Ninja: Towards Transparent Tracing and Debugging on ARM Zhenyu Ning - - PowerPoint PPT Presentation

SLIDE 1

Ninja: Towards Transparent Tracing and Debugging on ARM

COMPASS LAB (HTTP://COMPASS.CS.WAYNE.EDU) 1

Zhenyu Ning & Fengwei Zhang Wayne State University {zhenyu.ning, fengwei}@wayne.edu

Wayne State University

SLIDE 2

Outline

  • Introduction
  • Background
  • System Overview
  • Evaluation
  • Conclusion

SLIDE 4

Evasion Malware

Analyzer

SLIDE 6

Malware Analysis

[Figure: software stack with Applications (App, App, Malware) above the Operating System above the Hypervisor/Emulator]

SLIDE 7

Malware Analysis

[Figure: software stack with Applications (App, App, Malware) above the Operating System above the Hypervisor/Emulator, with the Malware Analyzer placed in the Hypervisor/Emulator layer]

SLIDE 8

Malware Analysis

[Figure: software stack with Applications (App, App, Malware) above the Operating System above the Hypervisor/Emulator, with the Malware Analyzer placed in the Hypervisor/Emulator layer]

Limitation:

  • Defenseless against anti-virtualization or anti-emulation techniques

SLIDE 10

Malware Analysis

[Figure: software stack with Applications (App, App, Malware) above the Operating System above the Hypervisor/Emulator, with the Malware Analyzer placed in the Hypervisor/Emulator layer]

Limitation:

  • Unable to handle malware with high privilege (e.g., rootkits)

SLIDE 11

Malware Analysis

[Figure: software stack with Applications (App, App, Malware), Operating System, Hypervisor/Emulator, and a Hardware layer hosting MalT (S&P '15)]

SLIDE 12

Malware Analysis

[Figure: software stack with Applications (App, App, Malware), Operating System, Hypervisor/Emulator, and a Hardware layer hosting MalT (S&P '15)]

Limitations:

  • High performance overhead on mode switch
  • Unprotected modified registers
  • Vulnerable to external timing attack

SLIDE 13

Transparency Requirements

  • An Environment that provides access to the states of the target malware
  • An Analyzer which is responsible for the further analysis of the states

SLIDE 14

Transparency Requirements

  • An Environment that provides access to the states of the target malware
      • It is isolated from the target malware
      • It exists on an off-the-shelf (OTS) bare-metal platform
  • An Analyzer which is responsible for the further analysis of the states

SLIDE 15

Transparency Requirements

  • An Environment that provides access to the states of the target malware
      • It is isolated from the target malware
      • It exists on an off-the-shelf (OTS) bare-metal platform
  • An Analyzer which is responsible for the further analysis of the states
      • It should not leave any detectable footprints outside of the environment

SLIDE 16

Outline

  • Introduction
  • Background
  • System Overview
  • Evaluation
  • Conclusion

SLIDE 17

Background - TrustZone

ARM TrustZone technology divides the execution environment into secure domain and non-secure domain.

  • The RAM is partitioned into secure and non-secure regions.
  • Interrupts are assigned to the secure or non-secure group.
  • Secure-sensitive registers can only be accessed in secure domain.
  • Hardware peripherals can be configured as secure access only.

SLIDE 18

Background - TrustZone

  • In the ARMv8 architecture, exceptions are delivered to different Exception Levels (ELs).
  • The only way to enter the secure domain is to trigger an EL3 exception.
  • The exception return instruction (ERET) can be used to switch back to the non-secure domain.

[Figure: Non-secure Domain: EL0 (Applications), EL1 (Rich OS), EL2 (Hypervisor); Secure Domain: EL0 (Applications), EL1 (Secure OS); EL3 (Secure Monitor) sits beneath both domains]

SLIDE 19

Background – PMU and ETM

  • The Performance Monitor Unit (PMU) leverages a set of performance counter registers to count the occurrences of different CPU events.
  • The Embedded Trace Macrocell (ETM) traces the instructions and data of the system, and outputs the trace stream into pre-allocated buffers on the chip.
  • Both PMU and ETM exist on ARM Cortex-A5x and Cortex-A7x series CPUs, and do NOT affect the performance of the CPU.

SLIDE 20

Outline

  • Introduction
  • Background
  • System Overview
  • Evaluation
  • Conclusion

SLIDE 21

Overview

[Figure: Non-secure Domain: Rich OS running App, App and the Target Malware]

SLIDE 22

Overview

[Figure: Non-secure Domain: Rich OS running App, App and the Target Malware; a Secure Interrupt transfers control to the Secure Interrupt Handler in the Secure Domain]

SLIDE 23

Overview

[Figure: Non-secure Domain: Rich OS running App, App and the Target Malware; a Secure Interrupt transfers control to the Secure Interrupt Handler in the Secure Domain, which invokes the Trace Subsystem]

Trace Subsystem:

  • Instruction Trace
  • System Call Trace
  • Android API Trace

SLIDE 24

Overview

[Figure: Non-secure Domain: Rich OS running App, App and the Target Malware; a Secure Interrupt transfers control to the Secure Interrupt Handler in the Secure Domain, which invokes the Trace Subsystem and the Debug Subsystem]

Debug Subsystem:

  • Single Stepping
  • Breakpoints
  • Memory R/W

SLIDE 25

Overview

[Figure: Non-secure Domain: Rich OS running App, App and the Target Malware; a Secure Interrupt transfers control to the Secure Interrupt Handler in the Secure Domain, which invokes the Trace Subsystem and the Debug Subsystem; the Debug Subsystem talks to a Remote Debugging Client through a Secure Port]

SLIDE 26

Overview

[Figure: Non-secure Domain: Rich OS running App, App and the Target Malware; a Secure Interrupt transfers control to the Secure Interrupt Handler in the Secure Domain, which invokes the Trace Subsystem and the Debug Subsystem; the Debug Subsystem talks to a Remote Debugging Client through a Secure Port; ERET returns control to the Non-secure Domain]

SLIDE 27

Hardware Traps

Non-secure Domain:

    ……
    MRS X0, PMCR_EL0
    MOV X1, #1
    AND X0, X0, X1
    ……

SLIDE 28

Hardware Traps

Non-secure Domain:

    ……
    MRS X0, PMCR_EL0
    MOV X1, #1
    AND X0, X0, X1
    ……

Secure Domain (MDCR_EL3.TPM = 1), entered when the MRS traps:

    Analyzing the instruction

SLIDE 29

Hardware Traps

Non-secure Domain:

    ……
    MRS X0, PMCR_EL0
    MOV X1, #1
    AND X0, X0, X1
    ……

Secure Domain (MDCR_EL3.TPM = 1), entered when the MRS traps:

    Analyzing the instruction
    MOV X0, #0x41013000

SLIDE 30

Hardware Traps

Non-secure Domain:

    ……
    MRS X0, PMCR_EL0
    MOV X1, #1
    AND X0, X0, X1
    ……

Secure Domain (MDCR_EL3.TPM = 1), entered when the MRS traps:

    Analyzing the instruction
    MOV X0, #0x41013000
    Modifying saved ELR_EL3

SLIDE 31

Hardware Traps

Non-secure Domain:

    ……
    MRS X0, PMCR_EL0
    MOV X1, #1
    AND X0, X0, X1
    ……

Secure Domain (MDCR_EL3.TPM = 1), entered when the MRS traps:

    Analyzing the instruction
    MOV X0, #0x41013000
    Modifying saved ELR_EL3
    ERET
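The trap-and-emulate step of the Hardware Traps slides, as an added example that is not part of the original deck or of the Ninja code base: a host-testable C sketch of the EL3 handler logic that decodes the syndrome of a trapped MRS, substitutes the PMCR_EL0 value used on the slides (0x41013000) into the saved destination register, and advances the saved ELR_EL3 so that ERET resumes at the instruction after the MRS. The el3_context layout and the encode_mrs_esr helper are assumptions of this example; the ESR_EL3 ISS layout for EC 0x18 follows the ARMv8 architecture reference.

```c
#include <stdbool.h>
#include <stdint.h>
/* Constructed example, not Ninja's code: an EL3 handler emulating a trapped
 * MRS Xt, PMCR_EL0. With MDCR_EL3.TPM = 1 the non-secure MRS traps to EL3 with
 * ESR_EL3.EC = 0x18; the handler decodes the ISS, writes a substitute value into
 * the saved Xt and bumps the saved ELR_EL3 by 4 so ERET resumes after the MRS.
 * The saved-context layout below is an assumption of this example. */
#define ESR_EC_SHIFT       26
#define ESR_EC_SYSREG_TRAP 0x18u  /* trapped MSR, MRS or System instruction */
#define ISS_DIRECTION_READ 1u     /* ISS bit 0: 1 = MRS (read), 0 = MSR (write) */
/* PMCR_EL0 system-register encoding: op0=3, op1=3, CRn=9, CRm=12, op2=0 */
#define PMCR_OP0 3u
#define PMCR_OP1 3u
#define PMCR_CRN 9u
#define PMCR_CRM 12u
#define PMCR_OP2 0u
#define FAKE_PMCR_EL0 0x41013000u /* value shown to the non-secure world (from the slides) */
struct el3_context {              /* hypothetical frame saved by the EL3 entry stub */
    uint64_t x[31];               /* X0..X30 */
    uint64_t elr_el3;             /* return address consumed by ERET */
    uint64_t esr_el3;             /* exception syndrome */
};
/* Returns true if the trap was an MRS of PMCR_EL0 and has been emulated. */
bool emulate_pmcr_read(struct el3_context *ctx)
{
    uint64_t esr = ctx->esr_el3;
    if (((esr >> ESR_EC_SHIFT) & 0x3fu) != ESR_EC_SYSREG_TRAP)
        return false;
    uint32_t iss = (uint32_t)(esr & 0x1ffffffu);  /* ISS = ESR[24:0] */
    unsigned op0 = (iss >> 20) & 3u, op2 = (iss >> 17) & 7u, op1 = (iss >> 14) & 7u;
    unsigned crn = (iss >> 10) & 15u, rt = (iss >> 5) & 31u, crm = (iss >> 1) & 15u;
    if (!(iss & ISS_DIRECTION_READ))
        return false;                             /* MSR write: not emulated here */
    if (op0 != PMCR_OP0 || op1 != PMCR_OP1 || crn != PMCR_CRN ||
        crm != PMCR_CRM || op2 != PMCR_OP2)
        return false;                             /* some other trapped register */
    if (rt != 31)                                 /* Rt = 31 is XZR: result discarded */
        ctx->x[rt] = FAKE_PMCR_EL0;
    ctx->elr_el3 += 4;                            /* skip the 4-byte MRS before ERET */
    return true;
}
/* Builds ESR_EL3 for a trapped MRS Xt of the given encoding (IL=1: 32-bit instruction). */
uint64_t encode_mrs_esr(unsigned op0, unsigned op1, unsigned crn, unsigned crm,
                        unsigned op2, unsigned rt)
{
    uint32_t iss = (op0 << 20) | (op2 << 17) | (op1 << 14) | (crn << 10) |
                   (rt << 5) | (crm << 1) | ISS_DIRECTION_READ;
    return ((uint64_t)ESR_EC_SYSREG_TRAP << ESR_EC_SHIFT) | (1ull << 25) | iss;
}
```

A real handler would also need to cover MSR writes and the other PMU registers trapped by TPM, since any untrapped or unemulated register would be a footprint the analyzed code could observe.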

SLIDE 32

Outline

  • Introduction
  • Background
  • System Overview
  • Evaluation
  • Conclusion

SLIDE 33

Evaluation - Transparency

  • Environment:
  • Analyzer:

SLIDE 34

Evaluation - Transparency

  • Environment:

      ✓ Isolated

  • Analyzer:

SLIDE 35

Evaluation - Transparency

  • Environment:

      ✓ Isolated
      ✓ Exists on OTS platforms

  • Analyzer:

SLIDE 36

Evaluation - Transparency

  • Environment:

      ✓ Isolated
      ✓ Exists on OTS platforms

  • Analyzer:

      ✓ No detectable footprints?

SLIDE 37

Evaluation - Transparency

  • Environment:

      ✓ Isolated
      ✓ Exists on OTS platforms

  • Analyzer:

      ✓ No detectable footprints?

We believe that the hardware-based approach provides better transparency. To build a fully transparent system, we may need additional hardware support.

SLIDE 38

Evaluation – Performance of the TS

  • Testbed Specification
      • ARM Juno v1 development board
      • A dual-core 800 MHz Cortex-A57 cluster and a quad-core 700 MHz Cortex-A53 cluster
      • ARM Trusted Firmware (ATF) v1.1 and Android 5.1.1

SLIDE 39

Evaluation – Performance of the TS

                            Mean        STD          #Slowdown
    Base: Tracing Disabled  2.133 s     0.69 ms
    Instruction Tracing     2.135 s     2.79 ms      1x
    System call Tracing     2.134 s     5.13 ms      1x
    Android API Tracing     149.372 s   1287.88 ms   70x

  • Workload: calculating one million digits of π
  • GNU Multiple Precision Arithmetic Library

SLIDE 40

Evaluation – Performance of the TS

  • Performance scores evaluated by CF-Bench

                             Native Scores        Java Scores          Overall Scores
                             Mean    #Slowdown    Mean    #Slowdown    Mean    #Slowdown
    Basic: Tracing Disabled  25380                18758                21407
    Instruction Tracing      25364   1x           18673   1x           21349   1x
    System call Tracing      25360   1x           18664   1x           21342   1x
    Android API Tracing      6452    4x           122     154x         2654    8x

SLIDE 41

Evaluation – Domain Switching Time

  • Time consumption of domain switching (in µs)
  • 34x-1674x faster than MalT (11.72 µs)

    ATF Enabled   Ninja Enabled   Mean    STD     95% CI
    ✖             ✖               0.007   0.000   [0.007, 0.007]
    ✔             ✖               0.202   0.013   [0.197, 0.207]
    ✔             ✔               0.342   0.021   [0.334, 0.349]

SLIDE 42

Outline

  • Introduction
  • Background
  • System Overview
  • Evaluation
  • Conclusion

SLIDE 43

Conclusion

  • Ninja: A malware analysis framework on ARM.
  • A debug subsystem and a trace subsystem
  • Using TrustZone, PMU, and ETM to improve transparency
  • The hardware-assisted trace subsystem is immune to timing attacks.

SLIDE 44

Thank you! Email: zhenyu.ning@wayne.edu Questions?
