Agenda
About authors
Motivation
Background
Design
Implementation
Evaluation
Summary
About authors
Miao Yu, a graduate in the Trusted Computing Group, Shanghai Jiao Tong University
Interests: hardware virtualization based system security, OS
Publications:
HBSP: A Light-Weight Hardware Virtualization Based Framework for Transparent Software Protection in Commodity Operating Systems (FCST09)
NewBluePill (2011)
Motivation
Debugging is a double-edged sword:
It speeds up the development of software
It reveals the internals of any program
It is important to protect released software from debugging, especially commercial software (StarForce Protection Technology).
Widely applied security problems:
A reliable monitor/honeypot is a fundamental assumption in previous works on anti-debugging
General anti-debugging mechanisms
Packers' anti-debugging ability
Problems
Existing mechanisms can be easily fooled by debuggers:
User-level debuggers
Kernel-level debuggers
System-level debuggers
Simulator debuggers
How about an approach where the effectiveness of anti-debugging remains even if:
The mechanism is publicly known
The code of this mechanism is publicly known
Background
Debugging Mechanism in Windows
KiDispatchException() is the core routine for exception handling in Windows.
Current General Anti-Debugging Tricks
Related to Windows API, kernel objects and exception handlers (Blackhat08)
Design
Back to the problem
Introduction on Intel VT Architecture
[Figure: hypervisor and physical machine diagram. Guest events Move CR3, Move FakeCR3 and Timer Interrupt trap to the hypervisor (#VMEXIT, Interrupt Handler); the handler returns either RealVal or FakeVal to the guest.]
Extended Page Table (EPT): a new page-table structure, under the control of the VMM
Defines the mapping between guest-physical and host-physical addresses
EPT base pointer (a new VMCS field) points to the EPT page tables
EPT is (optionally) activated on VM entry and deactivated on VM exit
The guest has full control over its own IA-32 page tables
No VM exits are caused by guest page faults, INVLPG, or CR3 changes
Anti-Debugging Approach
SPAD Architecture
SPAD Modules:
Anti-debugging Module
Sensitive Behavior Interception
Critical Function Monitor
Anti-Debugging Action/Approach
Implementation
How to Monitor Key Checkpoints
Monitor exceptions/interrupts: Intel VT
Monitor KiDispatchException(): not straightforward
Put a CPUID instruction at both the function's entry and exit (inline hook), so each crossing causes a VM exit!
Are These Hooks Safe?
If the OS is tampered with by an anti-anti-debugger:
SPAD can check the OS integrity before loading itself, and even restore the critical hooks.
EPT/SPT is effective in defending against this type of attack; previous work also proves this: HookSafe (CCS09)
Memory-Hiding Module
The Memory-Hiding technology is applied to conceal the hypervisor completely.
Evaluation
Security Analysis
Disrupt SPAD integrity:
Try to unload or tamper with SPAD; Memory-Hiding Module
Effectiveness Analysis
Compatibility Analysis
Performance Evaluation
Choose the following benchmarks:
Test bed: CPU: Intel E6320 1.86GHz; Memory: 2GB; OS: Windows XP SP2
Demo
Summary
By occupying the Ring -1 privilege level, SPAD is effective in anti-debugging, even if:
The mechanism is publicly known
The code of SPAD is publicly known
SPAD, which can be loaded on the fly, incurs only 0.23% performance overhead in total.
Thank you!
Q&A and Discussion