Ninja: Towards Transparent Tracing and Debugging on ARM · 2019. 12. 18.
TRANSCRIPT
Ninja: Towards Transparent Tracing and Debugging on ARM
COMPASS LAB (HTTP://COMPASS.CS.WAYNE.EDU) 1
Zhenyu Ning & Fengwei Zhang, Wayne State University
{zhenyu.ning,fengwei}@wayne.edu
Wayne State University
Outline
• Introduction
• Background
• System Overview
• Evaluation
• Conclusion
Evasion
[Figure: Malware and Analyzer]
Malware Analysis
[Figure: layered stack of Applications (Malware App, App), Operating System, Hypervisor/Emulator and Hardware; the Malware Analyzer is placed at successive layers]
Analyzer in the hypervisor/emulator layer. Limitation:
• Unarmed against anti-virtualization or anti-emulation techniques
Analyzer in the operating system layer. Limitation:
• Unable to handle malware with high privilege (e.g., rootkits)
Analyzer in hardware (MalT, S&P 15). Limitations:
• High performance overhead on mode switch
• Unprotected modified registers
• Vulnerable to external timing attack
Transparency Requirements
• An Environment that provides the access to the states of the target malware
  • It is isolated from the target malware
  • It exists on an off-the-shelf (OTS) bare-metal platform
• An Analyzer which is responsible for the further analysis of the states
  • It should not leave any detectable footprints to the outside of the environment
Background - TrustZone
ARM TrustZone technology divides the execution environment into a secure domain and a non-secure domain.
• The RAM is partitioned into secure and non-secure regions.
• The interrupts are assigned into the secure or non-secure group.
• Secure-sensitive registers can only be accessed in the secure domain.
• Hardware peripherals can be configured as secure access only.
Background - TrustZone
• In the ARMv8 architecture, exceptions are delivered to different Exception Levels (ELs).
• The only way to enter the secure domain is to trigger an EL3 exception.
• The exception return instruction (ERET) can be used to switch back to the non-secure domain.
[Figure: Non-secure Domain: EL0 (Applications), EL1 (Rich OS), EL2 (Hypervisor); Secure Domain: EL0 (Applications), EL1 (Secure OS); EL3 (Secure Monitor)]
Background – PMU and ETM
• The Performance Monitor Unit (PMU) leverages a set of performance counter registers to count the occurrence of different CPU events.
• The Embedded Trace Macrocell (ETM) traces the instructions and data of the system, and outputs the trace stream into pre-allocated buffers on the chip.
• Both PMU and ETM exist on ARM Cortex-A5x and Cortex-A7x series CPUs, and do NOT affect the performance of the CPU.
Overview
[Figure: Non-secure Domain: Rich OS running App, App and the Target Malware; Secure Domain: Secure Interrupt Handler, Trace Subsystem and Debug Subsystem; a Secure Interrupt enters the secure domain and ERET returns to the non-secure domain; a Remote Debugging Client is attached through a Secure Port]
Trace Subsystem:
• Instruction Trace
• System Call Trace
• Android API Trace
Debug Subsystem:
• Single Stepping
• Breakpoints
• Memory R/W
Hardware Traps
Non-secure Domain:
    ……
    MRS X0, PMCR_EL0
    MOV X1, #1
    AND X0, X0, X1
    ……
Secure Domain (MDCR_EL3.TPM = 1), on the trapped MRS:
• Analyzing the instruction
• MOV X0, #0x41013000
• Modifying saved ELR_EL3
• ERET
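The trap-and-emulate step on the Hardware Traps slides, as an added example (not Ninja's own code): with MDCR_EL3.TPM = 1, the non-secure MRS of PMCR_EL0 traps to EL3, where the handler decodes the instruction word, writes the decoy value into the saved destination register, advances the saved ELR_EL3 past the MRS and hands back to ERET. The ns_context layout, the handle_trapped_mrs name and the sample addresses are assumptions made for this example.

```c
#include <stdint.h>
#include <stdio.h>

/* Saved non-secure register context, as a hypothetical EL3 handler keeps it
 * (assumed layout, not Ninja's own structure). */
struct ns_context {
    uint64_t x[31];     /* X0..X30 of the trapped non-secure code */
    uint64_t elr_el3;   /* address ERET returns to */
};

/* AArch64 MRS: bits[31:21]=11010101001, bit20 (L)=1, bit19=op0-2, then
 * op1[18:16] CRn[15:12] CRm[11:8] op2[7:5] Rt[4:0].
 * PMCR_EL0 is op0=3 op1=3 CRn=9 CRm=12 op2=0. */
#define MRS_MASK        0xFFF00000u
#define MRS_FIXED       0xD5300000u
#define SYSREG_BITS(i)  (((i) >> 5) & 0x7FFFu)   /* o0:op1:CRn:CRm:op2 */
#define PMCR_EL0_BITS   ((1u << 14) | (3u << 11) | (9u << 7) | (12u << 3))

/* Decoy value from the slide; bit 0 (PMCR_EL0.E) is clear, so the reading
 * code concludes that the performance counters are disabled. */
#define PMCR_EL0_DECOY  0x41013000u

/* Returns 1 if insn is "MRS Xt, PMCR_EL0" and the saved context was patched,
 * 0 for any other instruction (context left untouched). */
int handle_trapped_mrs(struct ns_context *ctx, uint32_t insn)
{
    if ((insn & MRS_MASK) != MRS_FIXED || SYSREG_BITS(insn) != PMCR_EL0_BITS)
        return 0;
    unsigned rt = insn & 0x1Fu;             /* destination register Xt */
    if (rt != 31u)                          /* Rt=31 is XZR: write is dropped */
        ctx->x[rt] = PMCR_EL0_DECOY;        /* "MOV X0, #0x41013000" step */
    ctx->elr_el3 += 4;                      /* "modify saved ELR_EL3": skip MRS */
    return 1;                               /* caller then executes ERET */
}

/* The check the non-secure snippet performs on the returned value
 * (MOV X1, #1 ; AND X0, X0, X1): the PMCR_EL0.E enable bit. */
uint64_t pmcr_enable_bit(uint64_t pmcr) { return pmcr & 1u; }

int main(void)
{
    struct ns_context ctx = { .elr_el3 = 0x80001000u };
    uint32_t insn = 0xD53B9C00u;            /* MRS X0, PMCR_EL0 (constructed) */
    if (handle_trapped_mrs(&ctx, insn))
        printf("X0=0x%llx ELR_EL3=0x%llx E=%llu\n",
               (unsigned long long)ctx.x[0], (unsigned long long)ctx.elr_el3,
               (unsigned long long)pmcr_enable_bit(ctx.x[0]));
    return 0;
}
```

A real handler would take the register fields from ESR_EL3 instead of re-decoding the instruction word, and would need one decoy per trapped register rather than only PMCR_EL0.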
Evaluation - Transparency
• Environment:
  ✔ Isolated
  ✔ Exists on OTS platforms
• Analyzer:
  ✔ No detectable footprints?
We believe that the hardware-based approach provides better transparency.
To build a fully transparent system, we may need additional hardware support.
Evaluation – Performance of the TS
• Testbed Specification
  • ARM Juno v1 development board
  • A dual-core 800 MHz Cortex-A57 cluster and a quad-core 700 MHz Cortex-A53 cluster
  • ARM Trusted Firmware (ATF) v1.1 and Android 5.1.1
Evaluation – Performance of the TS
• Calculating one million digits of π
• GNU Multiple Precision Arithmetic Library

                          Mean        STD          # Slowdown
Base: Tracing Disabled    2.133 s     0.69 ms
Instruction Tracing       2.135 s     2.79 ms      1x
System call Tracing       2.134 s     5.13 ms      1x
Android API Tracing       149.372 s   1287.88 ms   70x
Evaluation – Performance of the TS
• Performance scores evaluated by CF-Bench

                          Native Scores        Java Scores          Overall Scores
                          Mean    # Slowdown   Mean    # Slowdown   Mean    # Slowdown
Basic: Tracing Disabled   25380                18758                21407
Instruction Tracing       25364   1x           18673   1x           21349   1x
System call Tracing       25360   1x           18664   1x           21342   1x
Android API Tracing       6452    4x           122     154x         2654    8x
Evaluation – Domain Switching Time
• Time consumption of domain switching (in µs)
• 34x-1674x faster than MalT (11.72 µs)

ATF Enabled   Ninja Enabled   Mean    STD     95% CI
✖             ✖               0.007   0.000   [0.007, 0.007]
✔             ✖               0.202   0.013   [0.197, 0.207]
✔             ✔               0.342   0.021   [0.334, 0.349]
Conclusion
• Ninja: A malware analysis framework on ARM.
  • A debug subsystem and a trace subsystem
  • Using TrustZone, PMU, and ETM to improve transparency
  • The hardware-assisted trace subsystem is immune to timing attack.
Thank you! Email: [email protected]
Questions?