DOCSLIB.ORG

Non-Intrusive Virtual Machine Analysis and Reverse Debugging with SWAT

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Non-Intrusive Virtual Machine Analysis and Reverse Debugging with SWAT 2020 IEEE 20th International Conference on Software Quality, Reliability and Security (QRS) Non-intrusive Virtual Machine Analysis and Reverse Debugging with SWAT Pavel Dovgalyuk Ivan Vasiliev Natalia Fursova Institute for System Programming Institute for System Programming Institute for System Programming Moscow, Russia Moscow, Russia Moscow, Russia [email protected] [email protected] [email protected] Denis Dmitriev Mikhail Abakumov Vladimir Makarov Institute for System Programming Institute for System Programming Institute for System Programming Moscow, Russia Moscow, Russia Moscow, Russia [email protected] [email protected] [email protected] Abstract—This paper presents SWAT — System-Wide Analysis Most of the virtual machine debugging tools (like GDB) Toolkit. It is based on open source emulation and debugging are targeted to Linux. Debugging of Windows software is projects and implements the approaches for non-intrusive system- different, because GDB can’t read debug symbol files for wide analysis and debugging: lightweight OS-agnostic virtual machine introspection, full system execution replay, non-intrusive Windows. There is a powerful debugger — WinDbg, provided debugging with WinDbg, and full system reverse debugging. by Microsoft. But this debugger requires a running debug These features are based on novel non-intrusive introspection server within the guest system, which limits applicability of and reverse debugging methods. They are useful for stealth the debugger, because analyzed malware can detect the usage debugging and analysis of the platforms with custom kernels. of the server. SWAT includes multi-platform emulator QEMU with additional instrumentation and debugging features, GUI for convenient Virtual machine introspection (VMI) is used to extract QEMU setup and execution, QEMU plugin for non-intrusive structure and behavior of the guest system and programs [4]. introspection, and modified version of GDB. Our toolkit may be Most of the existing VMI methods are intrusive — they require useful for the developers of the virtual platforms, emulators, and code injection into the guest (modified kernel, introspection firmwares/drivers/operating systems. Virtual machine intospec- agent, and so on) [5] and can’t work without the build tools tion approach does not require loading any guest agents and source code of the OS. Therefore it may be applied to ROM- inside the VM or when the execution is recorded. Others (like based guest systems and enables using of record/replay of the PyREBox [6]) can only work with a limited set of OS versions system execution. This paper includes the description of SWAT and builds. Therefore such methods can’t be applied for the components, analysis methods, and some SWAT use cases. custom builds of Linux, that do not have build tools inside. Index Terms—Software instrumentation; Dynamic analysis; WinDbg server and VMI agents also are not possible to use Virtual machine; Introspection; QEMU; SWAT when the execution is recorded, because they must be running live to provide the data. I. INTRODUCTION Our work is targeted to overcoming the following limitations System wide analysis and debugging are needed for op- of state-of-the-art methods: erating system (OS) development, malware analysis, driver • No introspection tool for custom Linux cores. Every debugging, and so on. Tools for aiding in this work use virtual existing tool requires either instrumenting of the source machines to provide isolation and ease the instrumentation and code, or loading guest agent into the virtual machine. analysis. Therefore such tools can’t introspect custom Linux cores The following techniques are the concrete dynamic analysis that do not provide SDK for compilation of the core or methods used for virtual machine and user-level debugging. guest agent. Reverse debugging is used for examining the past states of • No stealth/repeatable debugging with support of Windows the system or program and for deterministically replaying the internals. Windows SDK includes WinDbg which can be recorded executions. There are some reverse debugging tools used for system-wide introspection and debugging. But it for user space programs (e.g., Mozilla RR [1]). can’t be used in deterministic mode of execution, because Existing solutions for system wide execution record/replay the guest debugging server must be run inside the virtual [2], [3] can’t be