ninja towards transparent tracing and debugging on arm
play

Ninja: Towards Transparent Tracing and Debugging on ARM Zhenyu Ning - PowerPoint PPT Presentation

Nov 07, 2023 •170 likes •613 views

Ninja: Towards Transparent Tracing and Debugging on ARM Zhenyu Ning & Fengwei Zhang Wayne State University {zhenyu.ning, fengwei}@wayne.edu Wayne State University COMPASS LAB (HTTP://COMPASS.CS.WAYNE.EDU) 1 Outline Introduction

  1. Ninja: Towards Transparent Tracing and Debugging on ARM Zhenyu Ning & Fengwei Zhang Wayne State University {zhenyu.ning, fengwei}@wayne.edu Wayne State University COMPASS LAB (HTTP://COMPASS.CS.WAYNE.EDU) 1

  2. Outline • Introduction • Background • System Overview • Evaluation • Conclusion Wayne State University COMPASS LAB (HTTP://COMPASS.CS.WAYNE.EDU) 2

  3. Outline • Introduction • Background • System Overview • Evaluation • Conclusion Wayne State University COMPASS LAB (HTTP://COMPASS.CS.WAYNE.EDU) 3

  4. Evasion Malware Analyzer Wayne State University COMPASS LAB (HTTP://COMPASS.CS.WAYNE.EDU) 4

  5. Evasion Malware Analyzer Wayne State University COMPASS LAB (HTTP://COMPASS.CS.WAYNE.EDU) 5

  6. Malware Analysis Applications App App Malware Operating System Hypervisor/Emulator Wayne State University COMPASS LAB (HTTP://COMPASS.CS.WAYNE.EDU) 6

  7. Malware Analysis Applications App App Malware Operating System Malware Hypervisor/Emulator Analyzer Wayne State University COMPASS LAB (HTTP://COMPASS.CS.WAYNE.EDU) 7

  8. Malware Analysis Applications App App Malware Limitation: • Unarmed to anti- Operating System virtualization or anti- emulation techniques Malware Hypervisor/Emulator Analyzer Wayne State University COMPASS LAB (HTTP://COMPASS.CS.WAYNE.EDU) 8

  9. Malware Analysis Applications App App Malware Malware Operating System Analyzer Hypervisor/Emulator Wayne State University COMPASS LAB (HTTP://COMPASS.CS.WAYNE.EDU) 9

  10. Malware Analysis Applications App App Malware Limitation: Malware • Unable to handle Operating System Analyzer malware with high privilege (e.g., Hypervisor/Emulator rootkits) Wayne State University COMPASS LAB (HTTP://COMPASS.CS.WAYNE.EDU) 10

  11. Malware Analysis Applications App App Malware Operating System Hypervisor/Emulator MalT Hardware S&P 15 Wayne State University COMPASS LAB (HTTP://COMPASS.CS.WAYNE.EDU) 11

  12. Malware Analysis Limitations: Applications App App Malware • High performance overhead on mode Operating System switch • Unprotected modified Hypervisor/Emulator registers MalT Hardware • Vulnerable to external S&P 15 timing attack Wayne State University COMPASS LAB (HTTP://COMPASS.CS.WAYNE.EDU) 12

  13. Transparency Requirements • An Environment that provides the access to the states of the target malware • An Analyzer which is responsible for the further analysis of the states Wayne State University COMPASS LAB (HTTP://COMPASS.CS.WAYNE.EDU) 13

  14. Transparency Requirements • An Environment that provides the access to the states of the target malware • It is isolated from the target malware • It exists on an off-the-shelf (OTS) bare-metal platform • An Analyzer which is responsible for the further analysis of the states Wayne State University COMPASS LAB (HTTP://COMPASS.CS.WAYNE.EDU) 14

  15. Transparency Requirements • An Environment that provides the access to the states of the target malware • It is isolated from the target malware • It exists on an off-the-shelf (OTS) bare-metal platform • An Analyzer which is responsible for the further analysis of the states • It should not leave any detectable footprints to the outside of the environment Wayne State University COMPASS LAB (HTTP://COMPASS.CS.WAYNE.EDU) 15

  16. Outline • Introduction • Background • System Overview • Evaluation • Conclusion Wayne State University COMPASS LAB (HTTP://COMPASS.CS.WAYNE.EDU) 16

