DOI: 10.1145/2523649.2523675
Research article

SPIDER: stealthy binary program instrumentation and debugging via hardware virtualization

Published: 09 December 2013

Abstract

The ability to trap the execution of a binary program at desired instructions is essential in many security scenarios such as malware analysis and attack provenance. However, an increasing share of both malicious and legitimate programs are equipped with anti-debugging and anti-instrumentation techniques, which render existing debuggers and instrumentation tools inadequate. In this paper, we present Spider, a stealthy program instrumentation framework that enables transparent, efficient and flexible instruction-level trapping based on hardware virtualization. Spider uses the invisible breakpoint, a novel primitive we develop that inherits the efficiency and flexibility of the software breakpoint while using hardware virtualization to hide its side effects from the guest. We have implemented a prototype of Spider on KVM. Our evaluation shows that Spider remains transparent against state-of-the-art anti-debugging and anti-instrumentation techniques, and that the overhead of an invisible breakpoint is comparable to that of a traditional hardware breakpoint. We also demonstrate Spider's usage in various security applications.
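A user-space model of the side effect the abstract refers to, added here as an illustration; it is not code from the Spider paper or its KVM prototype. A software breakpoint is an int3 byte (0xCC) written over the first byte of the target instruction, so any program that hashes its own code can spot it. The model keeps two copies of a constructed 16-byte code buffer: the bytes the guest gets when it reads memory and the bytes it gets when it fetches instructions. Only the fetch copy is patched. How the hypervisor enforces that separation on real hardware is the paper's contribution and is not reproduced here; the two arrays, the FNV-1a hash and all function names are assumptions of this example.

```c
/* Added example, not Spider's code: a user-space model of a software
 * breakpoint versus an "invisible" one whose patch is hidden from guest reads.
 * The two views below stand in for whatever separation the hypervisor
 * enforces between guest memory reads and guest instruction fetches. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define INT3     0xCC   /* one-byte x86 software breakpoint opcode */
#define CODE_LEN 16

/* Constructed sample "guest code" (x86-64 bytes; modelled, never executed):
 * push rbp; mov rbp,rsp; xor eax,eax; mov eax,42; pop rbp; ret; nop x3 */
static const uint8_t original_code[CODE_LEN] = {
    0x55, 0x48, 0x89, 0xE5, 0x31, 0xC0, 0xB8, 0x2A, 0x00, 0x00, 0x00,
    0x5D, 0xC3, 0x90, 0x90, 0x90
};

typedef struct {
    uint8_t data_view[CODE_LEN]; /* bytes returned for guest memory reads */
    uint8_t code_view[CODE_LEN]; /* bytes returned for instruction fetch */
    uint8_t armed[CODE_LEN];     /* 1 where an invisible breakpoint is set */
} guest_mem;

/* FNV-1a over a byte range: the kind of self-checksum an anti-debugging
 * routine runs over its own .text to look for 0xCC patches. */
uint32_t fnv1a(const uint8_t *p, size_t n)
{
    uint32_t h = 2166136261u;
    for (size_t i = 0; i < n; i++) {
        h ^= p[i];
        h *= 16777619u;
    }
    return h;
}

void guest_init(guest_mem *g)
{
    memcpy(g->data_view, original_code, CODE_LEN);
    memcpy(g->code_view, original_code, CODE_LEN);
    memset(g->armed, 0, CODE_LEN);
}

/* Classic debugger breakpoint: one backing store, so the patch is
 * visible to both instruction fetch and ordinary reads. */
void set_plain_bp(guest_mem *g, size_t off)
{
    g->data_view[off] = INT3;
    g->code_view[off] = INT3;
}

/* Invisible breakpoint: patch only what is fetched; reads stay pristine. */
void set_invisible_bp(guest_mem *g, size_t off)
{
    g->code_view[off] = INT3;
    g->armed[off] = 1;
}

/* A guest write to its own code lands in both views, but must not
 * silently disarm a pending invisible breakpoint. */
void guest_write(guest_mem *g, size_t off, uint8_t v)
{
    g->data_view[off] = v;
    g->code_view[off] = g->armed[off] ? INT3 : v;
}

uint8_t guest_read(const guest_mem *g, size_t off)  { return g->data_view[off]; }
int     fetch_traps(const guest_mem *g, size_t off) { return g->code_view[off] == INT3; }

/* The anti-debugging check: hash what the guest can read and compare it
 * with the known-good value compiled into the program. */
int integrity_check_passes(const guest_mem *g)
{
    return fnv1a(g->data_view, CODE_LEN) == fnv1a(original_code, CODE_LEN);
}

int main(void)
{
    guest_mem g;
    size_t bp = 6; /* offset of "mov eax,42" in the sample code */

    guest_init(&g);
    set_plain_bp(&g, bp);
    printf("plain int3 at +%zu: integrity check %s, fetch traps=%d\n",
           bp, integrity_check_passes(&g) ? "passes" : "FAILS", fetch_traps(&g, bp));

    guest_init(&g);
    set_invisible_bp(&g, bp);
    printf("invisible bp at +%zu: integrity check %s, fetch traps=%d\n",
           bp, integrity_check_passes(&g) ? "passes" : "FAILS", fetch_traps(&g, bp));

    guest_write(&g, bp, 0x90); /* self-modifying guest: breakpoint survives */
    printf("after guest write: read=0x%02X, fetch traps=%d\n",
           guest_read(&g, bp), fetch_traps(&g, bp));
    return 0;
}
```

The plain breakpoint fails the guest's own checksum; the invisible one passes it while still trapping on fetch, and a later guest write to the patched byte is reflected in reads without disarming the trap. The model covers only the code-integrity class of checks; the paper's evaluation addresses the broader set of anti-debugging and anti-instrumentation techniques.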




Published In

ACSAC '13: Proceedings of the 29th Annual Computer Security Applications Conference
December 2013
374 pages
ISBN:9781450320153
DOI:10.1145/2523649
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Sponsors

  • ACSA: Applied Computing Security Assoc

Publisher

Association for Computing Machinery

New York, NY, United States


Conference

ACSAC '13
Sponsor:
  • ACSA
ACSAC '13: Annual Computer Security Applications Conference
December 9 - 13, 2013
New Orleans, Louisiana, USA

Acceptance Rates

Overall Acceptance Rate 104 of 497 submissions, 21%


Article Metrics

  • Downloads (last 12 months): 47
  • Downloads (last 6 weeks): 7
Reflects downloads up to 04 Oct 2024

Cited By

  • (2024) Reducing Malware Analysis Overhead With Coverings. IEEE Transactions on Dependable and Secure Computing 21(4):4133-4146, July 2024. DOI 10.1109/TDSC.2023.3346328
  • (2023) Designing Robust API Monitoring Solutions. IEEE Transactions on Dependable and Secure Computing 20(1):392-406, 1 January 2023. DOI 10.1109/TDSC.2021.3133729
  • (2022) Method for Programs Protection against Breakpoints by Code Fragments Execution in a Shared Buffer. The Herald of the Siberian State University of Telecommunications and Informatics, pp. 48-55, 1 October 2022. DOI 10.55648/1998-6920-2022-16-3-48-55
  • (2022) Anti-Malware Sandbox Games. Proceedings of the 21st International Conference on Autonomous Agents and Multiagent Systems, pp. 1201-1209, 9 May 2022. DOI 10.5555/3535850.3535984
  • (2022) HyperDbg: Reinventing Hardware-Assisted Debugging. Proceedings of the 2022 ACM SIGSAC Conference on Computer and Communications Security, pp. 1709-1723, 7 November 2022. DOI 10.1145/3548606.3560649
  • (2022) Improving Transparency of Hardware Breakpoints with Virtual Machine Introspection. 2022 12th International Congress on Advanced Applied Informatics (IIAI-AAI), pp. 113-117, July 2022. DOI 10.1109/IIAIAAI55812.2022.00031
  • (2021) Towards a Modular On-Premise Approach for Data Sharing. Sensors 21(17):5805, 28 August 2021. DOI 10.3390/s21175805
  • (2021) Hypervisor-assisted dynamic malware analysis. Cybersecurity 4(1), 2 June 2021. DOI 10.1186/s42400-021-00083-9
  • (2021) An Inside Look into the Practice of Malware Analysis. Proceedings of the 2021 ACM SIGSAC Conference on Computer and Communications Security, pp. 3053-3069, 12 November 2021. DOI 10.1145/3460120.3484759
  • (2021) Happer: Unpacking Android Apps via a Hardware-Assisted Approach. 2021 IEEE Symposium on Security and Privacy (SP), pp. 1641-1658, May 2021. DOI 10.1109/SP40001.2021.00105