easily obtained, or lack the capabilities for machine. For the same reason WinDbg can’t be used reverse debugging the whole machine, when the state of all for stealth debugging, because malware may detect the virtual devices is replayed. Therefore the drivers and firmwares debugging server. can be observed only as the code plus memory without any • No convenient tool for reverse debugging of the virtual infomation about the current virtual device state. machines (gdb + gui). Reverse debugging of the virtual 978-1-7281-8913-0/20/$31.00 ©2020 IEEE 196 DOI 10.1109/QRS51102.2020.00036 machines incurs record and replay of its’ executions. But none of the existing tools provide handy interface Recorded Execution for replaying the executions and configuring the virtual machine peripheral devices. Manual command line con- VM Configuration figuration for hardware configuration, reverse debugging, and introspection is error prone. SWAT (System Wide Analysis Toolkit) solves the above GDB QEMU GUI problems by providing the following tools and methods: • Extended lightweight introspection method for supporting platform- and OS-agnostic virtual machine API monitor- ing. • Modified QEMU — multi platform emulator. It includes the features that are not available in the vanilla version: VMI WinDbg reverse debugging, WinDbg server, instrumentation layer, plugin support. These features provide stealth and deter- ministic debugging and analysis methods. • Introspection QEMU plugin for virtual machines based Syscall and API log on x86, x86 64, ARM, and AArch64 platforms. This plugin support both Windows and Linux kernels. Figure 1: Components of the System Wide Analysis Toolkit. • GDB which includes reverse debugging with improved WinDbg is an external tool from Microsoft Windows SDK. performance. • Method for extracting command line parameters from III. EXECUTION RECORD AND REPLAY QEMU for visual management of the virtual machine command line configuration. Virtual machine record and replay is the feature which • qemu-gui — a tool for managing QEMU-based virtual allows recording whole machine execution and later replaying machines with the support of execution recording and it for the sake of debugging or analysis [8]. replaying. Modern approaches to record and replay of the virtual machine execution are implemented within several emulators II. SYSTEM WIDE ANALYSIS TOOLKIT (QEMU [8], Simics [3]) and dynamic analysis frameworks (PANDA [2], Crosscut [14]). Another approach to analysis of SWAT is aimed to make full system debugging and analysis the recorded execution is collecting detailed traces for analysis easier. In its core lays QEMU — multi-platform emulator [7], instead or replaying system behavior [15]. which was modified to add debugging and analysis tools We used QEMU in our toolkit, because it is open source, (Figure 1. high performance, has wide cross-ISA support, and can be Execution record/replay is mandatory for reverse debugging, modified for adding reverse debugging and introspection ca- because program can’t run in backward direction without pabilities. Unlike PANDA, it replays whole emulator behavior recording prior execution steps [8]. It is also very helpful to (including the video output and state of the virtual devices), dynamic binary analysis, because analysis can be decoupled which is useful for convenient debugging, and for development from the execution, and won’t affect the guest behavior [9]. and debugging of the virtual devices within the emulator. Recent versions of QEMU include execution record and replay. To make it more useful we added WinDbg debug IV. GUI FOR QEMU server into QEMU [10], and implemented reverse debugging We introduced a graphical utility for virtual machine man- commands for using with GDB [11]. We also extended GDB agement. Our aim was to help two categories of users: to improve its reverse debugging capabilities. regular QEMU users that debug virtual machines, and QEMU Dynamic binary instrumentation is the only option for developers that may have several builds of QEMU to test their analysis both of kernel and user-level code in the virtual virtual machines. machines [12], [13]. Our modifed version supports instrumen- QEMUs command line is very tricky for a regular user. tation of the guest code and includes a plugin subsystem [5]. One would often forget and miss parameters or would not We also provide a plugin for non-intrusive virtual machine be able to configure QEMU for the specific operation mode introspection. like execution record or replay. QEMU developers could use SWAT also includes graphical utility for managing the some help too, because they need a convenient way to switch virtual machine configurations, which is similar to the one between different builds or versions of the emulator. provided with VirtualBox and VMWare. Our tool has some Also different versions of QEMU support different virtual additional features that allow convenient control of the virtual devices. We can’t hardcode all of them in our tool, therefore machine recordings to make full system debugging more user- we needed to extract list
