using hardware features for increased debugging
play

Using Hardware Features for Increased Debugging Transparency - PowerPoint PPT Presentation

Jan 30, 2024 •170 likes •451 views

Using Hardware Features for Increased Debugging Transparency Fengwei Zhang, Kevin Leach, Angelos Stavrou, Haining Wang, and Kun Sun. In S&P'15. Fengwei Zhang Wayne State University CSC 6991 Topics in Computer Security 1 Overview

  1. Using Hardware Features for Increased Debugging Transparency Fengwei Zhang, Kevin Leach, Angelos Stavrou, Haining Wang, and Kun Sun. In S&P'15. Fengwei Zhang Wayne State University CSC 6991 Topics in Computer Security 1

  2. Overview • MoOvaOon • Background: System Management Mode (SMM) • System Architecture • EvaluaOon: Transparency and Performance • Conclusions and Future DirecOons Wayne State University CSC 6991 Topics in Computer Security 2

  3. Overview • MoOvaOon • Background: System Management Mode (SMM) • System Architecture • EvaluaOon: Transparency and Performance • Conclusions and Future DirecOons Wayne State University CSC 6991 Topics in Computer Security 3

  4. MoOvaOon • Malware aXacks staOsOcs – Symantec blocked an average of 247,000 aXacks per day [1] – McAfee (Intel Security) reported 8,000,000 new malware samples in the first quarter in 2014 [2] – Kaspersky reported malware threats have grown 34% with over 200,000 new threats per day last year [3] • Computer systems have vulnerable applicaOons that could be exploited by aXackers. Wayne State University CSC 6991 Topics in Computer Security 4

  5. TradiOonal Malware Analysis Virtual Machine Hypervisor (VMM) Hardware • Using virtualizaOon technology to create an isolated execuOon environment for malware debugging • Running malware inside a VM • Running analysis tools outside a VM Wayne State University CSC 6991 Topics in Computer Security 5

  6. TradiOonal Malware Analysis Malware Virtual Machine Hypervisor (VMM) Hardware • Using virtualizaOon technology to create an isolated execuOon environment for malware debugging • Running malware inside a VM • Running analysis tools outside a VM Wayne State University CSC 6991 Topics in Computer Security 6

  7. TradiOonal Malware Analysis Analysis Malware Tool Virtual Machine Hypervisor (VMM) Hardware • Using virtualizaOon technology to create an isolated execuOon environment for malware debugging • Running malware inside a VM • Running analysis tools outside a VM Wayne State University CSC 6991 Topics in Computer Security 7

  8. TradiOonal Malware Analysis Analysis Malware Tool Virtual Machine Hypervisor (VMM) Hardware LimitaOons: • Depending on hypervisors that have a large TCB (e.g., Xen has 500K SLOC and 245 vulnerabiliOes in NVD) ︎ • Incapable of analyzing rootkits with the same or higher privilege level (e.g., hypervisor and firmware rootkits) ︎ • Unable to analyze armored malware with anO- virtualizaOon or anO-emulaOon techniques Wayne State University CSC 6991 Topics in Computer Security 8

  9. Our Approach Analysis Malware Tool Virtual Machine Hypervisor (VMM) Hardware We present a bare-metal debugging system called MalT that leverages System Management Mode for malware analysis ︎ • Uses System Management Mode as a hardware isolated execuOon environment to run analysis tools and can debug hypervisors ︎ • Moves analysis tools from hypervisor-layer to hardware-layer that achieves a high level of transparency Wayne State University CSC 6991 Topics in Computer Security 9

  10. Overview • MoOvaOon • Background: System Management Mode (SMM) • System Architecture • EvaluaOon: Transparency and Performance • Conclusions and Future DirecOons Wayne State University CSC 6991 Topics in Computer Security 10

