Using Hardware Features for Increased Debugging Transparency (PowerPoint presentation)


SLIDE 1

Using Hardware Features for Increased Debugging Transparency

Fengwei Zhang, Kevin Leach, Angelos Stavrou, Haining Wang, and Kun Sun. In S&P'15.

Fengwei Zhang

Wayne State University, CSC 6991 Topics in Computer Security

SLIDE 2

Overview

  • Motivation
  • Background: System Management Mode (SMM)
  • System Architecture
  • Evaluation: Transparency and Performance
  • Conclusions and Future Directions

SLIDE 3

Overview (agenda slide repeated from slide 2; next section: Motivation)

SLIDE 4

Motivation

  • Malware attack statistics
    – Symantec blocked an average of 247,000 attacks per day [1]
    – McAfee (Intel Security) reported 8,000,000 new malware samples in the first quarter of 2014 [2]
    – Kaspersky reported that malware threats have grown 34%, with over 200,000 new threats per day last year [3]
  • Computer systems have vulnerable applications that could be exploited by attackers.

SLIDE 5 to SLIDE 7 (three incremental builds of one slide)

Traditional Malware Analysis

  • Using virtualization technology to create an isolated execution environment for malware debugging
  • Running malware inside a VM
  • Running analysis tools outside a VM

[Figure: layered diagram, bottom to top: Hardware, Hypervisor (VMM), Virtual Machine. Slide 6 adds Malware inside the Virtual Machine; slide 7 adds the Analysis Tool outside the VM, at the hypervisor layer.]

SLIDE 8

Traditional Malware Analysis

Limitations:

  • Depends on hypervisors that have a large TCB (e.g., Xen has 500K SLOC and 245 vulnerabilities in NVD)
  • Incapable of analyzing rootkits with the same or higher privilege level (e.g., hypervisor and firmware rootkits)
  • Unable to analyze armored malware with anti-virtualization or anti-emulation techniques

[Figure: the same layered diagram (Hardware, Hypervisor (VMM), Virtual Machine) with the Analysis Tool at the hypervisor layer and Malware inside the VM.]

SLIDE 9

Our Approach

We present a bare-metal debugging system called MalT that leverages System Management Mode for malware analysis.

  • Uses System Management Mode as a hardware-isolated execution environment to run analysis tools, and can debug hypervisors
  • Moves analysis tools from the hypervisor layer to the hardware layer, which achieves a high level of transparency

[Figure: layered diagram (Hardware, Hypervisor (VMM), Virtual Machine) with the Analysis Tool moved down to the hardware layer and Malware above it.]

SLIDE 10

Overview (agenda slide repeated from slide 2; next section: Background: System Management Mode)

SLIDE 11

Background: System Management Mode

System Management Mode (SMM) is a special CPU mode in the x86 architecture, and it can be used as a hardware-isolated execution environment.

  • Originally designed for implementing system functions (e.g., power management)
  • Isolated System Management RAM (SMRAM) that is inaccessible from the OS
  • The only way to enter SMM is to trigger a System Management Interrupt (SMI)
  • Executing the RSM instruction resumes the OS (Protected Mode)

SLIDE 12

Background: System Management Mode

Approaches for triggering a System Management Interrupt (SMI)

  • Software-based: write to an I/O port specified by the Southbridge datasheet (e.g., the APM control port 0xB2 on Intel chipsets)
  • Hardware-based: network card, keyboard, hardware timers

[Figure: Protected Mode (normal OS) on the left; System Management Mode (isolated execution environment: SMI handler in isolated SMRAM, highest privilege, interrupts disabled) on the right. SMM entry: a software or hardware trigger raises an SMI. SMM exit: RSM.]

SLIDE 13

Background: Software Layers

[Figure: software layers, top to bottom: Application, Operating System, Hypervisor (VMM), Firmware (BIOS), SMM, Hardware.]

SLIDE 14

Background: Hardware Layout

[Figure: typical PC hardware layout. The CPU connects over the front-side bus to the Northbridge (memory controller hub, containing the MMU and IOMMU), which serves the graphics card slot over the PCIe bus and the memory slots over the memory bus. An internal bus links the Northbridge to the Southbridge (I/O controller hub), which serves the PCI bus and PCI slots, the BIOS and Super I/O over the LPC bus, and the keyboard, mouse, serial port, IDE, SATA, audio, USB and CMOS.]

SLIDE 15

Overview (agenda slide repeated from slide 2; next section: System Architecture)

SLIDE 16

System Architecture

  • Traditionally, malware debugging uses virtualization or emulation
  • MalT debugs malware on a bare-metal machine and remains transparent in the presence of existing anti-debugging, anti-VM, and anti-emulation techniques.

[Figure: a Debugging Client (GDB-like debugger) talks to a Debugging Server (the SMI handler on the target, which inspects the debugged application and implements breakpoints). Steps: 1) trigger SMI, 2) debug command from client to server, 3) response message from server to client.]

SLIDE 17

Step-by-step Debugging in MalT

  • Debugging a program instruction-by-instruction
  • Using performance counters to trigger an SMI for each instruction

[Figure: CPU control flow alternating between Protected Mode and System Management Mode. For each instruction inst1, inst2, inst3, ..., instn at EIP, a performance-counter event triggers an SMI (SMM entry), the SMI handler runs, and RSM returns to Protected Mode (SMM exit) before the next instruction.]
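The stepping mechanism of slides 12 and 17, as an added example in C that is not code from the MalT paper or its authors. It computes the performance-counter and LAPIC register values an SMI handler would program so that each counted event overflows the counter and delivers the resulting interrupt as an SMI, and it simulates the sequence of SMIs over a constructed instruction trace for the four stepping granularities of slide 21. The register bit layouts (AMD PerfEvtSel/PerfCtr MSRs, the LAPIC LVT Performance Counter entry, a 48-bit counter), the AMD event codes, the trace, the addresses and the function names are assumptions. Nothing here executes WRMSR, OUT or RSM: the real handler runs in SMRAM, this is a host-side model.

```c
/* Added example, not MalT code. Models how a performance counter routed to
 * SMI gives one SMI per counted event, and what the handler does with it. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed PerfEvtSel layout (AMD MSR 0xC001_0000..3; Intel 0x186 is similar). */
#define PERF_EVTSEL_USR (1ULL << 16) /* count at CPL > 0                     */
#define PERF_EVTSEL_OS  (1ULL << 17) /* count at CPL = 0                     */
#define PERF_EVTSEL_INT (1ULL << 20) /* signal the LAPIC on counter overflow */
#define PERF_EVTSEL_EN  (1ULL << 22) /* counter enabled                      */
#define PERF_CTR_WIDTH  48           /* assumed PerfCtr width                */
#define PERF_CTR_MASK   ((1ULL << PERF_CTR_WIDTH) - 1)

/* Slide-21 stepping granularities with their assumed AMD event codes. */
enum step_event {
    STEP_INSTRUCTION  = 0xC0, /* retired instructions          */
    STEP_TAKEN_BRANCH = 0xC4, /* retired taken branches        */
    STEP_FAR_TRANSFER = 0xC6, /* retired far control transfers */
    STEP_NEAR_RETURN  = 0xC8, /* retired near returns          */
};

/* PerfEvtSel value: chosen event, user and kernel code, overflow interrupt on. */
uint64_t perf_evtsel(enum step_event ev)
{
    return (uint64_t)ev | PERF_EVTSEL_USR | PERF_EVTSEL_OS | PERF_EVTSEL_INT | PERF_EVTSEL_EN;
}

/* LAPIC LVT Performance Counter entry (offset 0x340). Delivery mode is bits
 * 10:8 and 0b010 selects SMI, so the overflow interrupt enters SMM instead of
 * any OS or hypervisor handler. Mask bit 16 stays clear, vector is unused. */
uint32_t lvt_pmc_smi(void)
{
    return 0x2u << 8;
}

/* Arming PerfCtr at -1 (all ones) makes the very next counted event overflow
 * it: one event, one SMI. The handler rewrites this value before RSM. */
uint64_t perf_ctr_arm_next(void)
{
    return PERF_CTR_MASK;
}

/* One retired instruction of a constructed trace (not real malware). */
struct insn {
    uint32_t eip;
    unsigned taken_branch : 1, near_return : 1, far_transfer : 1;
};

static int counts_event(const struct insn *i, enum step_event ev)
{
    switch (ev) {
    case STEP_INSTRUCTION:  return 1;
    case STEP_TAKEN_BRANCH: return i->taken_branch;
    case STEP_NEAR_RETURN:  return i->near_return;
    case STEP_FAR_TRANSFER: return i->far_transfer;
    }
    return 0;
}

/* Slide-17 loop: each counted event overflows the counter, the SMI handler
 * reads the EIP saved in the SMM state area (the address execution resumes
 * at), compares it with the breakpoint, then either stops or re-arms the
 * counter and executes RSM. Returns the number of SMIs taken before the
 * breakpoint is reached, or -1 if the trace ends first. */
int step_until_breakpoint(const struct insn *trace, size_t n, enum step_event ev,
                          uint32_t bp_eip, uint32_t *hit_eip)
{
    int smis = 0;
    uint64_t ctr = perf_ctr_arm_next();
    for (size_t k = 0; k < n; k++) {
        if (!counts_event(&trace[k], ev))
            continue;                        /* not counted: runs at full speed */
        ctr = (ctr + 1) & PERF_CTR_MASK;
        if (ctr != 0)
            continue;                        /* no overflow yet (only if armed at -N) */
        smis++;                              /* overflow -> PMI delivered as SMI */
        if (k + 1 == n)
            break;                           /* trace exhausted, resume EIP unknown */
        uint32_t saved_eip = trace[k + 1].eip;
        if (saved_eip == bp_eip) {
            if (hit_eip) *hit_eip = saved_eip;
            return smis;
        }
        ctr = perf_ctr_arm_next();           /* re-arm, then RSM to protected mode */
    }
    return -1;
}

/* Slide 20: one SMM switch plus resume costs about 7.87 us on the testbed. */
double estimated_overhead_us(int smis)
{
    return smis * 7.87;
}

/* Constructed trace: call a helper, return, jump to the breakpoint target. */
const struct insn demo_trace[] = {
    {0x401000, 0, 0, 0}, {0x401003, 1, 0, 0},                      /* call (taken) */
    {0x401100, 0, 0, 0}, {0x401104, 0, 0, 0}, {0x401108, 1, 1, 0}, /* ret          */
    {0x401008, 0, 0, 0}, {0x40100c, 1, 0, 0},                      /* jmp (taken)  */
    {0x401020, 0, 0, 0}, {0x401023, 0, 0, 0},
};
const size_t demo_trace_len = sizeof demo_trace / sizeof demo_trace[0];

int main(void)
{
    static const enum step_event evs[] = {STEP_INSTRUCTION, STEP_TAKEN_BRANCH,
                                          STEP_NEAR_RETURN, STEP_FAR_TRANSFER};
    printf("PerfEvtSel(instr)=0x%llx LVT_PMC=0x%x arm=0x%llx\n",
           (unsigned long long)perf_evtsel(STEP_INSTRUCTION), lvt_pmc_smi(),
           (unsigned long long)perf_ctr_arm_next());
    for (size_t i = 0; i < 4; i++) {
        int s = step_until_breakpoint(demo_trace, demo_trace_len, evs[i], 0x401020, NULL);
        printf("event 0x%02x: %d SMIs, ~%.2f us\n", (int)evs[i], s,
               s > 0 ? estimated_overhead_us(s) : 0.0);
    }
    return 0;
}
```

Run as-is, it prints the register encodings and, for each granularity, how many SMIs the constructed trace needs before the breakpoint at 0x401020 is the resume address: seven for instruction stepping, three for taken-branch stepping, and none for near-return or far-transfer stepping, which never observe that address. That is the trade-off behind the slide-21 table: coarser events cost fewer SMM round trips (about 7.87 µs each on the slide-20 testbed) but can only stop at addresses reached immediately after such an event, so a handler that wants both speed and precision approaches the target with coarse stepping and switches to instruction stepping near it.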

SLIDE 18

Overview (agenda slide repeated from slide 2; next section: Evaluation: Transparency and Performance)

SLIDE 19

Evaluation: Transparency Analysis

  • Two subjects: 1) the running environment and 2) the debugger itself
    – Running environments of a debugger
      • SMM vs. virtualization/emulation
    – Side effects introduced by the debugger itself
      • CPU, cache, memory, I/O, BIOS, and timing
  • Towards true transparency
    – MalT is not fully transparent (e.g., an external timing attack can still detect it), but transparency is increased
    – Draws attention to hardware-based approaches for addressing debugging transparency

SLIDE 20

Evaluation: Performance Analysis

  • Testbed specification
    – Motherboard: ASUS M2V-MX SE
    – CPU: 2.2 GHz AMD LE-1250
    – Chipsets: AMD K8 Northbridge + VIA VT8237r Southbridge
    – BIOS: Coreboot + SeaBIOS

Table: SMM Switching and Resume (time in µs)

  Operation       Mean   STD    95% CI
  SMM switching   3.29   0.08   [3.27, 3.32]
  SMM resume      4.58   0.10   [4.55, 4.61]
  Total           7.87

SLIDE 21

Evaluation: Performance Analysis

Table: Stepping Overhead on Windows and Linux (unit: times of slowdown)

  Stepping method        Windows   Linux
  Far control transfer         2       2
  Near return                 30      26
  Taken branch               565     192
  Instruction                973     349

SLIDE 22

Overview (agenda slide repeated from slide 2; next section: Conclusions and Future Directions)

SLIDE 23

Conclusions and Future Work

  • We developed MalT, a bare-metal debugging system that employs SMM to analyze malware
    – Hardware-assisted system; does not use virtualization or emulation technology
    – Provides a more transparent execution environment
    – Tested against existing anti-debugging, anti-VM, and anti-emulation techniques, MalT remains transparent
  • Future work

[Figure: a generic interface between a Remote Debugger ("client") and the Debugging Target ("server"). Client side: a GDB Client or IDA Pro tool talking to a GDB Server. Server side: the SMI handler in SMM and the debugged application in Protected Mode (PM); debug commands go to the server and response messages come back.]

SLIDE 24

References

[1] Symantec, "Internet Security Threat Report, Vol. 19 Main Report," http://www.symantec.com/content/en/us/enterprise/other_resources/b-istr_main_report_v19_21291018.en-us.pdf, 2014.
[2] McAfee, "Threats Report: First Quarter 2014," http://www.mcafee.com/us/resources/reports/rp-quarterly-threat-q1-2014-summary.pdf.
[3] Kaspersky Lab, "Kaspersky Security Bulletin 2013," http://media.kaspersky.com/pdf/KSB_2013_EN.pdf.

SLIDE 25

Paper Discussion

  • Nicholas Burton
  • MALT is a System Management Mode based debugging framework used to analyze malware. It is a bare metal debugging system that allows high transparency. Bare metal debugging is used because malware often has anti-virtualization measures that change its behavior when it discovers it is in a virtual machine or emulation environment. Using SMM, MALT has ring -2 privilege and has a smaller Trusted Code Base than any debugger that depends on virtualization. MALT is an effective debugger that is generally unhindered by armored malware that has anti-VM and anti-debugging software; however, it is incapable of debugging rootkits at the ring -2 privilege level. MALT is initially triggered by a serial message arriving at the COM1 port, which has been reconfigured to send an SMI. During debugging the current EIP value is checked against the breakpoint; when they are equal, an event in the LAPIC is set to overflow to trigger the SMI. Vulnerabilities that SMM has can be used to stop MALT, being that it is SMM-based, such as attacks like cache poisoning and memory reclamation; however, these issues have been fixed by the implementation of SMRR and locking the SMRAM, respectively.

SLIDE 26

Paper Discussion

  • Jacob Bednard
  • This paper proposes and implements a new technique for transparent debugging based in System Management Mode called MaLT. The motivation for this technique is that malware can detect the presence of virtual machines and emulation and choose to remain stealthy by not unpacking its contents. MaLT shows that a debugger placed into SMM by Coreboot on boot can remain transparent to malware. In short, the core process of MaLT allows the placement of breakpoints into code that modify the O/S instruction set to call an SMI and open the MaLT environment for introspection. When the current cycle is complete for MaLT, it the next instruction in the registers to resume the previous operation. The benefit that MaLT has is that it operates in Ring -1/-2 space. That is, MaLT operates close to bare metal. The MaLT program can be accessed and used through a serial terminal, which allows a user to read memory and launch breakpoints. The only signature that MaLT may leave behind is a side-channel based timing detection method in which malware monitors 3rd party time stamps to see if there have been any breaks in processor execution.

SLIDE 27

Paper Discussion

  • Surya Mani
  • This paper talks about the deficiency of advanced malware analysis techniques using virtualization and emulation techniques to prevent malware attacks. The malware has the ability to detect the presence of the above techniques and hides itself, making the system more vulnerable. The paper discusses in detail MALT, a debugging framework using System Management Mode (SMM). The following are the advantages of using MALT techniques. It is hardware-assisted malware analysis which can do rootkit analysis and kernel debugging without using the OS. In MALT, either a serial port or a performance counter is used to trigger an SMI (System Management Interrupt), and it also uses hardware breakpoint techniques, thereby increasing transparency and reducing vulnerability. MALT executes at SMM Ring -2 level, hence it is capable of debugging user mode, kernel mode and hypervisor level rootkits. Since MALT code runs on a bare metal machine, it does not change any code in the operating system. MALT uses a reboot approach to restore a system to a clean state, hence leaving it vulnerable to malware attack during reboot.

SLIDE 28

Reminders

  • Paper reviews
  • Research topics
  • Next class: Transportation Security
  • Next week