Load more

Recommended publications
  • Effective Virtual CPU Configuration with QEMU and Libvirt
    Effective Virtual CPU Configuration with QEMU and libvirt Kashyap Chamarthy <[email protected]> Open Source Summit Edinburgh, 2018 1 / 38 Timeline of recent CPU flaws, 2018 (a) Jan 03 • Spectre v1: Bounds Check Bypass Jan 03 • Spectre v2: Branch Target Injection Jan 03 • Meltdown: Rogue Data Cache Load May 21 • Spectre-NG: Speculative Store Bypass Jun 21 • TLBleed: Side-channel attack over shared TLBs 2 / 38 Timeline of recent CPU flaws, 2018 (b) Jun 29 • NetSpectre: Side-channel attack over local network Jul 10 • Spectre-NG: Bounds Check Bypass Store Aug 14 • L1TF: "L1 Terminal Fault" ... • ? 3 / 38 Related talks in the ‘References’ section Out of scope: Internals of various side-channel attacks How to exploit Meltdown & Spectre variants Details of performance implications What this talk is not about 4 / 38 Related talks in the ‘References’ section What this talk is not about Out of scope: Internals of various side-channel attacks How to exploit Meltdown & Spectre variants Details of performance implications 4 / 38 What this talk is not about Out of scope: Internals of various side-channel attacks How to exploit Meltdown & Spectre variants Details of performance implications Related talks in the ‘References’ section 4 / 38 OpenStack, et al. libguestfs Virt Driver (guestfish) libvirtd QMP QMP QEMU QEMU VM1 VM2 Custom Disk1 Disk2 Appliance ioctl() KVM-based virtualization components Linux with KVM 5 / 38 OpenStack, et al. libguestfs Virt Driver (guestfish) libvirtd QMP QMP Custom Appliance KVM-based virtualization components QEMU QEMU VM1 VM2 Disk1 Disk2 ioctl() Linux with KVM 5 / 38 OpenStack, et al. libguestfs Virt Driver (guestfish) Custom Appliance KVM-based virtualization components libvirtd QMP QMP QEMU QEMU VM1 VM2 Disk1 Disk2 ioctl() Linux with KVM 5 / 38 libguestfs (guestfish) Custom Appliance KVM-based virtualization components OpenStack, et al.
    [Show full text]
  • QEMU Parameter Jungle Slides
    Finding your way through the QEMU parameter jungle 2018-02-04 Thomas Huth <[email protected]> Legal ● Disclaimer: Opinions are my own and not necessarily the views of my employer ● “Jungle Leaves” background license: CC BY 3.0 US : https://creativecommons.org/licenses/by/3.0/us/ Image has been modified from the original at: https://www.freevector.com/jungle-leaves-vector-background 2 Introduction 3 Why a guide through the QEMU parameter jungle? 4 Why a guide through the QEMU parameter jungle? ● QEMU is a big project, supports lots of emulated devices, and lots of host backends ● 15 years of development → a lot of legacy ● $ qemu-system-i386 -h | wc -l 454 ● People regularly ask about CLI problems on mailing lists or in the IRC channels → Use libvirt, virt-manager, etc. if you just want an easier way to run a VM 5 General Know-How ● QEMU does not distinguish single-dash options from double-dash options: -h = --h = -help = --help ● QEMU starts with a set of default devices, e.g. a NIC and a VGA card. If you don't want this: --nodefaults or suppress certain default devices: --vga none --net none 6 Getting help about the options ● Parameter overview: -h or --help (of course) ● Many parameters provide info with “help”: --accel help ● Especially, use this to list available devices: --device help ● To list parameters of a device: --device e1000,help ● To list parameters of a machine: --machine q35,help 7 e1000 example ● $ qemu-system-x86_64 --device e1000,help [...] e1000.addr=int32 (PCI slot and function¼) e1000.x-pcie-extcap-init=bool (on/off) e1000.extra_mac_registers=bool (on/off) e1000.mac=str (Ethernet 6-byte MAC Address¼) e1000.netdev=str (ID of a netdev backend) ● $ qemu-system-x86_64 --device \ e1000,mac=52:54:00:12:34:56,addr=06.0 8 General Know How: Guest and Host There are always two parts of an emulated device: ● Emulated guest hardware, e.g.: --device e1000 ● The backend in the host, e.g.: --netdev tap Make sure to use right set of parameters for configuration! 9 “Classes” of QEMU parameters ● Convenience : Easy to use, but often limited scope.
