Xen and the Art of Binary Modification
Lies, Damn Lies, and Page Frame Addresses
Greg Cooksey and Nate Rosenblum, March 2007
Motivation: Paranoid Programs
- Programs can be designed to be tamper resistant
  - Obfuscation of control flow
  - Run-time decryption of executable code
  - Detection of static or dynamic modification
- Goal: subvert tamper prevention mechanisms
  - Enables reverse engineering (“what does this virus do?”)
  - Allows binary modification (“now this virus does something else”)
Self-checksumming Code
- Value of some computation depends on the bytes of the program text
- Allows detection of modifications (e.g. instrumentation, binary rewriting)
- Makes an implicit assumption of a von Neumann (single store) memory architecture
- Multiple overlapping checksums help prevent tampering
[Figure: von Neumann architecture: the tamper-resistant process's data reads and instruction fetches both go to the same single store]
Attacking Self-checksumming Code
- Violating the von Neumann assumption defeats the protection
- Emulation
  - Allows detection and redirection of data reads
  - But… is slow, expensive
- Malicious operating system
  - Introduced in Wurster (2004)
  - Utilizes virtual memory hardware
  - But… requires a modified OS
[Figure: Harvard architecture: the tamper-resistant process's data reads and instruction fetches go to separate stores]
Malicious Virtualization
- Hypothesis: the Virtual Machine Monitor is a superior malicious agent
  - VMM is responsible for managing virtual memory
  - Able to modify virtual memory without operating system assistance
  - Allows attacks on commodity operating systems (e.g. Microsoft Windows)
  - Virtualization is significantly less expensive than emulation
- Xen: Linux-based open source VMM
Overview of Approach
- Modern architectures are Harvard architectures
  - E.g. x86: separate instruction/data translation lookaside buffers (TLBs)
- VMM can get notification of page accesses
- Instruction TLB points to the modified code page
- On a data read access, edit the data TLB to point to the unmodified page
[Figure: a 32-bit linear address [directory][table][offset] is translated through the ITLB on an instruction fetch (fetch? yes) and through the DTLB otherwise (fetch? no), each yielding a memory address; normally these addresses are the same!]
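A toy model of the ITLB/DTLB split described above, added here as an example (not the authors' code): a self-checksum that reads its own text through the data path detects an ordinary single-store patch, but not a patch that only the instruction path sees. The 16-byte page size, the hash, and the sample page contents are assumptions made for the demonstration.

```python
# Toy model of the ITLB/DTLB split (added example, not the authors' code).
# Pages are 16 bytes; a vpn -> frame dict stands in for the x86 page tables.
PAGE_SIZE = 16


class SplitTlbMemory:
    def __init__(self, frames: dict[int, bytes]) -> None:
        self.frames = {f: bytearray(b) for f, b in frames.items()}
        self.itlb: dict[int, int] = {}  # vpn -> frame used by instruction fetch
        self.dtlb: dict[int, int] = {}  # vpn -> frame used by data reads

    def map_page(self, vpn: int, frame: int) -> None:
        # Honest mapping: both TLBs translate vpn to the same frame.
        self.itlb[vpn] = self.dtlb[vpn] = frame

    def _translate(self, tlb: dict[int, int], vaddr: int) -> tuple[bytearray, int]:
        vpn, offset = divmod(vaddr, PAGE_SIZE)
        return self.frames[tlb[vpn]], offset

    def fetch(self, vaddr: int) -> int:  # instruction path (ITLB)
        frame, offset = self._translate(self.itlb, vaddr)
        return frame[offset]

    def read(self, vaddr: int) -> int:  # data path (DTLB)
        frame, offset = self._translate(self.dtlb, vaddr)
        return frame[offset]


def self_checksum(mem: SplitTlbMemory, start: int, length: int) -> int:
    # A self-checking program reads its own text with ordinary loads, i.e.
    # through the DTLB. The hash itself is an arbitrary choice.
    total = 0
    for addr in range(start, start + length):
        total = (total * 31 + mem.read(addr)) & 0xFFFFFFFF
    return total


def demo() -> tuple[bool, bool, bool]:
    # Returns (von Neumann patch detected, split-TLB patch detected,
    #          patched byte still executed under the split-TLB mapping).
    text = bytes(range(0x10, 0x20))           # constructed "code" page
    mem = SplitTlbMemory({0: text, 1: text})  # frame 1 = unmodified copy
    mem.map_page(0, 0)
    baseline = self_checksum(mem, 0, PAGE_SIZE)
    mem.frames[0][3] = 0x90                   # single-store patch: both paths see it
    von_neumann_detected = self_checksum(mem, 0, PAGE_SIZE) != baseline
    mem.dtlb[0] = 1                           # data reads now hit the unmodified copy
    split_detected = self_checksum(mem, 0, PAGE_SIZE) != baseline
    return von_neumann_detected, split_detected, mem.fetch(3) == 0x90
```

The result (True, False, True) is the slide's point in miniature: a checksum computed through data reads only guards the page that data reads reach, so a defender who relies on it needs some check that the instruction and data translations actually agree.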
System Architecture
[Figure: system architecture: the target OS runs on the hypervisor; the victim process has a modified code page and an unmodified code page; Igor is attached via Dyninst; a comm channel carries page correspondences]
Current Status
- Running modified Xen and XenLinux installations
- Tracking of page faults in the target program address space
  - Currently implemented with a device driver that makes hypercalls to Xen
- Remaining tasks:
  - TLB entry installation
  - Igor process
  - Communication channel from Igor to the Xen hypervisor
  - Performance measurements