Loading...
|
Please use this identifier to cite or link to this item:
https://nccur.lib.nccu.edu.tw/handle/140.119/141034
|
| Title: | 利用QEMU針對ARM虛擬機器上之行程進行動態函式追蹤
Real-time Application-aware Function Call Tracing for ARM Virtual Machine using QEMU |
| Authors: | 林履誠
Lin, Lu-Cheng |
| Contributors: | 蕭舜文
Hsiao, Shun-Wen
林履誠
Lin, Lu-Cheng |
| Keywords: | 動態追蹤
虛擬化
虛擬機器內省
ARM
Dynamic tracing
Virtualization
Virtual machine introspection |
| Date: | 2022 |
| Issue Date: | 2022-08-01 17:21:58 (UTC+8) |
| Abstract: | ARM硬體架構於行動裝置、個人電腦和雲端伺服器上面的市場份額占比越來越高,進而使針對ARM裝置的網路攻擊也隨之增加。因此,協助分析ARM裝置上的惡意攻擊行為的工具的需求也日益浮現。virtual machine introspection (VMI) 是一個利用virtual machine (VM) 來進行惡意軟體側錄跟惡意行為分析的技術,其先前在x86硬體架構上面已經有廣泛並且成熟的應用,然而此類工具在ARM裝置的支援仍然處遇前期的階段。本研究試圖利用QEMU,開發出一個能夠應用於ARM裝置上面的VMI系統。這個系統會專注於攔截並且側錄虛擬機器上面特定行程的函式呼叫。為了能夠開發出這樣的系統,我們在過程中面臨了兩個主要的問題:判斷需要監控的行程是否正在執行和如何在執行過程中攔截行程特定的函式呼叫。第一個問題我們主要利用行程的page table address跟ARM CPU上面的translation table base pointer比對,來解決判斷行程的問題。第二個問題我們利用了QEMU內部translation block的機制,進而找到適合的攔截函式呼叫的時機。
在實作這個VMI系統時,我們修改了QEMU的tiny code generator,並且在每一次QEMU執行一個translation block之前,植入了我們部分的VMI的程式。這樣可以確保我們的VMI程式可以於惡意程式在被執行之前,獲得執行的控制權,讓惡意程式無法偵測到我們的執行,然後隱藏他的攻擊足跡。我們在QEMU monitor commands內加入了幾個方便使用者可以輸入的指令,讓使用者可以透過輸入指令的方式來進行程式側錄,並且將結果輸出成log檔案。最後我們針對這個VMI系統進行效能測量,平均的效能影響僅有4%。
Besides the mobile and IoT device market, ARM has gained more market share in the personal desktop and cloud server markets. Accordingly, the number of attacks against ARM devices has increased. Thus, the need for monitoring and analyzing the malware targeting ARM device has emerged. Virtual machine introspection (VMI) is a mature technology used for malware analysis and intrusion detection. Previous research mainly focuses on building VMI on x86, and there is little research on ARM. We chose QEMU as our hypervisor among all approaches because it can emulate a range of ARM processors and allow us to intercept function calls without context switching, which reduces code complexity.
In this paper, we review QEMU`s tiny code generator and translation block and develop a naive approach to intercept function calls by inserting a small piece of code before each translation block is executed. We recognize the process by traversing the process list in the kernel using the QEMU built-in function. We identify the process by comparing the process`s page table pointer and ARM`s translation table pointer. To demonstrate the effectiveness and efficiency of our system, we first implement our VMI system as several QEMU monitor commands. The commands allow researchers to listen to a specific process`s execution and log its execution traces to log files. The benchmark results show an average performance degradation of 3.81 percent on single-threaded tasks and 4.88 percent on multi-threaded tasks. |
| Reference: | B. C. Mark Lipacis, “4q21 cpu share: Pc armaggedon; amd server share poised to accelerate,” Feb. 2022
C. Beek, S. Chandana, T. Dunton, S. Grobman, R. Gupta, T. Holden, T. Hux, K. Mc- Grath, D. Mckee, L. Munson, K. Narayan, J. Olowo, C. Pak, C. Palm, T. Polzer, S. R. Ryu, R. Samani, Sekhar, Sarukkai, and C. Schmugar, “Mcafee labs threats report, november 2020,” McAfee, LLC, San Jose, Tech. Rep., Nov. 2020.
T. Garfinkel and M. Rosenblum, “A virtual machine introspection based architecture for intrusion detection,” NDSS, vol. 3, 05 2003
S.-W. Hsiao, Y. S. Sun, and M. C. Chen, “Hardware-assisted mmu redirection for in- guest monitoring and api profiling,” IEEE Transactions on Information Forensics and Security, vol. 15, pp. 2402–2416, 2020.