  11. Background: System Management Mode System Management Mode (SMM) is special CPU mode exisOng in x86 architecture, and it can be used as a hardware isolated execuOon environment. • Originally designed for implemenOng system funcOons (e.g., power management) • Isolated System Management RAM (SMRAM) that is inaccessible from OS • Only way to enter SMM is to trigger a System Management Interrupt (SMI) • ExecuOng RSM instrucOon to resume OS (Protected Mode) Wayne State University CSC 6991 Topics in Computer Security 11

  12. Background: System Management Mode Approaches for Triggering a System Management Interrupt (SMI) • Soiware-based: Write to an I/O port specified by Southbridge datasheet (e.g., 0x2B for Intel) • Hardware-based: Network card, keyboard, hardware Omers Protected Mode System Management Mode Highest privilege Trigger SMI SMM entry Software SMI or Isolated SMRAM SMM exit Handler Hardware RSM Interrupts disabled Normal OS Isolated Execution Environment Wayne State University CSC 6991 Topics in Computer Security 12

  13. Background: Soiware Layers Application Operating System Hypervisor (VMM) Firmware (BIOS) SMM Hardware Wayne State University CSC 6991 Topics in Computer Security 13

  14. Background: Hardware Layout Memory slots Keyboard Mouse Super I/O BIOS Memory bus Serial port LPC bus IDE SATA Northbridge Front-side bus Internal bus Southbridge Audio CPU (memory controller hub) (I/O controller hub) USB MMU and IOMMU CMOS PCIe bus PCI bus Graphic card slot PCI slots Wayne State University CSC 6991 Topics in Computer Security 14

  15. Overview • MoOvaOon • Background: System Management Mode (SMM) • System Architecture • EvaluaOon: Transparency and Performance • Conclusions and Future DirecOons Wayne State University CSC 6991 Topics in Computer Security 15

  16. System Architecture • TradiOonally malware debugging uses virtualizaOon or emulaOon ︎ • MalT debugs malware on a bare-metal machine, and remains transparent in the presence of exisOng anO- debugging, anO-VM, and anO-emulaOon techniques. Debugging Client Debugging Server 1) Trigger SMI SMI handler Inspect 2) Debug command Breakpoint application GDB-like Debugged Debugger application 3) Response message Wayne State University CSC 6991 Topics in Computer Security 16

  17. Step-by-step Debugging in MalT • Debugging program instrucOon-by-instrucOon ︎ • Using performance counters to trigger an SMI for each instrucOon Protected Mode System Management Mode CPU control flow SMM entry inst 1 SMI Handler Trigger SMI inst 2 SMM exit RSM inst 3 EIP Trigger SMI ... SMM entry SMI Handler inst n SMM exit RSM Wayne State University CSC 6991 Topics in Computer Security 17

  18. Overview • MoOvaOon • Background: System Management Mode (SMM) • System Architecture • EvaluaOon: Transparency and Performance • Conclusions and Future DirecOons Wayne State University CSC 6991 Topics in Computer Security 18

  19. EvaluaOon: Transparency Analysis • Two subjects: 1) running environment and 2) debugger itself ︎ – Running environments of a debugger ︎ • SMM v.s. virtualizaOon/emulaOon ︎ – Side effects introduced by a debugger itself ︎ • CPU, cache, memory, I/O, BIOS, and Oming • Towards true transparency ︎ – MalT is not fully transparent (e.g., external Oming aXack) but increased ︎ – Draw aXenOon to hardware-based approach for addressing debugging transparency Wayne State University CSC 6991 Topics in Computer Security 19

  20. EvaluaOon: Performance Analysis • Testbed SpecificaOon ︎ – Motherboard: ASUS M2V-MX SE ︎ – CPU: 2.2 GHz AMD LE-1250 ︎ – Chipsets: AMD K8 Northbridge + VIA VT8237r Southbridge ︎ – BIOS: Coreboot + SeaBIOS Table: SMM Switching and Resume (Time: µ s ) Operations Mean STD 95% CI SMM switching 3.29 0.08 [3.27,3.32] SMM resume 4.58 0.10 [4.55,4.61] Total 7.87 Wayne State University CSC 6991 Topics in Computer Security 20