  17. Background - TrustZone ARM TrustZone technology divides the execution environment into secure domain and non-secure domain. • The RAM is partitioned to secure and non-secure region. • The interrupts are assigned into secure or non-secure group. • Secure-sensitive registers can only be accessed in secure domain. • Hardware peripherals can be configured as secure access only. Wayne State University COMPASS LAB (HTTP://COMPASS.CS.WAYNE.EDU) 17

  18. Background - TrustZone • In ARMv8 architecture, exceptions are delivered to Non-secure Domain Secure Domain different Exception Levels EL0 EL0 (ELs). ( Applications ) ( Applications ) EL1 EL1 • The only way to enter the (Rich OS) ( Secure OS ) secure domain is to trigger a EL3 exception. EL2 (Hypervisor) • The exception return instruction EL3 (ERET) can be used to switch ( Secure Monitor ) back to the non-secure domain. Wayne State University COMPASS LAB (HTTP://COMPASS.CS.WAYNE.EDU) 18

  19. Background – PMU and ETM • The Performance Monitor Unit (PMU) leverages a set of performance counter registers to count the occurrence of different CPU events. • The Embedded Trace Macrocell (ETM) traces the instructions and data of the system, and output the trace stream into pre-allocated buffers on the chip. • Both PMU and ETM exist on ARM Cortex-A5x and Cortex-A7x series CPUs, and do NOT affect the performance of the CPU. Wayne State University COMPASS LAB (HTTP://COMPASS.CS.WAYNE.EDU) 19

  20. Outline • Introduction • Background • System Overview • Evaluation • Conclusion Wayne State University COMPASS LAB (HTTP://COMPASS.CS.WAYNE.EDU) 20

  21. Overview Non-secure Domain Rich OS App App Target Malware Wayne State University COMPASS LAB (HTTP://COMPASS.CS.WAYNE.EDU) 21

  22. Overview Non-secure Secure Domain Domain Rich OS Secure Interrupt App Secure Interrupt Handler App Target Malware Wayne State University COMPASS LAB (HTTP://COMPASS.CS.WAYNE.EDU) 22

  23. Overview Non-secure Secure Domain Domain Rich OS Trace Subsystem: Secure Interrupt App Secure Interrupt Handler • Instruction Trace • System Call Trace App Trace • Android API Trace Target Subsystem Malware Wayne State University COMPASS LAB (HTTP://COMPASS.CS.WAYNE.EDU) 23

  24. Overview Non-secure Secure Domain Domain Rich OS Debug Subsystem: Secure Interrupt App Secure Interrupt Handler • Single Stepping • Breakpoints App Trace Debug • Memory R/W Target Subsystem Subsystem Malware Wayne State University COMPASS LAB (HTTP://COMPASS.CS.WAYNE.EDU) 24

  25. Overview Non-secure Secure Domain Domain Rich OS Secure Interrupt App Secure Interrupt Handler App Remote Trace Debug Debugging Target Secure Port Subsystem Subsystem Client Malware Wayne State University COMPASS LAB (HTTP://COMPASS.CS.WAYNE.EDU) 25

  26. Overview Non-secure Secure Domain Domain Rich OS Secure Interrupt App Secure Interrupt Handler App Remote Trace Debug Debugging Target ERET Secure Port Subsystem Subsystem Client Malware Wayne State University COMPASS LAB (HTTP://COMPASS.CS.WAYNE.EDU) 26

  27. Hardware Traps Non-secure Domain …… MRS X0, PMCR_EL0 MOV X1, #1 AND X0, X0, X1 …… Wayne State University COMPASS LAB (HTTP://COMPASS.CS.WAYNE.EDU) 27

  28. Hardware Traps Non-secure Domain Secure Domain MDCR_EL3.TPM = 1 …… Analyzing the instruction MRS X0, PMCR_EL0 MOV X1, #1 AND X0, X0, X1 …… Wayne State University COMPASS LAB (HTTP://COMPASS.CS.WAYNE.EDU) 28

  29. Hardware Traps Non-secure Domain Secure Domain MDCR_EL3.TPM = 1 …… Analyzing the instruction MRS X0, PMCR_EL0 MOV X0, #0x41013000 MOV X1, #1 AND X0, X0, X1 …… Wayne State University COMPASS LAB (HTTP://COMPASS.CS.WAYNE.EDU) 29

  30. Hardware Traps Non-secure Domain Secure Domain MDCR_EL3.TPM = 1 …… Analyzing the instruction MRS X0, PMCR_EL0 MOV X0, #0x41013000 MOV X1, #1 Modifying saved ELR_EL3 AND X0, X0, X1 …… Wayne State University COMPASS LAB (HTTP://COMPASS.CS.WAYNE.EDU) 30

