1
Xen and the Art of Binary Modification
Lies, Damn Lies, and Page Frame Addresses
Greg Cooksey and Nate Rosenblum, March 2007
2
Motivation: Paranoid Programs
Programs can be designed to be tamper resistant:
Obfuscation of control flow
Run-time decryption of executable code
Detection of static or dynamic modification
Goal: subvert the tamper prevention mechanisms
Enables reverse engineering ("what does this virus do?")
Allows binary modification ("now this virus does something else")
3
Self-checksumming Code
The value of some computation depends on the bytes of the program text
Allows detection of modifications (e.g. instrumentation, binary rewriting)
Makes an implicit assumption of a von Neumann (single store) memory architecture: the bytes the check reads are the bytes the processor executes
Multiple overlapping checksums help prevent tampering (patching out one check changes text covered by another)
[Figure: a tamper-resistant process on a von Neumann architecture; data reads and instruction fetches both go to the same memory]
4
Attacking Self-checksumming Code
Violating the von Neumann assumption defeats the protection: data reads of the code region return the original bytes while instruction fetches execute modified ones
Emulation: allows detection and redirection of data reads
But... is slow, expensive
Malicious Operating System: introduced in Wurster (2004)
Utilizes the virtual memory hardware
But... requires a modified OS
[Figure: a tamper-resistant process on a Harvard architecture; data reads and instruction fetches are served by separate memories]
5
Malicious Virtualization
Hypothesis: the Virtual Machine Monitor is a superior malicious agent
The VMM is responsible for managing virtual memory
Able to modify virtual memory mappings without operating system assistance
Allows attacks on commodity operating systems (e.g. Microsoft Windows)
Virtualization is significantly less expensive than emulation
Xen: open source VMM whose privileged control domain (Dom0) runs Linux
6
Overview of Approach
Modern processors are effectively Harvard architectures at the address-translation level
E.g. x86: separate instruction and data translation lookaside buffers (TLBs), so the same linear address can map to different physical pages depending on whether it is fetched or read
The VMM can get notification of page accesses (it owns the guest page tables and can take the resulting page faults)
Instruction TLB points to the modified code page
On a data read access, edit the data TLB to point to the unmodified page
[Figure: a 32-bit linear address, split into directory, table and offset fields, is translated through the ITLB on an instruction fetch ("fetch? yes") and through the DTLB on a data access ("fetch? no"); normally both TLBs hold the same physical address for that page]
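The attack sketched on slides 3, 4 and 6, as an added example (not code from the slides or from the Cooksey/Rosenblum project): a user-space model in which two arrays stand in for the x86 ITLB and DTLB, an array of 4 KiB frames stands in for physical memory, and the protected "program text" is constructed pseudo-random bytes. A Fletcher-16 self-check reads its own text through the data path while the processor "executes" through the instruction path. Real hardware only lets a hypervisor or kernel install divergent TLB entries; here the tables are plain arrays so the effect can be observed directly. All names (itlb, dtlb, frame layout, patch offset) are this example's own.

```c
/* Added example, not from the Cooksey/Rosenblum slides: a user-space model
 * of the split-TLB attack on self-checksumming code. Two tables stand in
 * for the x86 ITLB/DTLB, an array of frames for physical memory, and the
 * "program text" is constructed pseudo-random bytes. All names are ours. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PAGE_SHIFT 12
#define PAGE_SIZE  (1u << PAGE_SHIFT)
#define NFRAMES    4          /* frames of modelled physical memory */
#define NPAGES     4          /* virtual pages we allow to be mapped */
#define CODE_BASE  0x0000u    /* protected code lives in virtual page 0 */
#define PATCH_OFF  0x100u     /* byte the attacker wants to change */

static uint8_t phys[NFRAMES][PAGE_SIZE];

/* A TLB: virtual page number -> physical frame number (-1 = not present). */
typedef struct { int frame[NPAGES]; } tlb_t;
static tlb_t itlb, dtlb;

/* 32-bit x86 linear address fields, as in the slide's figure. */
unsigned pd_index(uint32_t la)  { return la >> 22; }
unsigned pt_index(uint32_t la)  { return (la >> 12) & 0x3ff; }
unsigned pg_offset(uint32_t la) { return la & 0xfff; }

static uint8_t *translate(const tlb_t *t, uint32_t la) {
    unsigned vpn = (pd_index(la) << 10) | pt_index(la);   /* 20-bit page number */
    if (vpn >= NPAGES || t->frame[vpn] < 0) {
        fprintf(stderr, "page fault at %#x\n", (unsigned)la);
        exit(1);
    }
    return &phys[t->frame[vpn]][pg_offset(la)];
}

/* The two access paths a von Neumann checksum assumes are identical. */
static uint8_t fetch(uint32_t la) { return *translate(&itlb, la); }  /* instruction fetch */
static uint8_t read8(uint32_t la) { return *translate(&dtlb, la); }  /* data read */

/* Self-check: Fletcher-16 over the protected text, read through the data path. */
uint16_t self_checksum(uint32_t start, uint32_t len) {
    uint16_t a = 0, b = 0;
    for (uint32_t i = 0; i < len; i++) {
        a = (uint16_t)((a + read8(start + i)) % 255);
        b = (uint16_t)((b + a) % 255);
    }
    return (uint16_t)((b << 8) | a);
}

/* Constructed victim: deterministic pseudo-random "instruction bytes" in frame 0,
 * mapped at virtual page 0 through both TLBs (the normal single-store view). */
static void load_victim(void) {
    uint32_t x = 0x1234567u;
    for (unsigned i = 0; i < PAGE_SIZE; i++) {
        x = x * 1103515245u + 12345u;
        phys[0][i] = (uint8_t)(x >> 16);
    }
    for (int p = 0; p < NPAGES; p++) itlb.frame[p] = dtlb.frame[p] = -1;
    itlb.frame[0] = dtlb.frame[0] = 0;
}

/* Attacker's copy in frame 1: identical text except for one flipped bit. */
static void make_patched_copy(void) {
    memcpy(phys[1], phys[0], PAGE_SIZE);
    phys[1][PATCH_OFF] ^= 0x80;
}

/* Scenario 1 (single store): both paths now use the patched frame.
 * Returns 1 when the self-check notices, i.e. the protection works. */
int inplace_patch_detected(void) {
    load_victim();
    uint16_t expected = self_checksum(CODE_BASE, PAGE_SIZE);
    make_patched_copy();
    itlb.frame[0] = dtlb.frame[0] = 1;
    return self_checksum(CODE_BASE, PAGE_SIZE) != expected;
}

/* Scenario 2 (split TLB): fetches go to the patched frame, data reads to the
 * original. Returns 1 when the self-check still passes yet the byte that
 * would be executed is the patched one. */
int split_tlb_evades(void) {
    load_victim();
    uint16_t expected = self_checksum(CODE_BASE, PAGE_SIZE);
    make_patched_copy();
    itlb.frame[0] = 1;   /* ITLB -> modified code page */
    dtlb.frame[0] = 0;   /* DTLB -> unmodified page */
    int runs_patched = fetch(CODE_BASE + PATCH_OFF) != read8(CODE_BASE + PATCH_OFF);
    return self_checksum(CODE_BASE, PAGE_SIZE) == expected && runs_patched;
}

int main(void) {
    printf("in-place patch detected by self-check: %s\n",
           inplace_patch_detected() ? "yes" : "no");
    printf("split-TLB patch passes self-check:     %s\n",
           split_tlb_evades() ? "yes" : "no");
    return 0;
}
```

The first scenario is the situation the slides' von Neumann figure describes: with one mapping for both access paths, any patch to the text changes what the checksum reads, so it is caught. The second scenario is the slide 6 approach: the checksum reads every byte of the original frame and passes, while the instruction path delivers the patched byte. In the real system this divergence is what the hypervisor has to create by installing different ITLB and DTLB entries for the same linear address, which is why it needs the page-fault notification and the page correspondences mentioned on the following slides.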
7
System Architecture
[Figure: the target OS runs as a guest on the Xen hypervisor. Inside the guest, the victim process runs alongside "Igor", the attacker's agent, which attaches to the victim with Dyninst and holds both the modified and the unmodified code pages. Igor reports the page correspondences (modified page to unmodified page) to the hypervisor over a communication channel.]
8
Current Status
Running modified Xen and XenLinux installations
Tracking of page faults in the target program's address space
Currently implemented with a device driver that makes hypercalls to Xen
Remaining tasks:
TLB entry installation
Igor process
Communication channel from Igor to the Xen hypervisor
Performance measurements