    [Show full text]
  • Linux on the Road
    Linux on the Road Linux with Laptops, Notebooks, PDAs, Mobile Phones and Other Portable Devices Werner Heuser <wehe[AT]tuxmobil.org> Linux Mobile Edition Edition Version 3.22 TuxMobil Berlin Copyright © 2000-2011 Werner Heuser 2011-12-12 Revision History Revision 3.22 2011-12-12 Revised by: wh The address of the opensuse-mobile mailing list has been added, a section power management for graphics cards has been added, a short description of Intel's LinuxPowerTop project has been added, all references to Suspend2 have been changed to TuxOnIce, links to OpenSync and Funambol syncronization packages have been added, some notes about SSDs have been added, many URLs have been checked and some minor improvements have been made. Revision 3.21 2005-11-14 Revised by: wh Some more typos have been fixed. Revision 3.20 2005-11-14 Revised by: wh Some typos have been fixed. Revision 3.19 2005-11-14 Revised by: wh A link to keytouch has been added, minor changes have been made. Revision 3.18 2005-10-10 Revised by: wh Some URLs have been updated, spelling has been corrected, minor changes have been made. Revision 3.17.1 2005-09-28 Revised by: sh A technical and a language review have been performed by Sebastian Henschel. Numerous bugs have been fixed and many URLs have been updated. Revision 3.17 2005-08-28 Revised by: wh Some more tools added to external monitor/projector section, link to Zaurus Development with Damn Small Linux added to cross-compile section, some additions about acoustic management for hard disks added, references to X.org added to X11 sections, link to laptop-mode-tools added, some URLs updated, spelling cleaned, minor changes.
    [Show full text]
  • Many Things Related to Qubesos
    Qubes OS Many things Many things related to QubesOS Author: Neowutran Contents 1 Wiping VM 2 1.1 Low level storage technologies .................. 2 1.1.1 Must read ......................... 2 1.1.2 TL;DR of my understanding of the issue ........ 2 1.1.3 Things that could by implemented by QubesOS .... 2 2 Create a Gaming HVM 2 2.1 References ............................. 2 2.2 Prerequise ............................. 3 2.3 Hardware ............................. 3 2.4 Checklist .............................. 4 2.5 IOMMU Group .......................... 4 2.6 GRUB modification ........................ 4 2.7 Patching stubdom-linux-rootfs.gz ................ 5 2.8 Pass the GPU ........................... 6 2.9 Conclusion ............................. 6 2.10 Bugs ................................ 6 3 Create a Linux Gaming HVM, integrated with QubesOS 7 3.1 Goals ................................ 7 3.2 Hardware used .......................... 7 3.3 Main steps summary ....................... 7 3.3.1 Detailled steps ...................... 8 3.3.2 Using a kernel provided by debian ............ 8 3.4 Xorg ................................ 8 3.4.1 Pulseaudio ......................... 11 3.5 Final notes ............................ 11 3.6 References ............................. 12 4 Nitrokey and QubeOS 12 5 Recovery: Mount disk 12 6 Disposable VM 13 6.1 Introduction ............................ 14 6.1.1 References ......................... 14 6.1.2 What is a disposable VM? ................ 14 6.2 Playing online video ....................... 14 6.3 Web browsing ........................... 15 6.4 Manipulating untrusted files/data ................ 16 1 6.5 Mounting LVM image ...................... 17 6.6 Replace sys-* VM ......................... 18 6.7 Replace some AppVMs ...................... 18 7 Building a new QubesOS package 18 7.1 References ............................. 18 7.2 Goal ................................ 18 7.3 The software ............................ 19 7.4 Packaging ............................. 19 7.5 Building .............................