  21. EvaluaOon: Performance Analysis Table: Stepping Overhead on Windows and Linux (Unit: Times of Slowdown) Stepping Methods Windows Linux π π Far control transfer 2 2 Near return 30 26 Taken branch 565 192 Instruction 973 349 Wayne State University CSC 6991 Topics in Computer Security 21

  22. Overview • MoOvaOon • Background: System Management Mode (SMM) • System Architecture • EvaluaOon: Transparency and Performance • Conclusions and Future DirecOons Wayne State University CSC 6991 Topics in Computer Security 22

  23. Conclusions and Future Work • We developed MalT, a bare-matal debugging system that employs SMM to analyze malware – Hardware-assisted system; does not use virtualizaOon or emulaOon technology ︎ – Providing a more transparent execuOon environment ︎ – Though tesOng exisOng anO-debugging, anO-VM, and anO-emulaOon techniques, MalT remains transparent • Future work Remote Debugger (“client”) Debugging Target (“server”) IDAPro Debug command Tool Debugged GDB SMI application Server Handler GDB Response message Client SMM PM Generic Interaface Wayne State University CSC 6991 Topics in Computer Security 23

  24. References [1] Symantec, “Internet Security Threat Report, Vol. 19 Main Report,” http: //www.symantec.com/content/en/us/enterprise/other resources/b-istr main report v19 21291018.en-us.pdf, 2014. [2] McAfee, “Threats Report: First Quarter 2014,” http://www.mcafee.com/us/resources/reports/rp-quarterly-threat-q1-2014-summary.pdf. [3] Kaspersky Lab, “Kaspersky Security Bulletin 2013,” http://media.kaspersky.com/pdf/KSB 2013 EN.pdf. Wayne State University CSC 6991 Topics in Computer Security 24

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Using Hardware Features for Increased Debugging Transparency

Using Hardware Features for Increased Debugging Transparency

Using Hardware Features for Increased Debugging Transparency Fengwei Zhang, Kevin Leach, Angelos Stavrou, Haining Wang, and Kun Sun. In S&P'15.

772 views • 28 slides
Language-specific debugging Most languages include some features/support for debugging, good

Language-specific debugging Most languages include some features/support for debugging, good

Language-specific debugging Most languages include some features/support for debugging, good idea to know what they are Special variables with key information Special functions/libraries that can be used Special options that can be

422 views • 7 slides
Understanding the Security of ARM Debugging Features Zhenyu Ning and Fengwei Zhang COMPASS Lab

Understanding the Security of ARM Debugging Features Zhenyu Ning and Fengwei Zhang COMPASS Lab

Understanding the Security of ARM Debugging Features Zhenyu Ning and Fengwei Zhang COMPASS Lab Wayne State University May 21, 2019 Understanding the Security of ARM Debugging Features, S&P 19 1 Outline Introduction Obstacles in

1.03k views • 63 slides
Understanding the Security of ARM Debugging Features Zhenyu Ning and Fengwei Zhang COMPASS Lab

Understanding the Security of ARM Debugging Features Zhenyu Ning and Fengwei Zhang COMPASS Lab

Understanding the Security of ARM Debugging Features Zhenyu Ning and Fengwei Zhang COMPASS Lab Wayne State University May 21, 2019 Understanding the Security of ARM Debugging Features, S&P 19 1 Outline Introduction Obstacles for

679 views • 65 slides
Hardware Debugging CSE/ISE 311: Systems Administra5on How to

Hardware Debugging CSE/ISE 311: Systems Administra5on How to

CSE/ISE 311: Systems Administra5on Hardware Debugging CSE/ISE 311: Systems Administra5on How to troubleshoot a hardware failure Later lectures will deal with

512 views • 47 slides
Lecture 13: Things of Interest G63.2011.002/G22.2945.001 November 30, 2010 Debugging

Lecture 13: Things of Interest G63.2011.002/G22.2945.001 November 30, 2010 Debugging

