2020 IEEE 20th International Conference on Software Quality, Reliability and Security (QRS) Non-intrusive Virtual Machine Analysis and Reverse Debugging with SWAT Pavel Dovgalyuk Ivan Vasiliev Natalia Fursova Institute for System Programming Institute for System Programming Institute for System Programming Moscow, Russia Moscow, Russia Moscow, Russia [email protected] [email protected] [email protected] Denis Dmitriev Mikhail Abakumov Vladimir Makarov Institute for System Programming Institute for System Programming Institute for System Programming Moscow, Russia Moscow, Russia Moscow, Russia [email protected] [email protected] [email protected] Abstract—This paper presents SWAT — System-Wide Analysis Most of the virtual machine debugging tools (like GDB) Toolkit. It is based on open source emulation and debugging are targeted to Linux. Debugging of Windows software is projects and implements the approaches for non-intrusive system- different, because GDB can’t read debug symbol files for wide analysis and debugging: lightweight OS-agnostic virtual machine introspection, full system execution replay, non-intrusive Windows. There is a powerful debugger — WinDbg, provided debugging with WinDbg, and full system reverse debugging. by Microsoft. But this debugger requires a running debug These features are based on novel non-intrusive introspection server within the guest system, which limits applicability of and reverse debugging methods. They are useful for stealth the debugger, because analyzed malware can detect the usage debugging and analysis of the platforms with custom kernels. of the server. SWAT includes multi-platform emulator QEMU with additional instrumentation and debugging features, GUI for convenient Virtual machine introspection (VMI) is used to extract QEMU setup and execution, QEMU plugin for non-intrusive structure and behavior of the guest system and programs [4]. introspection, and modified version of GDB. Our toolkit may be Most of the existing VMI methods are intrusive — they require useful for the developers of the virtual platforms, emulators, and code injection into the guest (modified kernel, introspection firmwares/drivers/operating systems. Virtual machine intospec- agent, and so on) [5] and can’t work without the build tools tion approach does not require loading any guest agents and source code of the OS. Therefore it may be applied to ROM- inside the VM or when the execution is recorded. Others (like based guest systems and enables using of record/replay of the PyREBox [6]) can only work with a limited set of OS versions system execution. This paper includes the description of SWAT and builds. Therefore such methods can’t be applied for the components, analysis methods, and some SWAT use cases. custom builds of Linux, that do not have build tools inside. Index Terms—Software instrumentation; Dynamic analysis; WinDbg server and VMI agents also are not possible to use Virtual machine; Introspection; QEMU; SWAT when the execution is recorded, because they must be running live to provide the data. I. INTRODUCTION Our work is targeted to overcoming the following limitations System wide analysis and debugging are needed for op- of state-of-the-art methods: erating system (OS) development, malware analysis, driver • No introspection tool for custom Linux cores. Every debugging, and so on. Tools for aiding in this work use virtual existing tool requires either instrumenting of the source machines to provide isolation and ease the instrumentation and code, or loading guest agent into the virtual machine. analysis. Therefore such tools can’t introspect custom Linux cores The following techniques are the concrete dynamic analysis that do not provide SDK for compilation of the core or methods used for virtual machine and user-level debugging. guest agent. Reverse debugging is used for examining the past states of • No stealth/repeatable debugging with support of Windows the system or program and for deterministically replaying the internals. Windows SDK includes WinDbg which can be recorded executions. There are some reverse debugging tools used for system-wide introspection and debugging. But it for user space programs (e.g., Mozilla RR [1]). can’t be used in deterministic mode of execution, because Existing solutions for system wide execution record/replay the guest debugging server must be run inside the virtual [2], [3] can’t be easily obtained, or lack the capabilities for machine. For the same reason WinDbg can’t be used reverse debugging the whole machine, when the state of all for stealth debugging, because malware may detect the virtual devices is replayed. Therefore the drivers and firmwares debugging server. can be observed only as the code plus memory without any • No convenient tool for reverse debugging of the virtual infomation about