cache, memory, I/O, BIOS, and timing
  • Towards true transparency
    – MalT is not fully transparent (e.g., external timing attack), but transparency is increased
    – Draws attention to a hardware-based approach for addressing debugging transparency

  20. Evaluation: Performance Analysis
  • Testbed specification
    – Motherboard: ASUS M2V-MX SE
    – CPU: 2.2 GHz AMD LE-1250
    – Chipsets: AMD K8 Northbridge + VIA VT8237r Southbridge
    – BIOS: Coreboot + SeaBIOS

  Table: SMM Switching and Resume (Time: µs)
  Operations      Mean   STD    95% CI
  SMM switching   3.29   0.08   [3.27, 3.32]
  SMM resume      4.58   0.10   [4.55, 4.61]
  Total           7.87

  21. Evaluation: Performance Analysis
  Table: Stepping Overhead on Windows and Linux (Unit: Times of Slowdown)
  Stepping Methods       Windows   Linux
  Far control transfer   2         2
  Near return            30        26
  Taken branch           565       192
  Instruction            973       349
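As an added illustration (not code from the paper or from MalT itself), the C model below ties the stepping loop on slide 17 to the measurements on slides 20 and 21: it counts how many SMI round trips each performance-counter stepping granularity would take on a constructed instruction trace and prices them with the measured 7.87 µs switch-plus-resume time. The event classes, their overlap, the trace, and the assumption that handler work is free are this model's own, not the paper's.

```c
#include <stdio.h>
#include <stddef.h>

/* Retired-event classes a performance counter can be armed on (slides 17
 * and 21). A bitmask, because one instruction can retire several events:
 * a near return is also a taken branch. Overlap is a modelling assumption. */
enum { EV_INSN = 1, EV_TAKEN_BRANCH = 2, EV_NEAR_RET = 4, EV_FAR_XFER = 8 };

/* One SMI round trip from slide 20: SMM switching 3.29 us + resume 4.58 us. */
#define SMM_ROUND_TRIP_US (3.29 + 4.58)

/* Number of SMIs taken when the counter is armed on trigger_event and the
 * debugged program retires the events in trace. Models slide 17: every armed
 * event overflows the counter, the CPU enters SMM, the handler runs, RSM returns. */
static size_t count_smis(const unsigned *trace, size_t n, unsigned trigger_event) {
    size_t smis = 0;
    for (size_t i = 0; i < n; i++)
        if (trace[i] & trigger_event) smis++;
    return smis;
}

/* Estimated stepping cost in microseconds; handler work is assumed free. */
static double stepping_cost_us(const unsigned *trace, size_t n, unsigned trigger_event) {
    return (double)count_smis(trace, n, trigger_event) * SMM_ROUND_TRIP_US;
}

/* Constructed trace (not from the paper): two iterations of a short loop
 * ending in a taken backward branch, a call/return pair, and one far
 * transfer (e.g. a software interrupt into the kernel). */
static const unsigned SAMPLE_TRACE[] = {
    EV_INSN, EV_INSN, EV_INSN, EV_INSN | EV_TAKEN_BRANCH,   /* loop iteration 1 */
    EV_INSN, EV_INSN, EV_INSN, EV_INSN | EV_TAKEN_BRANCH,   /* loop iteration 2 */
    EV_INSN | EV_TAKEN_BRANCH,                              /* call helper      */
    EV_INSN, EV_INSN,                                       /* helper body      */
    EV_INSN | EV_TAKEN_BRANCH | EV_NEAR_RET,                /* ret              */
    EV_INSN | EV_FAR_XFER,                                  /* far transfer     */
};
#define SAMPLE_TRACE_LEN (sizeof SAMPLE_TRACE / sizeof SAMPLE_TRACE[0])

int main(void) {
    static const struct { const char *name; unsigned ev; } modes[] = {
        { "far control transfer", EV_FAR_XFER },     { "near return", EV_NEAR_RET },
        { "taken branch",         EV_TAKEN_BRANCH }, { "instruction", EV_INSN },
    };
    for (size_t i = 0; i < sizeof modes / sizeof modes[0]; i++)
        printf("%-21s %2zu SMIs  ~%6.2f us\n", modes[i].name,
               count_smis(SAMPLE_TRACE, SAMPLE_TRACE_LEN, modes[i].ev),
               stepping_cost_us(SAMPLE_TRACE, SAMPLE_TRACE_LEN, modes[i].ev));
    return 0;
}
```

The ordering of the four modes by SMI count mirrors the ordering of the slowdown factors in the table above, which is why MalT offers coarser granularities than instruction-level stepping.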

  23. Conclusions and Future Work
  • We developed MalT, a bare-metal debugging system that employs SMM to analyze malware
    – Hardware-assisted system; does not use virtualization or emulation technology
    – Provides a more transparent execution environment
    – Through testing against existing anti-debugging, anti-VM, and anti-emulation techniques, MalT remains transparent
  • Future work
  (Figure: a Remote Debugger ("client") running IDA Pro and a GDB Client talks over a Generic Interface to the Debugging Target ("server"), where a GDB Server and the SMI Handler in SMM debug the application running in PM; debug commands go from the tool to the target and response messages come back.)

  24. References
  [1] Symantec, "Internet Security Threat Report, Vol. 19 Main Report," http://www.symantec.com/content/en/us/enterprise/other_resources/b-istr_main_report_v19_21291018.en-us.pdf, 2014.
  [2] McAfee, "Threats Report: First Quarter 2014," http://www.mcafee.com/us/resources/reports/rp-quarterly-threat-q1-2014-summary.pdf.
  [3] Kaspersky Lab, "Kaspersky Security Bulletin 2013," http://media.kaspersky.com/pdf/KSB_2013_EN.pdf.