Lecture 13: Things of Interest G63.2011.002/G22.2945.001 November 30, 2010 Debugging Instrumentation Profiling and Hardware Outline Debugging Instrumentation Profiling and Hardware Debugging Instrumentation Profiling and Hardware Today

826 views • 55 slides
3D compact profiler Table top instrument with fixed configuration Key hardware features Compact

3D compact profiler Table top instrument with fixed configuration Key hardware features Compact

3D compact profiler Table top instrument with fixed configuration Key hardware features Compact design All integrated: Sensor head, Controller and Support Stand New developments Key hardware features B&W camera 1360x1024 One LED

350 views • 10 slides
On-hardware debugging of IP cores with free tools Anton Kuzmin 2020-02-02 1 / 12 Intro Why

On-hardware debugging of IP cores with free tools Anton Kuzmin 2020-02-02 1 / 12 Intro Why

Intro Why FPGA (and what the FPGA is all about) Software approach simulation first Going to the hardware Whats next Contact info On-hardware debugging of IP cores with free tools Anton Kuzmin 2020-02-02 1 / 12 Intro Why FPGA (and

770 views • 12 slides
Debugging Debugging with High Level Languages Same goals as low-level debugging Examine and

Debugging Debugging with High Level Languages Same goals as low-level debugging Examine and

Chapter 15 Debugging Debugging with High Level Languages Same goals as low-level debugging Examine and set values in memory Execute portions of program Stop execution when (and where) desired Want debugging tools to operate on

274 views • 9 slides
Hardware-Software Interface Memory addressing, C language, pointers Assertions, debugging

Hardware-Software Interface Memory addressing, C language, pointers Assertions, debugging

CS 240 Stage 2 Hardware-Software Interface Memory addressing, C language, pointers Assertions, debugging Machine code, assembly language, program translation Control flow Procedures, stacks Data layout, security, linking and loading Program,

822 views • 29 slides
Hardware-Software Interface Memory addressing, C language, pointers Assertions, debugging

Hardware-Software Interface Memory addressing, C language, pointers Assertions, debugging

CS 240 Stage 2 Hardware-Software Interface Memory addressing, C language, pointers Assertions, debugging Machine code, assembly language, program translation Control flow Procedures, stacks Data layout, security, linking and loading Program,

415 views • 30 slides
Debugging Debugging Tools Module Overview Introduction to Debugging Problems in Production

Debugging Debugging Tools Module Overview Introduction to Debugging Problems in Production

Welcome to Advanced .NET Debugging Debugging Tools Module Overview Introduction to Debugging Problems in Production Challenges in debugging Production issues Production Environment Debugging Timeline Tools for .NET Debugging Review 3

622 views • 47 slides
Hardware Debugging Problems: Machine wont power on No

Hardware Debugging Problems: Machine wont power on No

3/4/14 CSE/ISE 311: Systems Administra5on CSE/ISE 311: Systems Administra5on How to troubleshoot a hardware failure Later lectures will deal with so7ware

482 views • 8 slides
Story Applications Hardware Software Key features Roadmap Summary Story Story Applications

Story Applications Hardware Software Key features Roadmap Summary Story Story Applications

Story Applications Hardware Software Key features Roadmap Summary Story Story Applications Hardware Software Key features Roadmap Summary A low-cost modular Ethernet test solution designed from the bottom

446 views • 31 slides
Story Applications Hardware Software Key features Roadmap Summary Story Story Applications

Story Applications Hardware Software Key features Roadmap Summary Story Story Applications

Story Applications Hardware Software Key features Roadmap Summary Story Story Applications Hardware Software Key features Roadmap Summary Todays enterprise-grade firewalls have highly advanced function

489 views • 29 slides
Story Applications Hardware Software Key features Roadmap Summary Story Story Applications

Story Applications Hardware Software Key features Roadmap Summary Story Story Applications

Story Applications Hardware Software Key features Roadmap Summary Story Story Applications Hardware Software Key features Roadmap Summary Vulcan generates stateful Ethernet traffic to analyze how firewalls,

