Using Hardware Features for Increased Debugging Transparency · 2016-09-12

Using Hardware Features for Increased Debugging Transparency
Fengwei Zhang, Kevin Leach, Angelos Stavrou, Haining Wang, and Kun Sun. In S&P '15.
Fengwei Zhang
Wayne State University · CSC 6991 Topics in Computer Security · 1
Overview
• Motivation
• Background: System Management Mode (SMM)
• System Architecture
• Evaluation: Transparency and Performance
• Conclusions and Future Directions
Motivation
• Malware attack statistics
  – Symantec blocked an average of 247,000 attacks per day [1]
  – McAfee (Intel Security) reported 8,000,000 new malware samples in the first quarter of 2014 [2]
  – Kaspersky reported malware threats have grown 34% with over 200,000 new threats per day last year [3]
• Computer systems have vulnerable applications that could be exploited by attackers.
Traditional Malware Analysis
• Using virtualization technology to create an isolated execution environment for malware debugging
• Running malware inside a VM
• Running analysis tools outside a VM

[Diagram, bottom to top: Hardware → Hypervisor (VMM) → Virtual Machine running the Malware; the Analysis Tool sits beside the VM, outside it, on the hypervisor]
Traditional Malware Analysis
Limitations:
• Depending on hypervisors that have a large TCB (e.g., Xen has 500K SLOC and 245 vulnerabilities in NVD)
• Incapable of analyzing rootkits with the same or higher privilege level (e.g., hypervisor and firmware rootkits)
• Unable to analyze armored malware with anti-virtualization or anti-emulation techniques

[Diagram, bottom to top: Hardware → Hypervisor (VMM) → Virtual Machine running the Malware; the Analysis Tool sits outside the VM, on the hypervisor]
Our Approach
We present a bare-metal debugging system called MalT that leverages System Management Mode for malware analysis
• Uses System Management Mode as a hardware isolated execution environment to run analysis tools and can debug hypervisors
• Moves analysis tools from hypervisor-layer to hardware-layer that achieves a high level of transparency

[Diagram, bottom to top: Hardware → Hypervisor (VMM) → Virtual Machine running the Malware; the Analysis Tool now sits at the Hardware layer, below the hypervisor]
Background: System Management Mode
System Management Mode (SMM) is a special CPU mode existing in the x86 architecture, and it can be used as a hardware isolated execution environment.
• Originally designed for implementing system functions (e.g., power management)
• Isolated System Management RAM (SMRAM) that is inaccessible from the OS
• Only way to enter SMM is to trigger a System Management Interrupt (SMI)
• Executing the RSM instruction to resume the OS (Protected Mode)
Background: System Management Mode
Approaches for Triggering a System Management Interrupt (SMI)
• Software-based: Write to an I/O port specified by the Southbridge datasheet (e.g., 0x2B for Intel)
• Hardware-based: Network card, keyboard, hardware timers

[Diagram: Protected Mode (Normal OS) ⇄ System Management Mode (Isolated Execution Environment: SMI Handler in isolated SMRAM, highest privilege, interrupts disabled). SMM entry: software or hardware triggers an SMI; SMM exit: RSM]
Background: Software Layers

[Diagram of software layers, top to bottom: Application / Operating System / Hypervisor (VMM) / Firmware (BIOS), with SMM at this level / Hardware]
Background: Hardware Layout

[Diagram: the CPU connects over the front-side bus to the Northbridge (memory controller hub, MMU and IOMMU), which serves the graphic card slot (PCIe bus) and the memory slots (memory bus). The Southbridge (I/O controller hub) hangs off the internal bus and serves the PCI bus and PCI slots, IDE, SATA, Audio, USB and CMOS, and, over the LPC bus, the BIOS and the Super I/O (keyboard, mouse, serial port)]
System Architecture
• Traditionally malware debugging uses virtualization or emulation
• MalT debugs malware on a bare-metal machine, and remains transparent in the presence of existing anti-debugging, anti-VM, and anti-emulation techniques.

[Diagram: Debugging Client (GDB-like Debugger) ⇄ Debugging Server (SMI handler and debugged application). 1) Trigger SMI; 2) Debug command; 3) Response message. The SMI handler inspects the application when a breakpoint is hit]
Step-by-step Debugging in MalT
• Debugging program instruction-by-instruction
• Using performance counters to trigger an SMI for each instruction

[Diagram: in Protected Mode the CPU control flow executes inst1, inst2, inst3, ..., instn; after each instruction an SMI is triggered (SMM entry), the SMI Handler runs in System Management Mode, and RSM (SMM exit) resumes at the next EIP]
Evaluation: Transparency Analysis
• Two subjects: 1) running environment and 2) debugger itself
  – Running environments of a debugger
    • SMM vs. virtualization/emulation
  – Side effects introduced by a debugger itself
    • CPU, cache, memory, I/O, BIOS, and timing
• Towards true transparency
  – MalT is not fully transparent (e.g., external timing attack) but increased
  – Draw attention to hardware-based approach for addressing debugging transparency
Evaluation: Performance Analysis
• Testbed Specification
  – Motherboard: ASUS M2V-MX SE
  – CPU: 2.2 GHz AMD LE-1250
  – Chipsets: AMD K8 Northbridge + VIA VT8237r Southbridge
  – BIOS: Coreboot + SeaBIOS

Table: SMM Switching and Resume (Time: µs)

| Operations    | Mean | STD  | 95% CI       |
|---------------|------|------|--------------|
| SMM switching | 3.29 | 0.08 | [3.27, 3.32] |
| SMM resume    | 4.58 | 0.10 | [4.55, 4.61] |
| Total         | 7.87 |      |              |
Evaluation: Performance Analysis
Table: Stepping Overhead on Windows and Linux (Unit: Times of Slowdown)

| Stepping Methods     | Windows | Linux |
|----------------------|---------|-------|
| Far control transfer | 2       | 2     |
| Near return          | 30      | 26    |
| Taken branch         | 565     | 192   |
| Instruction          | 973     | 349   |
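The stepping mechanism of the step-by-step slide and the overhead table above, modelled as an added example (this is not the MalT authors' code): a performance counter preset to overflow on its next event raises an SMI, the SMI handler records the EIP in SMM, and RSM resumes the program. Running the four stepping granularities over a constructed instruction stream shows why per-instruction stepping pays the measured 3.29 + 4.58 µs SMM round trip far more often than branch- or return-level stepping; the event labels and the instruction stream are this example's own, not hardware event codes.

```python
"""MalT-style stepping modelled with a performance-counter SMI (added example;
not code from the MalT paper, slides or firmware). The counter is preset to
overflow on its next event of the chosen kind; overflow raises an SMI, the SMI
handler inspects the program in SMM, and RSM resumes it."""
from dataclasses import dataclass, field

SMM_SWITCH_US = 3.29  # mean SMM entry cost measured on the slide's testbed
SMM_RESUME_US = 4.58  # mean RSM cost measured on the slide's testbed

# Instruction kinds each stepping method counts; labels are this example's own.
STEPPING_EVENTS = {
    "far control transfer": {"far_call", "far_ret"},
    "near return": {"ret"},
    "taken branch": {"call", "ret", "jmp", "jcc_taken", "far_call", "far_ret"},
    "instruction": None,  # None: every retired instruction is an event
}

@dataclass
class SmiTrace:
    inspected_eips: list = field(default_factory=list)
    smi_count: int = 0

    def overhead_us(self) -> float:
        """Total time spent entering and leaving SMM during the run."""
        return self.smi_count * (SMM_SWITCH_US + SMM_RESUME_US)

def smi_handler(eip: int, trace: SmiTrace) -> None:
    """Runs in SMM: record the EIP that just retired, then return (RSM)."""
    trace.smi_count += 1
    trace.inspected_eips.append(eip)

def run_with_stepping(program, method: str) -> SmiTrace:
    """program: list of (eip, kind) tuples retired in order in Protected Mode."""
    events = STEPPING_EVENTS[method]
    trace = SmiTrace()
    counter = -1  # preset so the first counted event overflows to 0
    for eip, kind in program:
        if events is None or kind in events:
            counter += 1
            if counter == 0:  # overflow -> SMI -> SMM entry
                smi_handler(eip, trace)
                counter = -1  # handler re-arms the counter before RSM
    return trace

def smi_counts_by_method(program) -> dict:
    return {m: run_with_stepping(program, m).smi_count for m in STEPPING_EVENTS}

# Constructed instruction stream (not real malware): a two-iteration loop,
# three near call/return pairs and one far call/return pair.
SAMPLE_PROGRAM = [
    (0x1000, "mov"), (0x1003, "call"), (0x2000, "mov"), (0x2003, "cmp"),
    (0x2006, "jcc_not_taken"), (0x2008, "add"), (0x200B, "jcc_taken"),
    (0x2003, "cmp"), (0x2006, "jcc_taken"), (0x200D, "ret"), (0x1008, "call"),
    (0x2100, "ret"), (0x100B, "call"), (0x2200, "ret"), (0x100E, "far_call"),
    (0x3000, "far_ret"),
]

if __name__ == "__main__":
    for method, n in smi_counts_by_method(SAMPLE_PROGRAM).items():
        print(f"{method:22s} SMIs={n:3d}  SMM time={n * (SMM_SWITCH_US + SMM_RESUME_US):7.2f} us")
```

The SMI counts come out in the same order as the table's slowdowns (far control transfer < near return < taken branch < instruction), because each SMI costs the same fixed entry and resume time regardless of what the handler does.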
Conclusions and Future Work
• We developed MalT, a bare-metal debugging system that employs SMM to analyze malware
  – Hardware-assisted system; does not use virtualization or emulation technology
  – Providing a more transparent execution environment
  – Through testing existing anti-debugging, anti-VM, and anti-emulation techniques, MalT remains transparent
• Future work

[Diagram: Remote Debugger ("client") with GDB Server, IDA Pro Tool and GDB Client ⇄ Debugging Target ("server") with SMI Handler and debugged application, exchanging debug commands and response messages over a generic interface spanning SMM and PM]
References
[1] Symantec, "Internet Security Threat Report, Vol. 19 Main Report," http://www.symantec.com/content/en/us/enterprise/other_resources/b-istr_main_report_v19_21291018.en-us.pdf, 2014.
[2] McAfee, "Threats Report: First Quarter 2014," http://www.mcafee.com/us/resources/reports/rp-quarterly-threat-q1-2014-summary.pdf.
[3] Kaspersky Lab, "Kaspersky Security Bulletin 2013," http://media.kaspersky.com/pdf/KSB_2013_EN.pdf.
Paper Discussion · Mikal Fourrier
• MalT is a framework for Windows and Linux designed to transparently detect malware. It uses the System Management Mode on x86. Only the BIOS is trusted, bringing the KSLOC of trusted code down by two to four orders of magnitude compared to emulator-based techniques. The code executing in SMM acts as a debugging server and is controlled by a gdb-like userspace program. The standard operations like breakpoints and step-by-step execution are supported. Additionally, since the server is executed in ring -2, it can also be used to debug kernels and hypervisors. Since it's a new technique, none of the current malware detects it. Some side effects introduced by SMM or techniques like timing attacks could be used by malware in the future.
Paper Discussion · Saeid Mofrad
• This paper is about MalT, a transparent debugger which leverages SMM mode in the x86 architecture. MalT resides in SMM (ring -2) and can detect rootkits in the hypervisor (ring -1) and OS kernel (ring 0), and also armored malware which can hide its payload and malicious activity in the event of the existence of non-transparent malware detection systems. MalT uses a client-server model for its implementation. The user connects remotely to MalT by serial cable and constructs MalT to debug a particular program (putting a breakpoint, stepping into instructions or reading CPU register values, etc.) in SMM and analyze it in a transparent manner. Also, MalT is susceptible to timing attacks. For example, malware may detect SMM-based activity by measuring the time delay more effectively by using encrypted external time measurement and hide its malicious activity.
Paper Discussion · Sudeep Nanjappa Jayakumar
• This paper includes the usage of a framework called MalT; here the client-server architecture is used to debug and attain transparency. MalT has the CPU mode in the architecture. This system management mode does not depend on virtualization or emulation, which also makes this system not much affected by most malware-attacked environments. In this system there is an implementation of two types of machines to show that the transparency is maintained throughout. SMM is a special-purpose CPU mode used here and it provides strong protection for malware debugging. Here the malware is run on one of the physical machines and SMM is implemented to communicate with the client of the debugging machine. Furthermore, SMM is usually considered as ring -2, which works with the hypervisor, which is at ring -1, while the OS kernel is at ring 0.
Reminders
• Paper reviews
• Course Participation Confirmation
• Next class: Transparent Malware Analysis II