Ninja: Towards Transparent Tracing and Debugging on ARM · 2019. 12. 18.
Zhenyu Ning & Fengwei Zhang
Wayne State University
{zhenyu.ning,fengwei}@wayne.edu
COMPASS LAB (HTTP://COMPASS.CS.WAYNE.EDU)

Outline
• Introduction
• Background
• System Overview
• Evaluation
• Conclusion

Evasion Malware
[Figure: Analyzer]

Malware Analysis
[Figure: layers labelled Applications, Operating System, Hypervisor/Emulator; boxes labelled Malware, App, App]

Malware Analysis
[Figure: layers labelled Applications, Operating System, Hypervisor/Emulator; boxes labelled Malware, App, App; Malware Analyzer]
Limitation:
• Unarmed to anti-virtualization or anti-emulation techniques

Malware Analysis
[Figure: layers labelled Applications, Operating System, Hypervisor/Emulator; boxes labelled Malware, App, App; Malware Analyzer]
Limitation:
• Unable to handle malware with high privilege (e.g., rootkits)

Malware Analysis
[Figure: layers labelled Applications, Operating System, Hypervisor/Emulator, Hardware; boxes labelled Malware, App, App; MalT (S&P 15)]
Limitations:
• High performance overhead on mode switch
• Unprotected modified registers
• Vulnerable to external timing attack

Transparency Requirements
• An Environment that provides the access to the states of the target malware
  • It is isolated from the target malware
  • It exists on an off-the-shelf (OTS) bare-metal platform
• An Analyzer which is responsible for the further analysis of the states
  • It should not leave any detectable footprints to the outside of the environment

Background - TrustZone
ARM TrustZone technology divides the execution environment into secure domain and non-secure domain.
• The RAM is partitioned to secure and non-secure region.
• The interrupts are assigned into secure or non-secure group.
• Secure-sensitive registers can only be accessed in secure domain.
• Hardware peripherals can be configured as secure access only.

Background - TrustZone
• In ARMv8 architecture, exceptions are delivered to different Exception Levels (ELs).
• The only way to enter the secure domain is to trigger an EL3 exception.
• The exception return instruction (ERET) can be used to switch back to the non-secure domain.
[Figure: Non-secure Domain: EL0 (Applications), EL1 (Rich OS), EL2 (Hypervisor). Secure Domain: EL0 (Applications), EL1 (Secure OS). EL3 (Secure Monitor).]

Background – PMU and ETM
• The Performance Monitor Unit (PMU) leverages a set of performance counter registers to count the occurrence of different CPU events.
• The Embedded Trace Macrocell (ETM) traces the instructions and data of the system, and outputs the trace stream into pre-allocated buffers on the chip.
• Both PMU and ETM exist on ARM Cortex-A5x and Cortex-A7x series CPUs, and do NOT affect the performance of the CPU.

Overview
[Figure: Non-secure Domain (App, App, Target Malware, Rich OS); Secure Interrupt; Secure Domain (Secure Interrupt Handler, Trace Subsystem)]
Trace Subsystem:
• Instruction Trace
• System Call Trace
• Android API Trace

Overview
[Figure: Non-secure Domain (App, App, Target Malware, Rich OS); Secure Interrupt; Secure Domain (Secure Interrupt Handler, Trace Subsystem, Debug Subsystem)]
Debug Subsystem:
• Single Stepping
• Breakpoints
• Memory R/W

Overview
[Figure: Non-secure Domain (App, App, Target Malware, Rich OS); Secure Interrupt; Secure Domain (Secure Interrupt Handler, Trace Subsystem, Debug Subsystem); Secure Port; Remote Debugging Client; ERET]

Hardware Traps
Non-secure Domain:
  ……
  MRS X0, PMCR_EL0
  MOV X1, #1
  AND X0, X0, X1
  ……
Secure Domain (MDCR_EL3.TPM = 1):
  Analyzing the instruction
  MOV X0, #0x41013000
  Modifying saved ELR_EL3
  ERET
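
The trap-and-emulate sequence on the Hardware Traps slide, modelled in user-space C as an added example (not code from the Ninja authors). The struct cpu_ctx, the function names and the resume address are hypothetical; the syndrome layout is the ARMv8 ISS encoding for trapped MSR/MRS accesses (EC 0x18), and only the MRS read case shown on the slide is handled.

```c
/* Added example: user-space model of the EL3 trap path sketched on the
 * "Hardware Traps" slide. Struct and function names are hypothetical. */
#include <stdint.h>
#include <stdio.h>

#define EC_SYSREG 0x18u        /* ESR_ELx.EC: trapped MSR/MRS access */
#define FAKE_PMCR 0x41013000u  /* value the slide hands back to the reader */

struct cpu_ctx {               /* saved non-secure state (modelled) */
    uint64_t x[31];            /* X0..X30 */
    uint64_t elr_el3;          /* address of the trapped instruction */
    uint32_t esr_el3;          /* exception syndrome */
};

/* Constructed syndrome for a trapped system-register access (ISS layout
 * for EC 0x18). dir = 1 means a read (MRS), 0 a write (MSR). */
uint32_t make_esr(unsigned op0, unsigned op1, unsigned crn, unsigned crm,
                  unsigned op2, unsigned rt, unsigned dir)
{
    return (EC_SYSREG << 26) | (1u << 25) | (op0 << 20) | (op2 << 17) |
           (op1 << 14) | (crn << 10) | (rt << 5) | (crm << 1) | dir;
}

/* PMCR_EL0 is S3_3_C9_C12_0. Compare every ISS field except Rt and dir. */
static int is_pmcr_el0(uint32_t esr)
{
    const uint32_t reg_mask = 0x003ffc1eu;  /* Op0, Op2, Op1, CRn, CRm */
    return (esr & reg_mask) == (make_esr(3, 3, 9, 12, 0, 0, 0) & reg_mask);
}

/* Returns 1 if the access was emulated, 0 if it is not handled here. */
int handle_el3_trap(struct cpu_ctx *ctx)
{
    uint32_t esr = ctx->esr_el3;
    unsigned rt = (esr >> 5) & 0x1f;

    if ((esr >> 26) != EC_SYSREG || !is_pmcr_el0(esr) || !(esr & 1))
        return 0;              /* only MRS reads of PMCR_EL0 are modelled */
    if (rt != 31)              /* Rt == 31 encodes XZR: result is discarded */
        ctx->x[rt] = FAKE_PMCR;
    ctx->elr_el3 += 4;         /* skip the MRS so ERET resumes after it */
    return 1;
}

/* Runs the slide's three non-secure instructions against the model and
 * returns what the guest ends up with in X0. */
uint64_t guest_reads_pmcr_enable_bit(struct cpu_ctx *ctx)
{
    ctx->esr_el3 = make_esr(3, 3, 9, 12, 0, 0, 1);  /* MRS X0, PMCR_EL0 traps */
    if (!handle_el3_trap(ctx))
        return UINT64_MAX;
    ctx->x[1] = 1;                                  /* MOV X1, #1 */
    ctx->x[0] &= ctx->x[1];                         /* AND X0, X0, X1 */
    return ctx->x[0];
}

int main(void)
{
    struct cpu_ctx ctx = { .elr_el3 = 0x400000 };   /* constructed address */
    uint64_t e = guest_reads_pmcr_enable_bit(&ctx);
    printf("guest sees PMCR_EL0 bit 0 = %llu, resumes at 0x%llx\n",
           (unsigned long long)e, (unsigned long long)ctx.elr_el3);
    return 0;
}
```

Bit 0 of PMCR_EL0 is the enable bit E; since 0x41013000 has it clear, the slide's AND leaves X0 = 0 in this model.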

Evaluation - Transparency
• Environment:
  ✔ Isolated
  ✔ Exists on OTS platforms
• Analyzer:
  ✔ No detectable footprints?
We believe that the hardware-based approach provides better transparency.
To build a fully transparent system, we may need additional hardware support.

Evaluation – Performance of the TS
• Testbed Specification
  • ARM Juno v1 development board
  • A dual-core 800 MHz Cortex-A57 cluster and a quad-core 700 MHz Cortex-A53 cluster
  • ARM Trusted Firmware (ATF) v1.1 and Android 5.1.1

Evaluation – Performance of the TS
• Calculating one million digits of π
• GNU Multiple Precision Arithmetic Library

| | Mean | STD | # Slowdown |
|---|---|---|---|
| Base: Tracing Disabled | 2.133 s | 0.69 ms | |
| Instruction Tracing | 2.135 s | 2.79 ms | 1x |
| System call Tracing | 2.134 s | 5.13 ms | 1x |
| Android API Tracing | 149.372 s | 1287.88 ms | 70x |

Evaluation – Performance of the TS
• Performance scores evaluated by CF-Bench

| | Native Scores: Mean | Native Scores: # Slowdown | Java Scores: Mean | Java Scores: # Slowdown | Overall Scores: Mean | Overall Scores: # Slowdown |
|---|---|---|---|---|---|---|
| Basic: Tracing Disabled | 25380 | | 18758 | | 21407 | |
| Instruction Tracing | 25364 | 1x | 18673 | 1x | 21349 | 1x |
| System call Tracing | 25360 | 1x | 18664 | 1x | 21342 | 1x |
| Android API Tracing | 6452 | 4x | 122 | 154x | 2654 | 8x |

Evaluation – Domain Switching Time
• Time consumption of domain switching (in µs)
• 34x-1674x faster than MalT (11.72 µs)

| ATF Enabled | Ninja Enabled | Mean | STD | 95% CI |
|---|---|---|---|---|
| ✖ | ✖ | 0.007 | 0.000 | [0.007, 0.007] |
| ✔ | ✖ | 0.202 | 0.013 | [0.197, 0.207] |
| ✔ | ✔ | 0.342 | 0.021 | [0.334, 0.349] |

Conclusion
• Ninja: A malware analysis framework on ARM.
  • A debug subsystem and a trace subsystem
  • Using TrustZone, PMU, and ETM to improve transparency
  • The hardware-assisted trace subsystem is immune to timing attack.

Thank you! Email: [email protected]
Questions?