Using Hardware Features for Increased Debugging Transparency [1]
Author: Fengwei Zhang (Wayne State University)
With the rapid proliferation of malware attacks on the Internet, understanding these malicious behaviors plays a critical role in crafting effective defenses. Advanced malware analysis relies on virtualization or emulation technology to run samples in a confined environment, and to analyze malicious activities by instrumenting code execution. However, virtual machines and emulators inevitably create artifacts in the execution environment, making these approaches vulnerable to detection or subversion [2].
To avoid detection by malware, we develop MalT, a novel approach that progresses towards stealthy debugging by leveraging System Management Mode (SMM) [3] to transparently debug software on bare metal. MalT is the first implemented system that uses SMM to address the debugging transparency problem. Our system is motivated by the intuition that malware debugging needs to be transparent, and it should not leave artifacts introduced by the debugging functions.
SMM is a special-purpose CPU mode in all x86 platforms. The main benefit of SMM is to provide a distinct and easily isolated processor environment that is transparent to the OS or running applications. With the help of SMM, we are able to achieve a high level of transparency, which enables a strong threat model for malware debugging. We briefly describe its basic workflow as follows.
We run malware on one physical target machine and employ SMM to communicate with the debugging client on another physical machine. While SMM executes, Protected Mode is essentially paused. The OS and hypervisor, therefore, are unaware of code executing in SMM. Because we run debugging code in SMM, we expose far fewer artifacts to the malware, enabling a more transparent execution environment for the debugging code than existing approaches. The debugging client communicates with the target server using a GDB-like protocol with serial messages.
We implement the basic debugging commands (e.g., breakpoints and memory/register examination) in the current prototype of MalT. Furthermore, we implement four techniques to provide step-by-step debugging: (1) instruction-level, (2) branch-level, (3) far-control-transfer-level, and (4) near-return-transfer-level stepping. We also design a user-friendly interface for MalT to easily work with several popular debugging clients, such as IDA Pro and GDB.
MalT runs the debugging code in SMM without using a hypervisor. Thus, it has a smaller Trusted Code Base (TCB) than hypervisor-based debugging systems, which significantly reduces the attack surface of MalT. Moreover, MalT is OS-agnostic and immune to hypervisor attacks (e.g., VM-escape attacks). Compared to existing bare-metal malware analysis, SMM has the same privilege level as hardware. Thus, MalT is capable of debugging and analyzing kernel and hypervisor rootkits as well. We develop a prototype of MalT on two physical machines connected by a serial cable.
To demonstrate the efficiency and transparency of our approach, we test MalT against popular packing, anti-debugging, anti-virtualization, and anti-emulation techniques. The experimental results show that MalT remains transparent against these techniques. Additionally, our experiments demonstrate that MalT is able to debug crashed kernels/hypervisors. MalT introduces a reasonable overhead: it takes about 12 microseconds on average to execute the debugging code without command communication. Moreover, we use popular benchmarks to measure the performance overhead for the four types of step-by-step execution on Windows and Linux platforms. The overhead ranges from a 2× to a 973× slowdown on the target system, depending on the user's selected instrumentation method.
References
[1] Fengwei Zhang, Kevin Leach, Angelos Stavrou, Haining Wang, and Kun Sun, "Using Hardware Features for Increased Debugging Transparency," in Proceedings of the IEEE Symposium on Security and Privacy (S&P), 2015.
[2] R. R. Branco, G. N. Barbosa, and P. D. Neto, “Scientific but Not Academical Overview of Malware Anti-Debugging, Anti-Disassembly and Anti-VM Technologies,” in Black Hat, 2012.
[3] Intel, "Intel 64 and IA-32 Architectures Software Developer's Manual." [Online]. Available: http://www.intel.com/content/www/us/en/processors/architectures-software-developer-manuals.html
About the Author
Fengwei Zhang is an assistant professor in the Department of Computer Science at Wayne State University. He earned his Ph.D. in Computer Science from George Mason University in April 2015. Before that, he received his M.S. degree in Computer Science from Columbia University in 2010. He also received dual B.S. degrees in Computer Science from North China University of Technology and Southern Polytechnic State University in 2008. His primary research interests are in the areas of systems security, with a focus on trustworthy execution, memory introspection, mobile security, plausibly deniable encryption, and transparent malware analysis. Currently, he is looking for graduate students to work with him on exciting projects in systems security. If you are interested, please drop him an email.