203 research outputs found

    Dynamic and Transparent Analysis of Commodity Production Systems

    We propose a framework that provides a programming interface to perform complex dynamic system-level analyses of deployed production systems. By leveraging the hardware support for virtualization available nowadays on all commodity machines, our framework is completely transparent to the system under analysis and guarantees isolation of the analysis tools running on top of it. Thus, the kernel internals of the running system need not be modified, and the whole platform runs unaware of the framework. Moreover, errors in the analysis tools do not affect the running system or the framework. This is accomplished by installing a minimalistic virtual machine monitor and migrating the system, as it runs, into a virtual machine. In order to demonstrate the potential of our framework we developed an interactive kernel debugger, nicknamed HyperDbg. HyperDbg can be used to debug any critical kernel component, and even to single-step the execution of exception and interrupt handlers. Comment: 10 pages, To appear in the 25th IEEE/ACM International Conference on Automated Software Engineering, Antwerp, Belgium, 20-24 September 201

    BINARY INSTRUMENTATION AND TRANSFORMATION FOR SOFTWARE SECURITY APPLICATIONS

    The capabilities of software analysis and manipulation are crucial to counter software security threats such as malware and vulnerabilities. Binary instrumentation and transformation are the essential techniques that enable software analysis and manipulation. However, existing approaches fail to meet requirements (e.g. flexibility, transparency) specific to software security applications

    On-chip system call tracing: A feasibility study and open prototype

    Several tools for program tracing and introspection exist. These tools can be used to analyze potentially malicious or untrusted programs. In this setting, it is important to prevent the target program from determining whether it is being traced or not. This is typically achieved by minimizing the code of the introspection routines and any artifact or side effect that the program can leverage. Indeed, the most recent approaches consist of lightly instrumented operating systems or thin hypervisors running directly on bare metal. Following this research trend, we investigate the feasibility of transparently tracing a Linux/ARM program without modifying the software stack, while keeping the analysis cost and flexibility compatible with state-of-the-art emulation- or bare-metal-based approaches. As for the typical program tracing task, our goal is to reconstruct the stream of system call invocations along with the respective un-marshalled arguments. We propose to leverage the availability of on-chip debugging interfaces of modern ARM systems, which are accessible via JTAG. More precisely, we developed OpenST, an open-source prototype tracer that allowed us to analyze the performance overhead and to assess the transparency with respect to evasive, real-world malicious programs. OpenST has two tracing modes: in-kernel dynamic tracing and external tracing. The in-kernel dynamic tracing mode uses the JTAG interface to "hot-patch" the system calls at runtime, injecting introspection code. This mode is more transparent than emulator-based approaches, but assumes that the traced program does not have access to the kernel memory, where the introspection code is loaded. The external tracing mode removes this assumption by using the JTAG interface to manage hardware breakpoints. Our tests show that OpenST's greater transparency comes at the price of a steep performance penalty. However, with a cost model, we show that OpenST scales better than the state-of-the-art, bare-metal-based approach, while remaining equally stealthy to evasive malware

    HyperDbg: Reinventing Hardware-Assisted Debugging (Extended Version)

    Software analysis, debugging, and reverse engineering have a crucial impact in today's software industry. Efficient and stealthy debuggers are especially relevant for malware analysis. However, existing debugging platforms fail to provide a transparent, effective, and high-performance low-level debugger due to their detectable fingerprints, complexity, and implementation restrictions. In this paper, we present HyperDbg, a new hypervisor-assisted debugger for high-performance and stealthy debugging of user and kernel applications. To accomplish this, HyperDbg relies on state-of-the-art hardware features available in today's CPUs, such as VT-x and extended page tables. In contrast to other widely used debuggers, we design HyperDbg using a custom hypervisor, making it independent of OS functionality or APIs. We propose hardware-based instruction-level emulation and OS-level API hooking via extended page tables to increase stealthiness. Our results from the dynamic analysis of 10,853 malware samples show that HyperDbg's stealthiness allows debugging on average 22% and 26% more samples than WinDbg and x64dbg, respectively. Moreover, in contrast to existing debuggers, HyperDbg is not detected by any of the 13 tested packers and protectors. We improve performance over other debuggers by deploying a VMX-compatible script engine, eliminating unnecessary context switches. Our experiment on three concrete debugging scenarios shows that, compared to WinDbg as the only kernel debugger, HyperDbg performs step-in, conditional breaks, and syscall recording 2.98x, 1319x, and 2018x faster, respectively. We finally show real-world applications, such as a 0-day analysis, structure reconstruction for reverse engineering, software performance analysis, and code-coverage analysis

    A Multiprocessor Distributed Debugger

    This thesis presents the design and implementation of a distributed debugger. The debugger was designed to support the debugging of a system containing multiple processors from a single debug console. The debugger implementation consists of host software which runs on a VAX minicomputer and target software which runs on Intel SDK-86 single board computers. The host and targets communicate using an RS-232 channel. The debugger supports breakpoints, disassembly of target code, symbolic reference of program procedures and variables, and download of Intel Object Module Format binary files

    Signal processing techniques for analysis of heart sounds and electrocardiograms

    Audible heart sounds represent less than 5% of the vibrational energy associated with the cardiac cycle. In this study, experiments have been conducted to explore the feasibility of examining cardiac vibration by means of a single display encompassing the entire bandwidth of the oscillations and relating components at different frequencies. Zero-phase-shift digital filtering is shown to be required in producing such displays, which extend from a recognizable phonocardiogram at one frequency extreme to a recognizable apexcardiogram at the other. Certain features in mid-systole and early diastole, observed by means of this technique, appear not to have been previously described. Frequency modulation of an audio-frequency sinusoid by a complex signal is shown to be effective in generating sounds analogous to that signal and containing the same information, but occupying a bandwidth suitable to optimum human auditory perception. The generation of such sounds using an exponential-response voltage-controlled oscillator is found to be most appropriate for converting amplitude as well as frequency changes in the original signal into pitch changes in the new sounds, utilizing the human auditory system's more acute discrimination of pitch changes than amplitude changes. Pseudologarithmic compression of the input signal is shown to facilitate emphasis in the converted sounds upon changes at high or low amplitudes in the original signal. A noise-control circuit has been implemented for amplitude modulation of the converted signal to de-emphasize sounds arising from portions of the input signal below a chosen amplitude threshold. This method is shown to facilitate the transmission of analogs of audible and normally inaudible sounds over standard telephone channels, and to permit the slowing down of the converted sounds with no loss of information due to decreased frequencies. The approximation of an arbitrary waveform by a piecewise-linear (PL) function is shown to permit economical digital storage in parametric form. Fourier series and Fourier transforms may be readily calculated directly from the PL breakpoint parameters without further approximation, and the number of breakpoints needed to define the PL approximation is significantly lower than the number of uniformly-spaced samples required to satisfy the Nyquist sampling criterion; aliasing problems are shown not to arise. Thus data compression is feasible by this means without recourse to a parametric model defined for the signal (e.g., speech) being processed. Methods of automatic adaptive PL sampling and waveform reconstruction are discussed, and microcomputer algorithms implemented for this purpose are described in detail. Examples are given of the application of PL techniques to electrocardiography, phonocardiography, and the digitization of speech