Title: ProbeBuilder - Automating Probe Construction in Virtual Machine Introspection through Uncovering Opaque Kernel Data Structures
Author: 王繼偉
Wang, Chi-Wei
謝續平
Shieh, Shiuhpyng
Institute of Computer Science and Engineering
Keywords: Virtual Machine Introspection; Data Structure; Reverse Engineering; Operating System; Operating System Kernel; ProbeBuilder; Kernel
Issue Date: 2013
Abstract: Virtual Machine Introspection (VMI) is an analysis method that runs the target program inside a virtual machine and observes its behavior from outside the VM. To intercept guest system events and monitor the state of the operating system kernel, such analysis tools all need to insert probes into the virtual machine monitor (hypervisor). The purpose of a probe is to let the hypervisor suspend the guest and take control when the execution flow inside the guest operating system reaches a target point. More importantly, a probe must be able to extract the information related to that event from the guest machine's memory. However, implementing probes for a commercial operating system whose source code is not public usually requires manual reverse engineering of its kernel to learn its internal control flow and data structures. Worse, frequent kernel updates, as well as updates of the operating system as a whole, often change these code and data structures, so the results of reverse engineering are often not reusable. This dissertation proposes ProbeBuilder, a systematic method for automatically inferring operating system kernel code and data structures. Through dynamic execution, ProbeBuilder continually searches the guest machine's memory for the recursive "pointer-offset-pointer" data pattern to find candidate data structures. In addition, through control flow analysis, ProbeBuilder derives corresponding probe locations for the discovered data structures and automatically generates code snippets that can be inserted into QEMU, KVM, and Xen, achieving automated probe construction. Experiments show that ProbeBuilder can quickly and automatically generate tens to hundreds of probes for the Windows operating system, and that these probes correctly capture both user-level and kernel-level events. Analysts can use the proposed method to rapidly develop and update VMI tools for different operating systems or kernel versions. The kernel data structure mining method proposed in this dissertation makes ProbeBuilder the first system with automated probe construction.
VM-based inspection tools generally implement probes in the hypervisor to monitor events and the kernel state of the guest system. The most important function of a probe is to carve the information of interest out of guest memory when it is triggered. Implementing probes for a closed-source OS demands manual reverse engineering of the undocumented code and data structures in the kernel binary image. Furthermore, the reverse-engineering result is often not reusable across OS versions, or even kernel updates, because these structures change rapidly. This dissertation proposes ProbeBuilder, a system that automates the inference of kernel data structures. Based on dynamic execution, ProbeBuilder searches guest memory for data structures matching the recursive "pointer-offset-pointer" pattern. The sequences of these offsets, referred to as dereferences, are refined through a repetitive training process. ProbeBuilder further derives stable probe locations for them with control-flow analysis and generates probe code snippets for QEMU, KVM, and Xen. The experiment on the Windows kernel shows that ProbeBuilder efficiently narrows hundreds of thousands of candidate kernel-level probe locations down to dozens, and the generated probes effectively capture both user-level and kernel activities. This allows analysts to quickly implement probes, facilitating rapid development and update of inspection tools for different OSes. With these features, ProbeBuilder is the first system capable of automatically generating practical probes that extract information through dereferences of opaque kernel data structures.
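To make the "pointer-offset-pointer" search and the training-based refinement concrete, the following is an added toy illustration written for this record; it is not ProbeBuilder's code and does not reproduce the dissertation's actual algorithm. It assumes a flat little-endian 64-bit guest memory image at a hypothetical kernel base address, a fixed scan window per object, a fixed maximum chain depth, and a constructed three-object layout (A, B, C) with one data field of A that only looks like a pointer in one of two snapshots. Mining offset chains from a root object in each snapshot and intersecting the results drops that coincidental chain, which is the refinement step the abstract describes; `follow()` then shows what a probe does at runtime with a surviving dereference chain.

```python
"""Toy miner for recursive pointer-offset-pointer chains in a constructed guest memory image.

Added illustration for the ProbeBuilder record; all addresses, layouts and
parameters below are assumptions, not values from the dissertation.
"""
import struct

PTR_SIZE = 8
KBASE = 0xFFFF_8000_0000_0000   # hypothetical guest kernel address range (assumed)
KSIZE = 0x400                   # size of the toy image (assumed)
WINDOW = 0x40                   # assumed upper bound on an object's size to scan
MAX_DEPTH = 3                   # assumed maximum chain length


def build_snapshot(coincidental_field):
    """Construct a toy little-endian guest memory image (constructed sample data).

    Three objects A, B, C are linked by pointers; `coincidental_field` is a
    non-pointer data field of A whose value differs between runs."""
    mem = bytearray(KSIZE)

    def put(addr, val):
        struct.pack_into("<Q", mem, addr - KBASE, val)

    A, B, C = KBASE + 0x000, KBASE + 0x100, KBASE + 0x200
    put(A + 0x08, B)
    put(A + 0x18, 0x41414141)        # plain data, never a pointer
    put(A + 0x28, C)
    put(A + 0x38, coincidental_field)
    put(B + 0x10, C)
    put(B + 0x20, A)                 # back-link, creates a cycle
    put(C + 0x08, 0xDEADBEEF)        # C holds no pointers
    return bytes(mem)


def is_pointer(val):
    """Heuristic: an aligned value inside the kernel range counts as a pointer."""
    return KBASE <= val < KBASE + KSIZE and val % PTR_SIZE == 0


def read_qword(mem, addr):
    off = addr - KBASE
    if off < 0 or off + PTR_SIZE > len(mem):
        return None
    return struct.unpack_from("<Q", mem, off)[0]


def mine_chains(mem, root, max_depth=MAX_DEPTH, window=WINDOW):
    """Enumerate offset sequences (dereference chains) from `root` in which
    every step lands on a pointer-looking value: the pointer-offset-pointer pattern."""
    chains = set()

    def walk(addr, prefix, visited):
        if len(prefix) >= max_depth:
            return
        for off in range(0, window, PTR_SIZE):
            val = read_qword(mem, addr + off)
            if val is None or not is_pointer(val):
                continue
            chain = prefix + (off,)
            chains.add(chain)
            if val not in visited:       # record back-links but do not loop on them
                walk(val, chain, visited | {val})

    walk(root, (), {root})
    return chains


def refine(chain_sets):
    """Training step: keep only chains that held pointers in every snapshot."""
    return set.intersection(*chain_sets)


def follow(mem, root, chain):
    """What a generated probe does at runtime: resolve a chain to its target address."""
    addr = root
    for off in chain:
        addr = read_qword(mem, addr + off)
        if addr is None or not is_pointer(addr):
            return None
    return addr


def demo():
    root = KBASE
    snap1 = build_snapshot(KBASE + 0x300)   # data that happens to look like a pointer
    snap2 = build_snapshot(0x12345)         # same field, an ordinary value
    per_run = [mine_chains(s, root) for s in (snap1, snap2)]
    return per_run, refine(per_run)


if __name__ == "__main__":
    per_run, stable = demo()
    for chain in sorted(stable):
        print("stable chain:", " -> ".join(f"+0x{o:02x}" for o in chain))
```

In the first snapshot the miner also reports the chain `(+0x38,)`, because that field happened to hold an in-range value; it disappears after intersection with the second run, leaving the four chains that reflect real links. A real VMI tool would replace the toy `is_pointer` heuristic with knowledge of the guest's valid address ranges and page tables, and would mine from many live snapshots rather than two constructed ones.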
URI: http://140.113.39.130/cdrfb3/record/nctu/#GT079556502
http://hdl.handle.net/11536/75609
Appears in Collections: Thesis


Files in This Item:

  1. 650201.pdf