  31. Hardware Traps Non-secure Domain Secure Domain MDCR_EL3.TPM = 1 …… Analyzing the instruction MRS X0, PMCR_EL0 MOV X0, #0x41013000 MOV X1, #1 Modifying saved ELR_EL3 AND X0, X0, X1 ERET …… Wayne State University COMPASS LAB (HTTP://COMPASS.CS.WAYNE.EDU) 31

  32. Outline • Introduction • Background • System Overview • Evaluation • Conclusion Wayne State University COMPASS LAB (HTTP://COMPASS.CS.WAYNE.EDU) 32

  33. Evaluation - Transparency • Environment: • Analyzer: Wayne State University COMPASS LAB (HTTP://COMPASS.CS.WAYNE.EDU) 33

  34. Evaluation - Transparency • Environment: ü Isolated • Analyzer: Wayne State University COMPASS LAB (HTTP://COMPASS.CS.WAYNE.EDU) 34

  35. Evaluation - Transparency • Environment: ü Isolated ü Exists on OTS platforms • Analyzer: Wayne State University COMPASS LAB (HTTP://COMPASS.CS.WAYNE.EDU) 35

  36. Evaluation - Transparency • Environment: ü Isolated ü Exists on OTS platforms • Analyzer: ü No detectable footprints? Wayne State University COMPASS LAB (HTTP://COMPASS.CS.WAYNE.EDU) 36

  37. Evaluation - Transparency • Environment: We believe that the hardware-based ü Isolated approach provides better transparency. ü Exists on OTS platforms To build a fully transparent system, we may need additional hardware support. • Analyzer: ü No detectable footprints? Wayne State University COMPASS LAB (HTTP://COMPASS.CS.WAYNE.EDU) 37

  38. Evaluation – Performance of the TS • Testbed Specification • ARM Juno v1 development board • A dual-core 800 MHZ Cortex-A57 cluster and a quad-core 700 MHZ Cortex-A53 cluster • ARM Trusted Firmware (ATF) v1.1 and Android 5.1.1 Wayne State University COMPASS LAB (HTTP://COMPASS.CS.WAYNE.EDU) 38

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

DEBUGGING DSLS WITH XTEXTS NEW TRACING API 1 Debugging of Generated Code Whats needed?

DEBUGGING DSLS WITH XTEXTS NEW TRACING API 1 Debugging of Generated Code Whats needed?

Christian Schneider, Miro Spnemann TypeFox.io DEBUGGING DSLS WITH XTEXTS NEW TRACING API 1 Debugging of Generated Code Whats needed? Mapping of code regions in source to code regions in target Data structures

406 views • 23 slides
Transparent ROP Exploit Mitigation using Indirect Branch Tracing

Transparent ROP Exploit Mitigation using Indirect Branch Tracing

Transparent ROP Exploit Mitigation using Indirect Branch Tracing Alexandros Perrakis Manolis Karabinakis Stelios Ninidakis Vulnerabilities Buffer overflow

342 views • 30 slides
Behind the scenes of a C64 demo Ninja / The Dreams 28C3 Ninja / The Dreams Behind the scenes of

Behind the scenes of a C64 demo Ninja / The Dreams 28C3 Ninja / The Dreams Behind the scenes of

Behind the scenes of a C64 demo Ninja / The Dreams 28C3 Ninja / The Dreams Behind the scenes of a C64 demo About me Linux kernel hacker embedded systems low level computing prefers limited machines and thats mainly because. . . Ninja /

821 views • 26 slides
Interacve Simplifier Tracing and Debugging in Isabelle Lars Hupel Technische Universitt

Interacve Simplifier Tracing and Debugging in Isabelle Lars Hupel Technische Universitt

Interacve Simplifier Tracing and Debugging in Isabelle Lars Hupel Technische Universitt Mnchen Chair for Logic and Verificaon July 8th, 2014 e l e l Agenda b a s I = State of the Art 1 2 Features of

643 views • 37 slides
Photon Mapping Combines backward/ reverse ray tracing with stochastic ray tracing

Photon Mapping Combines backward/ reverse ray tracing with stochastic ray tracing

Photon Mapping Photon Mapping Combines backward/ reverse ray tracing with stochastic ray tracing Used to simulate the interaction of light with a variety transparent substances (caustics) Glass Water Diffuse