A. Dinaburg, P. Royal, M. Sharif, and W. Lee, “Ether: Malware analysis via hard- ware virtualization extensions,” in Proceedings of the ACM Conference on Computer and Communications Security, 01 2008, pp. 51–62.
J. Pfoh, C. Schneider, and C. Eckert, “Nitro: Hardware-based system call tracing for virtual machines,” in Advances in Information and Computer Security 6th Inter- national Workshop on Security, IWSEC 2011, Tokyo, Japan, November 8-10, 2011. Proceedings, 11 2011, pp. 96–112.
D. Song, D. Brumley, H. Yin, J. Caballero, I. Jager, M. G. Kang, Z. Liang, J. New- some, P. Poosankam, and P. Saxena, “BitBlaze: A new approach to computer se- curity via binary analysis,” in Proceedings of the 4th International Conference on Information Systems Security. Keynote invited paper., Hyderabad, India, Dec. 2008
Z. Deng, X. Zhang, and D. Xu, “Spider: Stealthy binary program instrumentation and debugging via hardware virtualization,” in Proceedings of the 29th Annual Computer Security Applications Conference, ser. ACSAC ’13. New York, NY, USA: Association for Computing Machinery, 2013, p. 289–298. [Online]. Available: https://doi.org/10.1145/2523649.2523675
T. Lengyel, T. Kittel, and C. Eckert, “Virtual machine introspection with xen on arm,” 09 2015.
S. Proskurin, T. Lengyel, M. Momeu, C. Eckert, and A. Zarras, “Hiding in the shadows: Empowering arm for stealthy virtual machine introspection,” in Proceedings of the 34th Annual Computer Security Applications Conference, ser. ACSAC ’18. New York, NY, USA: Association for Computing Machinery, 2018, p. 407–417. [Online]. Available: https://doi.org/10.1145/3274694.3274698
Learn the architecture: Aarch64 exception model,” https://developer.arm.com/ documentation/102412/0100/Privilege-and-Exception-levels, accessed: 2022-04- 05.
“Virtualization in aarch64,” https://developer.arm.com/documentation/102142/ 0100/Virtualization-in-AArch64, accessed: 2022-03-26.
B. Ngabonziza, D. Martin, A. Bailey, H. Cho, and S. Martin, “Trustzone explained: Architectural features and use cases,” in 2016 IEEE 2nd International Conference on Collaboration and Internet Computing (CIC), 2016, pp. 445–451.
F. Bellard, “Qemu, a fast and portable dynamic translator,” in Proceedings of the Annual Conference on USENIX Annual Technical Conference, ser. ATEC ’05. USA: USENIX Association, 2005, p. 41.
“Translator internals,” https://qemu.readthedocs.io/en/latest/devel/tcg.html, ac- cessed: 2022-03-26.
S.-W. Hsiao and Y.-J. Lee, “Nn-based feature selection for text-based sequential data,” in 24th Pacific Asia Conference on Information Systems, PACIS 2020, Dubai, UAE, June 22-24, 2020, D. Vogel, K. N. Shen, P. S. Ling, C. H. 0001, J. Y. L. Thong, M. de Marco, M. Limayem, and S. X. Xu, Eds., 2020, p. 238. [Online]. Available: https://aisel.aisnet.org/pacis2020/238
S. Forrest, S. Hofmeyr, A. Somayaji, and T. Longstaff, “A sense of self for unix processes,” in Proceedings 1996 IEEE Symposium on Security and Privacy, 1996, pp. 120–128
A. S. Tanenbaum and H. Bos, Modern Operating Systems, 4th ed. Pearson Educa- tion Limited, 2015, ch. 7.
G. Neiger, A. Santoni, F. Leung, D. Rodgers, and R. Uhlig, “Intel virtualization tech- nology: Hardware support for efficient processor virtualization,” Intel Technology Journal, vol. 10, 08 2006.
“tiny code generator,” https://gitlab.com/qemu-project/qemu/-/blob/master/tcg/ README, accessed: 2022-03-26.
X. Jiang, X. Wang, and D. Xu, “Stealthy malware detection through vmm-based ”out-of-the-box” semantic view reconstruction,” in Proceedings of the 14th ACM Conference on Computer and Communications Security, ser. CCS ’07. New York NY, USA: Association for Computing Machinery, 2007, p. 128–138. [Online]. Available: https://doi.org/10.1145/1315245.1315262
Y. Fu and Z. Lin, “Bridging the semantic gap in virtual machine introspection via online kernel data redirection,” ACM Trans. Inf. Syst. Secur., vol. 16, no. 2, sep 2013. [Online]. Available: https://doi.org/10.1145/2505124
J. Xiao, L. Lu, H. Wang, and X. Zhu, “Hyperlink: Virtual machine intro- spection and memory forensic analysis without kernel source code,” in 2016 IEEE International Conference on Autonomic Computing (ICAC), 2016, pp. 127–136.