the current virtual device state. machines (gdb + gui). Reverse debugging of the virtual 978-1-7281-8913-0/20/$31.00 ©2020 IEEE 196 DOI 10.1109/QRS51102.2020.00036 machines incurs record and replay of its’ executions. But none of the existing tools provide handy interface Recorded Execution for replaying the executions and configuring the virtual machine peripheral devices. Manual command line con- VM Configuration figuration for hardware configuration, reverse debugging, and introspection is error prone. SWAT (System Wide Analysis Toolkit) solves the above GDB QEMU GUI problems by providing the following tools and methods: • Extended lightweight introspection method for supporting platform- and OS-agnostic virtual machine API monitor- ing. • Modified QEMU — multi platform emulator. It includes the features that are not available in the vanilla version: VMI WinDbg reverse debugging, WinDbg server, instrumentation layer, plugin support. These features provide stealth and deter- ministic debugging and analysis methods. • Introspection QEMU plugin for virtual machines based Syscall and API log on x86, x86 64, ARM, and AArch64 platforms. This plugin support both Windows and Linux kernels. Figure 1: Components of the System Wide Analysis Toolkit. • GDB which includes reverse debugging with improved WinDbg is an external tool from Microsoft Windows SDK. performance. • Method for extracting command line parameters from III. EXECUTION RECORD AND REPLAY QEMU for visual management of the virtual machine command line configuration. Virtual machine record and replay is the feature which • qemu-gui — a tool for managing QEMU-based virtual allows recording whole machine execution and later replaying machines with the support of execution recording and it for the sake of debugging or analysis [8]. replaying. Modern approaches to record and replay of the virtual machine execution are implemented within several emulators II. SYSTEM WIDE ANALYSIS TOOLKIT (QEMU [8], Simics [3]) and dynamic analysis frameworks (PANDA [2], Crosscut [14]). Another approach to analysis of SWAT is aimed to make full system debugging and analysis the recorded execution is collecting detailed traces for analysis easier. In its core lays QEMU — multi-platform emulator [7], instead or replaying system behavior [15]. which was modified to add debugging and analysis tools We used QEMU in our toolkit, because it is open source, (Figure 1. high performance, has wide cross-ISA support, and can be Execution record/replay is mandatory for reverse debugging, modified for adding reverse debugging and introspection ca- because program can’t run in backward direction without pabilities. Unlike PANDA, it replays whole emulator behavior recording prior execution steps [8]. It is also very helpful to (including the video output and state of the virtual devices), dynamic binary analysis, because analysis can be decoupled which is useful for convenient debugging, and for development from the execution, and won’t affect the guest behavior [9]. and debugging of the virtual devices within the emulator. Recent versions of QEMU include execution record and replay. To make it more useful we added WinDbg debug IV. GUI FOR QEMU server into QEMU [10], and implemented reverse debugging We introduced a graphical utility for virtual machine man- commands for using with GDB [11]. We also extended GDB agement. Our aim was to help two categories of users: to improve its reverse debugging capabilities. regular QEMU users that debug virtual machines, and QEMU Dynamic binary instrumentation is the only option for developers that may have several builds of QEMU to test their analysis both of kernel and user-level code in the virtual virtual machines. machines [12], [13]. Our modifed version supports instrumen- QEMUs command line is very tricky for a regular user. tation of the guest code and includes a plugin subsystem [5]. One would often forget and miss parameters or would not We also provide a plugin for non-intrusive virtual machine be able to configure QEMU for the specific operation mode introspection. like execution record or replay. QEMU developers could use SWAT also includes graphical utility for managing the some help too, because they need a convenient way to switch virtual machine configurations, which is similar to the one between different builds or versions of the emulator. provided with VirtualBox and VMWare. Our tool has some Also different versions of QEMU support different virtual additional features that allow convenient control of the virtual devices. We can’t hardcode all of them in our tool, therefore machine recordings to make full system debugging more user- we needed to extract list
Details
-
File Typepdf
-
Upload Time-
-
Content LanguagesEnglish
-
Upload UserAnonymous/Not logged-in
-
File Pages8 Page
-
File Size-