ABSTRACT
We propose a framework that provides a programming interface for performing complex dynamic system-level analyses of deployed production systems. By leveraging the hardware support for virtualization available nowadays on all commodity machines, our framework is completely transparent to the system under analysis and guarantees isolation of the analysis tools running on top of it. Thus, the internals of the running system's kernel need not be modified, and the whole platform runs unaware of the framework. Moreover, errors in the analysis tools do not affect the running system or the framework. This is accomplished by installing a minimalistic virtual machine monitor and migrating the system, as it runs, into a virtual machine. To demonstrate the potential of our framework, we developed an interactive kernel debugger named HyperDbg. HyperDbg can be used to debug any critical kernel component, and even to single-step the execution of exception and interrupt handlers.
Index Terms
- Dynamic and transparent analysis of commodity production systems