    [Show full text]
  • Latest X64dbg Version Supports Non-English Languges Through a Generic Algorithm That May Or May Not Work Well in Your Language
    x64dbg Documentation Release 0.1 x64dbg Jul 05, 2021 Contents 1 Suggested reads 1 1.1 What is x64dbg?.............................................1 1.2 Introduction...............................................1 1.3 GUI manual............................................... 15 1.4 Commands................................................ 31 1.5 Developers................................................ 125 1.6 Licenses................................................. 261 2 Indices and tables 277 i ii CHAPTER 1 Suggested reads If you came here because someone told you to read the manual, start by reading all sections of the introduction. Contents: 1.1 What is x64dbg? This is a x64/x32 debugger that is currently in active development. The debugger (currently) has three parts: • DBG • GUI • Bridge DBG is the debugging part of the debugger. It handles debugging (using TitanEngine) and will provide data for the GUI. GUI is the graphical part of the debugger. It is built on top of Qt and it provides the user interaction. Bridge is the communication library for the DBG and GUI part (and maybe in the future more parts). The bridge can be used to work on new features, without having to update the code of the other parts. 1.2 Introduction This section explains the basics of x64dbg. Make sure to fully read this! Contents: 1 x64dbg Documentation, Release 0.1 1.2.1 Features This program is currently under active development. It supports many basic and advanced features to ease debugging on Windows. Basic features • Full-featured debugging of DLL and EXE files (TitanEngine Community Edition) • 32-bit and 64-bit Windows support from Windows XP to Windows 10 • Built-in assembler (XEDParse/Keystone/asmjit) • Fast disassembler (Zydis) • C-like expression parser • Logging • Notes • Memory map view • Modules and symbols view • Source code view • Thread view • Content-sensitive register view • Call stack view • SEH view • Handles, privileges and TCP connections enumeration.
    [Show full text]
  • Using EMC VNX Storage with Vmware Vsphere Techbook CONTENTS
    Using EMC® VNX® Storage with VMware vSphere Version 4.0 TechBook P/N H8229 REV 05 Copyright © 2015 EMC Corporation. All rights reserved. Published in the USA. Published January 2015 EMC believes the information in this publication is accurate as of its publication date. The information is subject to change without notice. The information in this publication is provided as is. EMC Corporation makes no representations or warranties of any kind with respect to the information in this publication, and specifically disclaims implied warranties of merchantability or fitness for a particular purpose. Use, copying, and distribution of any EMC software described in this publication requires an applicable software license. EMC2, EMC, and the EMC logo are registered trademarks or trademarks of EMC Corporation in the United States and other countries. All other trademarks used herein are the property of their respective owners. For the most up-to-date regulatory document for your product line, go to EMC Online Support (https://support.emc.com). 2 Using EMC VNX Storage with VMware vSphere TechBook CONTENTS Preface Chapter 1 Configuring VMware vSphere on VNX Storage Technology overview................................................................................... 18 EMC VNX family..................................................................................... 18 FLASH 1st.............................................................................................. 18 MCx multicore optimization..................................................................
    [Show full text]
  • 5 Ways Vmware Vsphere Improves Backup and Recovery
    5 Ways VMware vSphereChapter1. Improves An Introduction Backup and to VMware Recovery Virtualization CONTENTS CONTENTS..............................................................................................................2 INTRODUCTION......................................................................................................2 A BRIEF HISTORY OF VMWARE ..............................................................................3 VIRTUALIZATION ARCHITECTURE...........................................................................4 THE HYPERVISOR............................................................................................................................4 RINGS IN VIRTUALIZATION..............................................................................................................7 CPU SCHEDULER............................................................................................................................9 DIFFERENCES BETWEEN ESX & ESXI.............................................................................................9 WHAT IS A VIRTUAL MACHINE?...........................................................................12 ENCAPSULATION.......................................................................................................................... 12 VIRTUAL MACHINE HARDWARE ................................................................................................. 13 VIRTUAL MACHINE FILES ...........................................................................................................
