SPIDER: Stealthy Binary Program Instrumentation and Debugging via Hardware Virtualization

Zhui Deng, Xiangyu Zhang, and Dongyan Xu
Department of Computer Science and CERIAS, Purdue University

29th ACSAC (December, 2013)


Page 2: Outline

A Seminar at Advanced Defense Lab, 2013/10/8

• Introduction
• Overview
• Design
• Implementation
• Evaluation

Page 3: Introduction

• The ability to trap the execution of a binary program at desired instructions is essential in many security scenarios.
  • malware analysis
  • attack provenance
• However, existing approaches are insufficient to support transparent, efficient, and flexible instruction-level trapping.

Page 4: Related Work

• In-Guest Approaches
  • Software Breakpoint (int 3), Hardware Breakpoint (DR0 ~ DR3)
  • Page-level mechanism
  • Dynamic Binary Instrumentation (DBI)
• Emulation Based Approaches
• Hardware Virtualization Based Approaches
• Hybrid Approaches

Page 5: Overview

• Our Goal
  • Flexibility
  • Efficiency
  • Transparency
  • Reliability

Page 6: Background about Memory Virtualization

• Old Memory Virtualization

Page 7: Intel Extended Page Table (EPT)

Page 8: Another Figure for EPT

Page 9: Overview (cont.)

Page 10: Design – Splitting Code and Data View

• Splitting Code and Data View
  • Spider splits the code and the data views of a guest physical page by mapping it to two host physical pages with mutually exclusive attributes.
  • Code view: executable, not readable, not writable.
  • Data view: not executable, readable, not writable.
• Given a split page, although the corresponding EPT entry can only map one of its views at any given time, the mappings of the two views can exist simultaneously in the iTLB (instruction TLB) and the dTLB (data TLB), respectively.

Page 11: Split View

(Figure: the guest page is translated through the Guest Page Table and the Extended Page Table. An Execute access is served through the iTLB from Physical Page 1 (Execute-Only); a Read access is served through the dTLB from Physical Page 2 (Read-Only); an access whose view the EPT entry does not currently map raises an EPT Violation.)

Physical Page 1 (Execute-Only):
int 3
mov ebp, esp
sub esp, 16

Physical Page 2 (Read-Only):
push ebp
mov ebp, esp
sub esp, 16

Page 12: Design - Handling Breakpoints

• Spider sets the hypervisor to intercept all #BP exceptions generated by the guest.
• For single-stepping, Spider uses the monitor trap flag (MTF), a flag specifically designed for single-stepping in hardware virtualization.
  • The guest will trigger a VM Exit after executing each instruction.

Page 13: Design - Monitoring Virtual-to-Physical Mapping

Page 14: Design - Handling Code Modification

• When the guest tries to write to the page, an EPT violation will be triggered and captured.

Page 15: Design - Data Watchpoint

• Spider allows setting a data watchpoint at a specific physical address.
  • by adjusting the EPT entry of the guest physical page that contains the memory address to read-only (to trap write access) or execute-only (to trap both read and write access)
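The split view of the "Splitting Code and Data View" slide, the write trap of "Handling Code Modification" and the permission check behind data watchpoints all reduce to the same thing: EPT permission bits on one entry, plus the fact that the iTLB and dTLB cache their translations separately. The C model below is an added illustration written for this transcript; it is not Spider's code and not KVM code. It assumes a 16-byte page, a single cached translation per access type standing in for the iTLB/dTLB, and a write-emulation policy (apply the guest's write to both views, keep the planted int3) that is a simplification of whatever the paper actually does.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Toy model of Spider's split view, added for this transcript (not the
   authors' code). A guest page is backed by two host pages: a code view with
   int3 patched in and a data view holding the pristine bytes. One EPT entry
   maps one view at a time, but the iTLB and dTLB each cache their own
   translation, so after one violation per access type no more VM exits
   occur. Pages are shrunk to 16 bytes for illustration. */
#define PAGE_SIZE 16
#define INT3 0xCC
enum ept_perm { EPT_R = 1, EPT_W = 2, EPT_X = 4 };
struct host_page { uint8_t bytes[PAGE_SIZE]; };

struct split_page {
    struct host_page code_view;    /* execute-only view */
    struct host_page data_view;    /* read-only view */
    bool is_bp[PAGE_SIZE];         /* offsets where Spider planted int3 */
    struct host_page *ept_map;     /* view the single EPT entry maps now */
    int ept_perm;                  /* its permission bits */
    struct host_page *itlb, *dtlb; /* cached translation per access type */
    int ept_violations;            /* VM exits taken on this page */
};

static void split_page_init(struct split_page *sp, const uint8_t *orig, int n)
{
    memset(sp, 0, sizeof *sp);
    memcpy(sp->code_view.bytes, orig, n);
    memcpy(sp->data_view.bytes, orig, n);
    sp->ept_map = &sp->data_view;  /* start with the data view mapped */
    sp->ept_perm = EPT_R;
}

static void spider_set_breakpoint(struct split_page *sp, int off)
{
    sp->is_bp[off] = true;
    sp->code_view.bytes[off] = INT3;  /* data view keeps the original byte */
}

/* Fetch: an iTLB miss walks the EPT; without X the fetch exits, the
   hypervisor flips the entry to the code view, and the iTLB caches it. */
static uint8_t guest_fetch(struct split_page *sp, int off, bool *bp_hit)
{
    if (!sp->itlb) {
        if (!(sp->ept_perm & EPT_X)) {
            sp->ept_violations++;
            sp->ept_map = &sp->code_view;
            sp->ept_perm = EPT_X;
        }
        sp->itlb = sp->ept_map;
    }
    uint8_t b = sp->itlb->bytes[off];
    *bp_hit = (b == INT3) && sp->is_bp[off];  /* intercepted #BP: ours? */
    return b;
}

/* Read: the same with the dTLB and R; the guest only sees pristine bytes. */
static uint8_t guest_read(struct split_page *sp, int off)
{
    if (!sp->dtlb) {
        if (!(sp->ept_perm & EPT_R)) {
            sp->ept_violations++;
            sp->ept_map = &sp->data_view;
            sp->ept_perm = EPT_R;
        }
        sp->dtlb = sp->ept_map;
    }
    return sp->dtlb->bytes[off];
}

/* Write: no view has W, so every write exits. Assumed policy of this model:
   the hypervisor applies it to both views but keeps its own int3 in place. */
static void guest_write(struct split_page *sp, int off, uint8_t v)
{
    sp->ept_violations++;
    sp->data_view.bytes[off] = v;
    if (!sp->is_bp[off])
        sp->code_view.bytes[off] = v;
}

struct demo_result { uint8_t fetched, seen, after_write; bool bp_hit; int exits; };
/* Replays the "Split View" slide: int3 over push ebp (0x55), a fetch, a
   read, a second fetch/read pair that hits the TLBs, then a guest self-patch. */
static struct demo_result demo_split_view(void)
{
    /* constructed sample: push ebp; mov ebp,esp; sub esp,16 (x86-32 bytes) */
    const uint8_t code[] = { 0x55, 0x89, 0xE5, 0x83, 0xEC, 0x10 };
    struct split_page sp; struct demo_result r; bool hit;
    split_page_init(&sp, code, sizeof code);
    spider_set_breakpoint(&sp, 0);
    r.fetched = guest_fetch(&sp, 0, &r.bp_hit);  /* exit 1: code view in */
    r.seen = guest_read(&sp, 0);                 /* exit 2: data view in */
    guest_fetch(&sp, 1, &hit);                   /* iTLB hit, no exit */
    guest_read(&sp, 1);                          /* dTLB hit, no exit */
    guest_write(&sp, 0, 0x90);                   /* exit 3: emulated write */
    r.after_write = guest_read(&sp, 0);          /* write visible, int3 kept */
    r.exits = sp.ept_violations;
    return r;
}
```

demo_split_view() runs the scenario of the figure: the CPU executes 0xCC while a read of the same byte returns 0x55, the two TLB hits cost no exit, and the guest's own write is honoured in what it reads back without disturbing the breakpoint, for three EPT violations in total. The data watchpoint of the slide above is the same permission check pointed the other way: leaving the entry read-only makes writes trap, as every write does in this model, and leaving it execute-only makes reads trap as well.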

Page 16: Design - Handling Timing Side-Effect

• To maintain transparency, Spider needs to hide from the guest the CPU cycles spent in the hypervisor (Th) and in VM Entry/VM Exit (Te).
• Spider sets the TSC-offset field in the virtual machine control structure (VMCS) to −(Th + Te), so that amount is subtracted from the TSC seen by the guest.
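How the negative TSC-offset keeps a guest-side timing check from noticing a trap, as an added model written for this transcript (not Spider's or KVM's code). It assumes the VMX semantics that a guest RDTSC returns the host TSC plus the VMCS TSC-offset; the cycle costs Te and Th used below are constructed, not measurements from the paper.

```c
#include <stdint.h>

/* Added illustration for this transcript, not Spider's or KVM's code: how a
   negative TSC-offset hides hypervisor time. The guest's RDTSC returns
   host_tsc + tsc_offset; each intercepted event costs Te cycles of VM
   Entry/VM Exit plus Th cycles in the handler, and Spider subtracts Th + Te.
   All cycle counts below are constructed. */
struct vcpu {
    uint64_t host_tsc;   /* free-running host time-stamp counter */
    int64_t  tsc_offset; /* VMCS TSC-offset field */
};

static uint64_t guest_rdtsc(const struct vcpu *v)
{
    return (uint64_t)((int64_t)v->host_tsc + v->tsc_offset);
}

/* The guest executes natively for `cycles` cycles. */
static void guest_run(struct vcpu *v, uint64_t cycles)
{
    v->host_tsc += cycles;
}

/* One trap (breakpoint, EPT violation or MTF exit): te cycles of
   VM Entry/VM Exit and th cycles in the hypervisor. With hide set, the
   offset is lowered by the same amount so the guest's clock stands still. */
static void vm_exit(struct vcpu *v, uint64_t te, uint64_t th, int hide)
{
    v->host_tsc += te + th;
    if (hide)
        v->tsc_offset -= (int64_t)(te + th);
}

/* A 1000-cycle guest region that takes one trap in the middle; returns the
   delta the guest observes between two RDTSCs (a typical timing check). */
static uint64_t guest_observed_delta(int hide)
{
    struct vcpu v = { .host_tsc = 1000000, .tsc_offset = 0 };
    uint64_t t0 = guest_rdtsc(&v);
    guest_run(&v, 400);
    vm_exit(&v, 1500, 20000, hide);  /* constructed: Te = 1500, Th = 20000 */
    guest_run(&v, 600);
    return guest_rdtsc(&v) - t0;
}
```

Without the adjustment the guest measures 22500 cycles for a region that costs it 1000, which is exactly the gap a timing check looks for; with the offset lowered by Th + Te the region reads as 1000. In this model Te and Th are handed in; a real hypervisor has to measure Th around its own handler, and the offset only shapes the TSC, not clocks the guest can reach outside the VM.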

Page 17: Implementation

• We have implemented a prototype of Spider on the KVM 3.5 hypervisor.
• Kernel Breakpoints
  • We can specify the address space of any process, since the kernel space is mapped in the same way for every process.
  • (init in Linux and System in Windows)
• Monitor Process Creation
  • In Windows, we set a breakpoint at the instruction right after the call to PspCreateProcess.
  • In Linux, we set a breakpoint at the instruction right after the call to copy_process.

Page 18: Implementation (cont.)

• Monitor Process Termination
  • In Windows, we set the breakpoint at the entry of the function PspProcessDelete.
  • In Linux, we set the breakpoint at the entry of the function do_exit.

Page 19: Evaluation

• Environment
  • Hardware: Thinkpad T510 laptop with Intel Core i7-3720QM 2.6GHz CPU and 8GB RAM.
  • Host OS: Ubuntu Linux 12.10 64-bit
  • Guest OS (30GB virtual hard disk and 1GB memory):
    • Windows XP SP2 32-bit
    • Ubuntu Linux 12.04 32-bit

Page 20: Transparency

• “Fail” means the program fails to run properly in the environment even without any trap.
• “Fail HBP” and “Fail SBP” mean the program fails to run properly after setting a hardware breakpoint or a software breakpoint.

Page 21: Case Study I: Spider + BEEP

Page 22: Performance Overhead

Page 23: Q & A