663 views • 18 slides
Enhancing End-to-End Tracing Systems for Automated Performance Debugging in Distributed Systems

Enhancing End-to-End Tracing Systems for Automated Performance Debugging in Distributed Systems

Enhancing End-to-End Tracing Systems for Automated Performance Debugging in Distributed Systems Jethro S. Sun January 23, 2018 MassOpenCloud Research Group 1 Introduction A Sad Story ... 2 A Sad Story ... A distributed system is one in

841 views • 58 slides
uniprof: Transparent Unikernel Performance Profiling & Debugging Florian Schmidt, Research

uniprof: Transparent Unikernel Performance Profiling & Debugging Florian Schmidt, Research

uniprof: Transparent Unikernel Performance Profiling & Debugging Florian Schmidt, Research Scientist, NEC Europe Ltd. Unikernels? Faster, smaller, better! 2 Unikernels? Faster, smaller, better! clip arts: clipproject.info Unikernels

1.14k views • 71 slides
Advanced Ray Tracing 1 2/8/2006 Distributed Ray Tracing Distributed ray tracing is an

Advanced Ray Tracing 1 2/8/2006 Distributed Ray Tracing Distributed ray tracing is an

Advanced Ray Tracing 1 2/8/2006 Distributed Ray Tracing Distributed ray tracing is an elegant technique that tackles many problems at once Stochastic ray tracing: distribute rays stochastically across pixel Distributed ray tracing:

327 views • 8 slides
Study of Charged-Current neutrino interactions on water with nuclear emulsion in the NINJA

Study of Charged-Current neutrino interactions on water with nuclear emulsion in the NINJA

NINJA Study of Charged-Current neutrino interactions on water with nuclear emulsion in the NINJA experiment Ayami Hiramoto (Kyoto Univ.) Y . Suzuki, T.Fukuda, T,Nakaya for the NINJA collaboration 2019.09.09 2

728 views • 30 slides
1 Octrees Spatial Subdivision Subdivision algorithm Volume is subdivided into 4 equal

1 Octrees Spatial Subdivision Subdivision algorithm Volume is subdivided into 4 equal

Photon Mapping Combines backward/ reverse ray tracing Photon Mapping with stochastic ray tracing Used to simulate the interaction of light with a variety transparent substances (caustics) Glass Water Diffuse

293 views • 6 slides
MIT 6.837 - Ray Tracing Ray Tracing MIT EECS 6.837 Most slides are taken from Frdo Durand and

MIT 6.837 - Ray Tracing Ray Tracing MIT EECS 6.837 Most slides are taken from Frdo Durand and

MIT 6.837 - Ray Tracing Ray Tracing MIT EECS 6.837 Most slides are taken from Frdo Durand and Barb Cutler Some slides courtesy of Leonard McMillan 1 2 Ray Tracing Ray Tracing Ray Tracing kills two birds with one stone: Solves the

327 views • 11 slides
State-of-the-art Multicore Debugging and Tracing concepts by Alexander Merkle, Lauterbach GmbH

State-of-the-art Multicore Debugging and Tracing concepts by Alexander Merkle, Lauterbach GmbH

State-of-the-art Multicore Debugging and Tracing concepts by Alexander Merkle, Lauterbach GmbH State-of-the-art Multicore Debug & Trace Alexander Merkle 2013 / 11 / 14 www.lauterbach.com 1 / 20 Agenda AMP or SMP introduction

388 views • 20 slides
Debugging Debugging with High Level Languages Same goals as low-level debugging Examine and

Debugging Debugging with High Level Languages Same goals as low-level debugging Examine and

Chapter 15 Debugging Debugging with High Level Languages Same goals as low-level debugging Examine and set values in memory Execute portions of program Stop execution when (and where) desired Want debugging tools to operate on

274 views • 9 slides
Debugging Debugging Tools Module Overview Introduction to Debugging Problems in Production

Debugging Debugging Tools Module Overview Introduction to Debugging Problems in Production

Welcome to Advanced .NET Debugging Debugging Tools Module Overview Introduction to Debugging Problems in Production Challenges in debugging Production issues Production Environment Debugging Timeline Tools for .NET Debugging Review 3

622 views • 47 slides
Outline Background 8271 discussion of: Transparent LBR-based approach ROP Exploit Mitigation

Outline Background 8271 discussion of: Transparent LBR-based approach ROP Exploit Mitigation

Outline Background 8271 discussion of: Transparent LBR-based approach ROP Exploit Mitigation Using Indirect Branch Tracing Administrative break Stephen McCamant (Original paper: Vasilis Pappas, Michalis Polychronakis, and Angelos D.