    [Show full text]
  • QEMU for Xen Secure by Default
    QEMU for Xen secure by default Deprivileging the PC system emulator Ian Jackson <[email protected]> FOSDEM 2016 with assistance from Stefano Stabellini guest guest Xen PV driver IDE driver Xen PV protocol mmio, dma, etc. qemu Emulated IDE controller Xen PV backend (usually), syscalls (usually) dom0 (usu.dom0) kernel Device driver kernel Device driver PV HVM ... ... ... ... ... from Xen Security Team advisories page, http://xenbits.xen.org/xsa/ Xen on x86 modes, and device model bug implications Current status for users of upstream Xen and distros and future plans Status Device model Notes bugs mean PV Fully supported Safe (no DM) Only modified guests HVM qemu in dom0 Fully supported Vulnerable Current default as root HVM qemu stub DM Upstream but not Safe Ancient qemu qemu-xen-trad. in most distros. Build system problems HVM qemu stub DM In progress Safe Rump build system rump kernel Hard work! is mini distro HVM qemu dom0 Targeting No privilege esc. Defence in depth not as root Xen 4.7 Maybe dom0 DoS Hopefully, will be default Xen on x86 modes, and device model bug implications Current status for users of upstream Xen and distros and future plans Status Device model Notes bugs mean PV Fully supported Safe (no DM) Only modified guests HVM qemu in dom0 Fully supported Vulnerable Current default as root HVM qemu stub DM Upstream but not Safe Ancient qemu qemu-xen-trad. in most distros. Build system problems HVM qemu stub DM In progress Safe Rump build system rump kernel Hard work! is mini distro HVM qemu dom0 Targeting No privilege esc.
    [Show full text]
  • Introduction to Virtualization Virtualization
    Introduction to Virtualization Prashant Shenoy Computer Science CS691D: Hot-OS Lecture 2, page 1 Virtualization • Virtualization: extend or replace an existing interface to mimic the behavior of another system. – Introduced in 1970s: run legacy software on newer mainframe hardware • Handle platform diversity by running apps in VMs – Portability and flexibility Computer Science CS691D: Hot-OS Lecture 2, page 2 Types of Interfaces • Different types of interfaces – Assembly instructions – System calls – APIs • Depending on what is replaced /mimiced, we obtain different forms of virtualization Computer Science CS691D: Hot-OS Lecture 2, page 3 Types of Virtualization • Emulation – VM emulates/simulates complete hardware – Unmodified guest OS for a different PC can be run • Bochs, VirtualPC for Mac, QEMU • Full/native Virtualization – VM simulates “enough” hardware to allow an unmodified guest OS to be run in isolation • Same hardware CPU – IBM VM family, VMWare Workstation, Parallels,… Computer Science CS691D: Hot-OS Lecture 2, page 4 Types of virtualization • Para-virtualization – VM does not simulate hardware – Use special API that a modified guest OS must use – Hypercalls trapped by the Hypervisor and serviced – Xen, VMWare ESX Server • OS-level virtualization – OS allows multiple secure virtual servers to be run – Guest OS is the same as the host OS, but appears isolated • apps see an isolated OS – Solaris Containers, BSD Jails, Linux Vserver • Application level virtualization – Application is gives its own copy of components that are not shared • (E.g., own registry files, global objects) - VE prevents conflicts – JVM Computer Science CS691D: Hot-OS Lecture 2, page 5 Examples • Application-level virtualization: “process virtual machine” • VMM /hypervisor Computer Science CS691D: Hot-OS Lecture 2, page 6 The Architecture of Virtual Machines J Smith and R.