A. Henderson, L. K. Yan, X. Hu, A. Prakash, H. Yin, and S. McCamant, “Decaf: A platform-neutral whole-system dynamic binary analysis plat- form,” IEEE Transactions on Software Engineering, vol. 43, no. 2, pp. 164–184, 2017.
H.-L. Wei, C.-T. King, B. Das, M.-C. Peng, C.-C. Wang, H.-L. Huang, and J.-M. Lu, “Application specific component-service-aware trace gen- eration on android-qemu,” in 2017 30th IEEE International System-on- Chip Conference (SOCC), 2017, pp. 316–321.
“Qemu support arm cpu list,” https://elixir.bootlin.com/qemu/v5.2.0/ source/target/arm/cpu tcg.c#L635, accessed: 2022-04-05.
P. Varanasi and G. Heiser, “Hardware-supported virtualization on arm,” in Proceedings of the Second Asia-Pacific Workshop on Systems, ser. APSys ’11. New York, NY, USA: Association for Computing Machinery, 2011. [Online]. Available: https://doi.org/10.1145/2103799. 2103813
“Learn the architecture: Aarch64 virtualization - stage 2 translation,” https://developer.arm.com/documentation/102142/0100/ Stage-2-translation, accessed: 2022-03-26.
“Learn the architecture: Trustzone for aarch64,” https://developer.arm. com/documentation/102418/0101/TrustZone-in-the-processor, accessed: 2022-03-26.
L. Jia, M. Zhu, and B. Tu, “T-vmi: Trusted virtual machine introspection in cloud environments,” in 2017 17th IEEE/ACM International Sym- posium on Cluster, Cloud and Grid Computing (CCGRID), 2017, pp. 478–487
M. Guerra, B. Taubmann, H. P. Reiser, S. Yalew, and M. Correia, “Introspection for arm trustzone with the itz library,” in 2018 IEEE International Conference on Software Quality, Reliability and Security (QRS), 2018, pp. 123–134.
S. Wan, J. Sun, K. Sun, N. Zhang, and Q. Li, “Satin: A secure and trustworthy asynchronous introspection on multi-core arm processors,” in 2019 49th Annual IEEE/IFIP International Conference on Depend- able Systems and Networks (DSN), June 2019, pp. 289–301.
S. Chylek, “Collecting program execution statistics with qemu processor emulator,” in 2009 International Multiconference on Computer Science and Information Technology, 2009, pp. 555–558.
P. Dovgalyuk, N. Fursova, I. Vasiliev, and V. Makarov, “Qemu-based framework for non-intrusive virtual machine instrumentation and introspection,” in Proceedings of the 2017 11th Joint Meeting on Foundations of Software Engineering, ser. ESEC/FSE 2017. New York, NY, USA: Association for Computing Machinery, 2017, p. 944–948. [Online]. Available: https://doi.org/10.1145/3106237.3122817
“sched.h,” https://elixir.bootlin.com/linux/v5.4.74/source/include/linux/ sched.h#L624, accessed: 2022-04-05.
“Arm armv8-a architecture registers,” https://developer. arm.com/documentation/ddi0595/2021-12/AArch32-Registers/ TTBR0--Translation-Table-Base-Register-0?lang=en, accessed: 2022- 04-05.
Procedure Call Standard for the Arm Architecture, Arm Limited, 4 2022.
“mmtypes.h,” https://elixir.bootlin.com/linux/v5.4.74/source/include/ linux/mm types.h#L370, accessed: 2022-04-05.
“kernel.h,” https://elixir.bootlin.com/linux/v5.4.74/source/tools/include/ linux/kernel.h#L22, accessed: 2022-04-05.
“byte-unixbench,” https://github.com/kdlucas/byte-unixbench, accessed: 2022-03-26.
“Curl: command line tool and library for transferring data with urls,” https://curl.se/, accessed: 2022-04-05.
T. Van Dung, I. Taniguchi, T. Hieda, and H. Tomiyama, “Function profiling for embedded software by utilizing qemu and analyzer tool,” in 2013 IEEE 56th International Midwest Symposium on Circuits and Systems (MWSCAS), 2013, pp. 1251–1254. |
| Description: | 碩士
國立政治大學
資訊管理學系
109356017 |
| Source URI: | http://thesis.lib.nccu.edu.tw/record/#G0109356017 |
| Data Type: | thesis |
| DOI: | 10.6814/NCCU202200712 |
| Appears in Collections: | [資訊管理學系] 學位論文
|
Files in This Item:
| File |
Description |
Size | Format | |
|---|
| 601701.pdf | | 629Kb | Adobe PDF2 | 0 | View/Open |
|
All items in 政大典藏 are protected by copyright, with all rights reserved.
|
