
SPAD: Software Protection through Antidebugging Based on Hardware Virtualization

Speaker: Miao Yu 08/05/2010

Agenda
About authors
Motivation
Background
Design
Implementation
Evaluation
Summary

About authors
Miao Yu, a graduate student in the Trusted Computing Group, Shanghai Jiao Tong University
Interests: hardware-virtualization-based system security, OS

About authors
Publications:
HBSP: A Light-Weight Hardware Virtualization Based Framework for Transparent Software Protection in Commodity Operating Systems (FCST09)
NewBluePill (2011)


Motivation
Debugging is a double-edged sword:
It speeds up the development of software
It reveals the internals of any program

It is important to protect released software from debugging, especially commercial software (e.g. StarForce protection technology).

Motivation
A widely applied security problem
A reliable monitor/honeypot is a fundamental assumption in previous work on anti-debugging.
General anti-debugging mechanisms: the anti-debugging ability of packers.

Motivation
Problems
Existing anti-debugging can easily be fooled by debuggers:
User-level debugger
Kernel-level debugger
System-level debugger
Simulator debugger

Root cause: traditional software anti-debugging has no way to use a privilege level higher than the debugger's.

How about
The effectiveness of anti-debugging remains even if:
The mechanism is publicly known
The code of this mechanism is publicly known

Low overhead and dynamic loading would be another great advantage.

The key challenge is how to occupy a more privileged position.


Background
Debugging Mechanism in Windows
KiDispatchException() is the core routine for exception disposal in Windows.

Background
Current General Anti-Debugging Tricks
Related to Windows APIs, kernel objects and exception handlers (BlackHat 08)


Design
Back to the problem

How to occupy a more privileged position?

Agenda
Design
Introduction on Intel VT Architecture
Anti-Debugging Approach

Hardware Virtual Machine Technology

Intel VT technology: the hypervisor works mainly by configuring the VMCS.
Privilege levels: Ring 3 (user), Ring 0 (kernel), Ring -1 (hypervisor).

Hardware Virtual Machine Technology

Figure: two VM-exit examples. (1) The guest executes MOV CR3, EAX; the instruction triggers a #VMEXIT, and the hypervisor decides whether to carry out the real CR3 move or substitute a fake CR3 before resuming the guest. (2) A guest timer-interrupt handler reads a value (MOV EBX, [ESP+8]); when the hypervisor intercepts such an access it can return either the real value or a fake value to the guest, and the guest cannot tell the two apart.

Hardware Virtual Machine Technology

Figure: address translation with EPT. CR3 selects the guest IA-32 page tables, which map a guest linear address to a guest physical address; the EPT base pointer (EPTP) selects the extended page tables, which map that guest physical address to a host physical address.

Extended Page Tables
A new page-table structure, under the control of the VMM
Defines the mapping between guest-physical and host-physical addresses
The EPT base pointer (a new VMCS field) points to the EPT page tables
EPT is (optionally) activated on VM entry and deactivated on VM exit

The guest keeps full control over its own IA-32 page tables
No VM exits due to guest page faults, INVLPG, or CR3 changes


SPAD Architecture
SPAD modules:
Anti-Debugging Module
    Sensitive behavior interception
    Critical function monitor
    Anti-debugging action/approach
Memory-Hiding Module


Anti-Debugging Approach

Monitor process switching at the key checkpoints:
INT1, INT3, INT 2D
KiDispatchException()


Implementation
How to monitor the key checkpoints
Exceptions/interrupts: Intel VT can trap these directly.
KiDispatchException(): not straightforward, since a kernel function has no hardware trap of its own.

Solution: put a CPUID instruction at both the function's entry and its exit (inline hook). CPUID always causes a VM exit, so every pass through the hooked function reaches the hypervisor without trapping anything else.

Implementation
Are these hooks safe?
If the OS has already been tampered with by an anti-anti-debugger before SPAD loads:

SPAD can check OS integrity before loading itself, and can even restore the critical hooks.

If someone tries to compromise SPAD after it is loaded:

EPT/SPT protection is effective against this type of attack. Previous work (HookSafe, CCS09) also demonstrates this.
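The checkpoint mechanism from the previous slide (CPUID planted at the entry and exit of KiDispatchException, with INT1, INT3 and INT 2D as the watched vectors) and the hook-integrity question above, as one added example that is not SPAD's code: a user-space C model of the hypervisor's CPUID exit handler. The magic leaf values, the convention that ECX carries the exception vector at entry, identifying the protected process by its CR3, the helper names and the sample exits are all assumptions of this example; the slides do not specify them.

```c
/* Added example (not SPAD's code): a user-space model of the hypervisor's
 * handler for the CPUID checkpoints. The real hooks patch CPUID into the entry
 * and exit of KiDispatchException; here the guest side is replaced by
 * constructed register states passed to the handler. Assumed conventions the
 * slides do not state: EAX carries a magic leaf telling entry from exit, ECX
 * carries the exception vector at entry, and a process is identified by CR3. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define LEAF_ENTRY 0x53504144u   /* "SPAD": entry of KiDispatchException (assumed value) */
#define LEAF_EXIT  0x53504145u   /* LEAF_ENTRY + 1: exit of KiDispatchException */

/* The vectors a debugger depends on, from the talk's checkpoint list. */
#define VEC_DB 0x01              /* INT1 / #DB: single-step, hardware breakpoint */
#define VEC_BP 0x03              /* INT3 / #BP: software breakpoint */
#define VEC_2D 0x2D              /* INT 2D: Windows debug service */

enum verdict { PASS_THROUGH, DEBUG_ATTEMPT, HOOK_BYPASSED };

struct guest_regs { uint32_t eax, ecx; uint64_t cr3; }; /* guest state at the VM exit (subset) */

#define MAX_PROC 8
struct dispatch_depth { uint64_t cr3; int depth; };

struct monitor {
    uint64_t protected_cr3;                 /* the process SPAD protects */
    struct dispatch_depth inside[MAX_PROC]; /* nesting depth in KiDispatchException, per process */
    unsigned debug_events;                  /* debug-class exceptions seen in the protected process */
};

void monitor_init(struct monitor *m, uint64_t protected_cr3)
{
    memset(m, 0, sizeof *m);
    m->protected_cr3 = protected_cr3;
}

static int is_debug_vector(uint32_t vec)
{
    return vec == VEC_DB || vec == VEC_BP || vec == VEC_2D;
}

/* Depth counter for a process; allocates a slot on entry, returns NULL when
 * the process is untracked (or the table is full). */
static struct dispatch_depth *depth_for(struct monitor *m, uint64_t cr3, int alloc)
{
    struct dispatch_depth *free_slot = NULL;
    for (int i = 0; i < MAX_PROC; i++) {
        if (m->inside[i].cr3 == cr3) return &m->inside[i];
        if (m->inside[i].cr3 == 0 && !free_slot) free_slot = &m->inside[i];
    }
    if (alloc && free_slot) { free_slot->cr3 = cr3; return free_slot; }
    return NULL;
}

/* CPUID VM-exit handler. Returns 1 when the exit was one of our checkpoints
 * (the hypervisor then steps the guest RIP past the CPUID and resumes) and 0
 * for an ordinary CPUID that must be emulated as usual. CPUID always exits
 * under Intel VT, which is why it is usable as a trap instruction here. */
int on_cpuid_exit(struct monitor *m, const struct guest_regs *r, enum verdict *v)
{
    *v = PASS_THROUGH;
    if (r->eax == LEAF_ENTRY) {
        struct dispatch_depth *d = depth_for(m, r->cr3, 1);
        if (d) d->depth++;
        if (r->cr3 == m->protected_cr3 && is_debug_vector(r->ecx)) {
            m->debug_events++;
            *v = DEBUG_ATTEMPT;       /* hand off to the anti-debugging action */
        }
        return 1;
    }
    if (r->eax == LEAF_EXIT) {
        struct dispatch_depth *d = depth_for(m, r->cr3, 0);
        if (!d || d->depth == 0) *v = HOOK_BYPASSED;   /* exit with no matching entry */
        else if (--d->depth == 0) d->cr3 = 0;          /* left the function: free the slot */
        return 1;
    }
    return 0;
}

/* Convenience wrapper around one constructed VM exit. */
struct monitor g_mon;
enum verdict g_v;
int checkpoint(uint32_t eax, uint32_t ecx, uint64_t cr3)
{
    struct guest_regs r = { eax, ecx, cr3 };
    return on_cpuid_exit(&g_mon, &r, &g_v);
}

int main(void)
{
    monitor_init(&g_mon, 0x1000);                 /* protect the process whose CR3 is 0x1000 */
    checkpoint(LEAF_ENTRY, VEC_BP, 0x1000); printf("INT3 in protected process -> %d\n", g_v);
    checkpoint(LEAF_EXIT, 0, 0x1000);       printf("matching exit             -> %d\n", g_v);
    checkpoint(LEAF_ENTRY, 0x0E, 0x1000);   printf("#PF in protected process  -> %d\n", g_v);
    checkpoint(LEAF_ENTRY, VEC_BP, 0x2000); printf("INT3 in another process   -> %d\n", g_v);
    checkpoint(LEAF_EXIT, 0, 0x3000);       printf("exit without entry        -> %d\n", g_v);
    return 0;
}
```

The depth counter gives the hypervisor a cheap integrity signal on top of the EPT protection: an exit checkpoint with no matching entry means control reached the end of KiDispatchException without passing the entry hook. A real handler also has to let the protected program's own use of INT3 (a runtime's assertion trap, for instance) through without treating it as debugging, and it must advance the guest RIP past the two-byte CPUID before resuming.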

Implementation
Memory-Hiding Module
Memory-hiding technology is applied to conceal the hypervisor completely.
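The two-stage translation from the Extended Page Tables slide, the EPT/SPT protection of the critical hooks, and the memory-hiding module above, as one added C example that is not SPAD's code: a user-space model with one-level toy page tables. The page numbers, the flat table layout and the helper names are constructed for the example; the presence and permission checks between the two stages are the mechanism the slides describe.

```c
/* Added example (not SPAD's code): a user-space model of two-stage address
 * translation under Intel EPT, with the EPT permission bits used the way the
 * talk describes: write-protecting the page that holds the inline hooks and
 * leaving the hypervisor's own pages unmapped so the guest cannot see them.
 * Tables are one flat level (an array indexed by page number); the two
 * translation steps and the checks between them are the point. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PAGE_SHIFT 12
#define PAGE_SIZE  (1u << PAGE_SHIFT)
#define NPAGES     64                  /* toy address spaces: 64 pages each */

enum acc_type { ACC_READ = 1, ACC_WRITE = 2, ACC_EXEC = 4 };   /* access kinds = EPT permission bits */
enum xlat_result { XLAT_OK, GUEST_PAGE_FAULT, EPT_VIOLATION }; /* what the hardware reports */

/* Guest IA-32 page tables: linear page -> guest physical page. Guest-owned. */
struct guest_pt { int present[NPAGES]; uint32_t gpn[NPAGES]; };
/* Extended page tables: guest physical page -> host physical page + RWX. VMM-owned. */
struct ept { int present[NPAGES]; uint32_t hpn[NPAGES]; unsigned perm[NPAGES]; };

/* Stage 1: a miss is an ordinary guest #PF; with EPT active it never VM-exits. */
static enum xlat_result gla_to_gpa(const struct guest_pt *pt, uint32_t gla, uint32_t *gpa)
{
    uint32_t vpn = gla >> PAGE_SHIFT;
    if (vpn >= NPAGES || !pt->present[vpn]) return GUEST_PAGE_FAULT;
    *gpa = (pt->gpn[vpn] << PAGE_SHIFT) | (gla & (PAGE_SIZE - 1));
    return XLAT_OK;
}

/* Stage 2: a missing mapping or a permission mismatch is an EPT violation.
 * The CPU exits to the hypervisor; the guest never learns why the access failed. */
static enum xlat_result gpa_to_hpa(const struct ept *e, uint32_t gpa, enum acc_type acc, uint32_t *hpa)
{
    uint32_t gpn = gpa >> PAGE_SHIFT;
    if (gpn >= NPAGES || !e->present[gpn] || (e->perm[gpn] & acc) != (unsigned)acc) return EPT_VIOLATION;
    *hpa = (e->hpn[gpn] << PAGE_SHIFT) | (gpa & (PAGE_SIZE - 1));
    return XLAT_OK;
}

/* Both stages for one guest access. */
enum xlat_result translate(const struct guest_pt *pt, const struct ept *e,
                           uint32_t gla, enum acc_type acc, uint32_t *hpa)
{
    uint32_t gpa;
    enum xlat_result r = gla_to_gpa(pt, gla, &gpa);
    return r == XLAT_OK ? gpa_to_hpa(e, gpa, acc, hpa) : r;
}

/* VMM policy: identity-map everything RWX, then carve out the exceptions. */
void ept_identity_map(struct ept *e)
{
    for (uint32_t i = 0; i < NPAGES; i++) {
        e->present[i] = 1; e->hpn[i] = i; e->perm[i] = ACC_READ | ACC_WRITE | ACC_EXEC;
    }
}
void ept_protect_code(struct ept *e, uint32_t gpn) { e->perm[gpn] = ACC_READ | ACC_EXEC; } /* hook page: R+X, no W */
void ept_hide(struct ept *e, uint32_t gpn) { e->present[gpn] = 0; }                        /* hypervisor page: absent */

/* Constructed scenario (page numbers are made up): guest linear page 5 -> gpn 9,
 * the page holding the hooked KiDispatchException; linear page 6 -> gpn 40,
 * a page the hypervisor keeps for itself. */
struct guest_pt g_pt;
struct ept g_ept;
uint32_t g_hpa;

void build_scenario(void)
{
    memset(&g_pt, 0, sizeof g_pt);
    g_pt.present[5] = 1; g_pt.gpn[5] = 9;
    g_pt.present[6] = 1; g_pt.gpn[6] = 40;
    ept_identity_map(&g_ept);
    ept_protect_code(&g_ept, 9);
    ept_hide(&g_ept, 40);
}

int main(void)
{
    build_scenario();
    printf("exec hook page   -> %d\n", translate(&g_pt, &g_ept, 0x5010, ACC_EXEC, &g_hpa));
    printf("write hook page  -> %d\n", translate(&g_pt, &g_ept, 0x5010, ACC_WRITE, &g_hpa));
    printf("read hidden page -> %d\n", translate(&g_pt, &g_ept, 0x6000, ACC_READ, &g_hpa));
    /* The guest remaps its own page 5 with no VM exit. The EPT policy stays
     * attached to gpn 9, so the new target (gpn 10) is writable again: what
     * must be protected is the physical page, not the guest's view of it. */
    g_pt.gpn[5] = 10;
    printf("write remapped   -> %d\n", translate(&g_pt, &g_ept, 0x5010, ACC_WRITE, &g_hpa));
    return 0;
}
```

The last step in main is the point of the "no VM exits on CR3 changes" bullet: the guest can rearrange its own mappings freely, and the hypervisor does not need to see it, because the write-protection and the hiding are attached to guest-physical pages in the EPT, not to anything the guest controls. Conversely, protection must cover every physical page the hooked code and the hypervisor occupy, or a guest remap lands on an unprotected copy.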


Evaluation
Security Analysis

Attack                                                        Defense
Disrupt SPAD integrity: try to unload or tamper with SPAD     Memory-Hiding Module
Disable the SPAD monitor: modify the IDT                      Intel VT
Disable the SPAD monitor: modify/delete a critical hook       SPT/EPT protection

Evaluation
Effectiveness Analysis

Evaluation
Compatibility Analysis

Evaluation
Performance Evaluation
Benchmarks: SPEC CINT 2006, SPEC CFP 2006

TestBed
CPU: Intel E6320, 1.86 GHz
Memory: 2 GB
OS: Windows XP SP2

Evaluation

SPAD incurs only 0.23% performance overhead.


Demo

Summary
By occupying the Ring -1 privilege level, SPAD remains effective at anti-debugging even if:
The mechanism is publicly known
The code of SPAD is publicly known

SPAD can be loaded on the fly and incurs only 0.23% performance overhead in total.

Thank you!
Q&A and Discussion