    [Show full text]
  • Intel® Inspector 2020 Update 2 Release Notes Intel® Inspector 2020 Update 2 to Learn More About This Product, See
    Intel® Inspector 2020 Update 2 Release Notes 16 July 2020 Intel® Inspector 2020 Update 2 Customer Support For technical support, including answers to questions not addressed in this product, visit the technical support forum, FAQs, and other support information at: • https://software.intel.com/en-us/inspector/support/ • http://www.intel.com/software/products/support/ • https://software.intel.com/en-us/inspector Please remember to register your product at https://registrationcenter.intel.com/ by providing your email address. Registration entitles you to free technical support, product updates and upgrades for the duration of the support term. It also helps Intel recognize you as a valued customer in the support forum. NOTE: If your distributor provides technical support for this product, please contact them for support rather than Intel. Contents 1 Introduction 2 2 What’s New 3 3 System Requirements 3 4 Where to Find the Release 5 5 Installation Notes 5 6 Known Issues 7 7 Attributions 13 8 Legal Information 13 1 Introduction Intel® Inspector helps developers identify and resolve memory and threading correctness issues in their C, C++ and Fortran applications on Windows* and Linux*. Additionally, on Windows platforms, the tool allows the analysis of the unmanaged portion of mixed managed and unmanaged programs and identifies threading correctness issues in managed .NET C# applications. Intel Inspector is a dynamic error checking tool for developing multithreaded applications on Windows or Linux operating systems. Intel Inspector maximizes code quality and reliability by quickly detecting memory, threading, and source code security errors during the development cycle. You can also use the Intel Inspector to visualize and manage Static Analysis results created by Intel® compilers in various suite products.
    [Show full text]
  • Demarinis Kent Williams-King Di Jin Rodrigo Fonseca Vasileios P
    sysfilter: Automated System Call Filtering for Commodity Software Nicholas DeMarinis Kent Williams-King Di Jin Rodrigo Fonseca Vasileios P. Kemerlis Department of Computer Science Brown University Abstract This constant stream of additional functionality integrated Modern OSes provide a rich set of services to applications, into modern applications, i.e., feature creep, not only has primarily accessible via the system call API, to support the dire effects in terms of security and protection [1, 71], but ever growing functionality of contemporary software. How- also necessitates a rich set of OS services: applications need ever, despite the fact that applications require access to part of to interact with the OS kernel—and, primarily, they do so the system call API (to function properly), OS kernels allow via the system call (syscall) API [52]—in order to perform full and unrestricted use of the entire system call set. This not useful tasks, such as acquiring or releasing memory, spawning only violates the principle of least privilege, but also enables and terminating additional processes and execution threads, attackers to utilize extra OS services, after seizing control communicating with other programs on the same or remote of vulnerable applications, or escalate privileges further via hosts, interacting with the filesystem, and performing I/O and exploiting vulnerabilities in less-stressed kernel interfaces. process introspection. To tackle this problem, we present sysfilter: a binary Indicatively, at the time of writing, the Linux
    [Show full text]
  • IBM Virtual Machine Facility/370 : Systems Introduction
    GC20-1800-0 IBM Virtual Machine Facility/370 : Systems Introduction The IBM Virtual Machine Facility/370 (VM/370) is a System Control Program (SCP) that has been designed specifically for the IBM System/370. VM/370 manages the IBM System/370 in such a way that mUltiple remote terminal users appear to have a dedicated computing system at their disposal. Within this "virtual machine" the user may run the operaHng system of his choice, subject to the restrictions noted in "Appendix C: VM/370 Restrictions" of this manual. The design of VM/370 is based on the IBM Control Program-67/Cam­ bridge Monitor System (CP-67/CMS) which is executed on an IBM System/360 Model 67. The Conversational Monitor System (CMS) is the major subsystem ofVM/370. CMS provides problem solving and program development services to the user, as well as supporting facilities for a remote user who chooses to run some other operating system in his virtual machine. This manual provides introductory information about the facilities provided by VM/370, and defines the min­ imum equipment configuration necessary for execution. Preface This manual provides introductory information on the IBM Virtual Machine Facility/370 (VM/370) and its associated subsystem, the Conversational Monitor Sys­ tem (CMS), as well as an overview of the purpose and functions of VM/370. It is assumed that the user has a prior knowledge of virtual storage concepts as implemented on the IBM System/370 via dynamic address translation. The reader is referred to Part I of the student text publication Introduction to Virtual Storage in System/370, Order No.
    [Show full text]