471 views • 5 slides
Ray Tracing 1 Ray Tracing Ray Tracing kills two birds with one stone: Solves the Hidden

Ray Tracing 1 Ray Tracing Ray Tracing kills two birds with one stone: Solves the Hidden

Ray Tracing 1 Ray Tracing Ray Tracing kills two birds with one stone: Solves the Hidden Surface Removal problem Evaluates an improved global illumination model shadows ideal specular reflections ideal specular refractions

586 views • 19 slides
Class 3: Multi-Arm Bandit Sutton and Barto, Chapter 2 Sutton slides and Silver 295, class 2 1

Class 3: Multi-Arm Bandit Sutton and Barto, Chapter 2 Sutton slides and Silver 295, class 2 1

Class 3: Multi-Arm Bandit Sutton and Barto, Chapter 2 Sutton slides and Silver 295, class 2 1 Multi-Arm Bandits Sutton and Barto, Chapter2 The simplest reinforcement learning problem The Exploration/Exploitation Dilemma Online

457 views • 32 slides
In Kernel Switcher: A solution to support ARM's new big.LITTLE technology Presenter: Mathieu

In Kernel Switcher: A solution to support ARM's new big.LITTLE technology Presenter: Mathieu

In Kernel Switcher: A solution to support ARM's new big.LITTLE technology Presenter: Mathieu Poirier web: www.linaro.org email: mathieu.poirier@linaro.org What is big.LITTLE? A system that contains two sets of architecturally identical

628 views • 29 slides
Intra-Process Memory Protection Sergey Bratus for Applications on ARM and Julian Bangert x86:

Intra-Process Memory Protection Sergey Bratus for Applications on ARM and Julian Bangert x86:

"Sections are types, linking is policy" Intra-Process Memory Protection Sergey Bratus for Applications on ARM and Julian Bangert x86: Leveraging the ELF ABI Maxwell Koo The Problem A buggy library can read or corrupt any of your

1.02k views • 64 slides
Fixing MC for ARM v7-A Just a few corner cases how hard can it be? 1 MC Hammer?

Fixing MC for ARM v7-A Just a few corner cases how hard can it be? 1 MC Hammer?

Fixing MC for ARM v7-A Just a few corner cases how hard can it be? 1 MC Hammer? Framework for exhaustive testing of MC layer implementation for ARM First introduced at Euro LLVM 2012 35 issues found, fixes open sourced

445 views • 6 slides
RevARM: A Platform-Agnostic ARM Binary Rewriter for Security Applications * Taegyu Kim, Chung

RevARM: A Platform-Agnostic ARM Binary Rewriter for Security Applications * Taegyu Kim, Chung

RevARM: A Platform-Agnostic ARM Binary Rewriter for Security Applications * Taegyu Kim, Chung Hwan Kim, Hongjun Choi, Yonghwi Kwon, + Brendan Saltaformaggio, Xiangyu Zhang, Dongyan Xu + * Security of ARM platforms ARM platforms have

377 views • 22 slides
Probably Approximately Correct (PAC) Selection in Simulation/Best-Arm Problems David Eckman

Probably Approximately Correct (PAC) Selection in Simulation/Best-Arm Problems David Eckman

Probably Approximately Correct (PAC) Selection in Simulation/Best-Arm Problems David Eckman Shane Henderson Cornell University, ORIE Cornell University, ORIE r

358 views • 20 slides
Sergeant at Arms (SAA) Club Officer Training Agenda SAA SAA SAA Role

Sergeant at Arms (SAA) Club Officer Training Agenda SAA SAA SAA Role

Sergeant at Arms (SAA) Club Officer Training Agenda SAA SAA SAA Role Responsibilities Resources www.toastmasters.org Session Objectives Identify your role Fulfill your responsibilities Find resources that help you

422 views • 20 slides
Muti-armed Bandits,Online Learning and Sequential Prediction Jian Li Institute for

Muti-armed Bandits,Online Learning and Sequential Prediction Jian Li Institute for

2016 NDBC Muti-armed Bandits,Online Learning and Sequential Prediction Jian Li Institute for Interdisciplinary Information Sciences Tsinghua University Outline Online Learning Stochastic Multi-armed Bandits UCB Combinatorial

789 views • 47 slides

More recommend