578 views • 37 slides
MALT: Distributed Data Parallelism for Existing ML Applications Hao Li*, Asim Kadav, Erik Kruus,

MALT: Distributed Data Parallelism for Existing ML Applications Hao Li*, Asim Kadav, Erik Kruus,

MALT: Distributed Data Parallelism for Existing ML Applications Hao Li*, Asim Kadav, Erik Kruus, Cristian Ungureanu * University of Maryland-College Park NEC Laboratories, Princeton Data, data everywhere User-generated Software Hardware

439 views • 42 slides
Session Objectives 1) Describe the purpose and key aspects of incorporating standards of

Session Objectives 1) Describe the purpose and key aspects of incorporating standards of

3/15/2017 Sherri Jones, MS, MBA, RDN, LDN, FAND Improvement Specialist UPMC Shadyside Session Objectives 1) Describe the purpose and key aspects of incorporating standards of excellence into practice 2) Utilize the Academys Standards of

268 views • 14 slides
Nutritional Considerations: Nutrient Content & Variety Living (Well!) with Gastroparesis

Nutritional Considerations: Nutrient Content & Variety Living (Well!) with Gastroparesis

Nutritional Considerations: Nutrient Content & Variety Living (Well!) with Gastroparesis Program Class 7 Nutritional Considerations in the GP-friendly Diet Nutrient Content Variety Balance (class 8) Quality (class 8) Things

354 views • 10 slides
Annual Business Meeting 2016-2017 Executive Summary 2017 Annual Conference Board Meeting,

Annual Business Meeting 2016-2017 Executive Summary 2017 Annual Conference Board Meeting,

Annual Business Meeting 2016-2017 Executive Summary 2017 Annual Conference Board Meeting, Retreat, Dinner Strategic Plan National Nutrition Month PR/Media/Communications House of Delegates Executive Summary cont. List

263 views • 15 slides
MALT : MALloc Tracker A memory profiling tool 3/02/2019 MALT, Sbastien Valat 1 Questions

MALT : MALloc Tracker A memory profiling tool 3/02/2019 MALT, Sbastien Valat 1 Questions

MALT : MALloc Tracker A memory profiling tool 3/02/2019 MALT, Sbastien Valat 1 Questions We have good profiling tool for timings (eg. Valgrind or vtune) But for what memory profiling ? Memory can be an issue : Availability of

762 views • 40 slides
MALT & NUMAPROF , Memory Profiling for HPC Applications SBASTIEN VALAT FOSDEM 2019

MALT & NUMAPROF , Memory Profiling for HPC Applications SBASTIEN VALAT FOSDEM 2019

1 MALT & NUMAPROF , Memory Profiling for HPC Applications SBASTIEN VALAT FOSDEM 2019 TRACK HPC Origin of the tools 2 PhD. on memory management for HPC (at CEA/UVSQ) MALT , post-doc at Versailles : NUMAPROF , side

532 views • 16 slides
Ensemble Models for Dependency Parsing: Cheap and Good? Mihai Surdeanu and Christopher D. Manning

Ensemble Models for Dependency Parsing: Cheap and Good? Mihai Surdeanu and Christopher D. Manning

Ensemble Models for Dependency Parsing: Cheap and Good? Mihai Surdeanu and Christopher D. Manning Stanford University June 3, 2010 Ensemble Parsing Parser 2 Parser 1 Parser 3 Ensemble Parser Parser 4

195 views • 18 slides
Transparent System Introspection in Support of Analyzing Stealthy Malware Kevin Leach PhD

Transparent System Introspection in Support of Analyzing Stealthy Malware Kevin Leach PhD

Transparent System Introspection in Support of Analyzing Stealthy Malware Kevin Leach PhD Dissertation kjl2y@virginia.edu November 30, 2016 Analogy: Volkswagen Scandal Volkswagen cheated on emissions test (over 10x EPA requirements) 2

1.56k views • 78 slides

More recommend