BINARY INSTRUMENTATION AND TRANSFORMATION FOR SOFTWARE SECURITY APPLICATIONS

The capabilities of software analysis and manipulation are crucial to counter software security threats such as malware and vulnerabilities. Binary instrumentation and transformation are the essential techniques to enable software analysis and manipulation. However, existing approaches fail to meet requirements (e.g. flexibility, transparency) specific in software security applications

Assessing performance overhead of Virtual Machine Introspection and its suitability for malware analysis

Virtual Machine Introspection is the process of introspecting guest VM’s memory and reconstructing the state of the guest operating system. Due to its isolation, stealth and full visibility of the monitored target, VMI lends itself well for security monitoring and malware analysis. The topics covered in this thesis include operating system and hypervisor concepts, the semantic gap issue, VMI techniques and implementations, applying VMI for malware analysis, and analysis of the performance overhead. The behaviour and magnitude of the performance overhead associated with doing virtual machine introspection is analysed with five different empirical test cases. The intention of the tests is to estimate the costs of a single trapped event, determine the feasibility of various monitoring sensors from usability and stealth perspective, and analyse the behaviour of performance overhead. Various VMI-based tools were considered for the measurement, but DRAKVUF was chosen as it is the most advanced tool available. The test cases go as follows. The chosen load is first executed without any monitoring to determine the baseline execution time. Then a DRAKVUF monitoring plugin is turned on and the load is executed again. After both measurements have been made, the difference between the two execution times is the time spent executing monitoring code. The execution overhead is then determined by calculating the difference between the two execution times and dividing it by the baseline execution time. The disc consumption and execution overhead of a sensor, which captures removed files is small enough to be deployed as a monitoring solution. The performance overhead of system call monitoring sensor is dependant on the number of issued system calls. Loads which issue large numbers of system calls cause high performance overhead. The performance overhead of such loads can be limited by monitoring a subset of all system calls

Virtualization with Limited Hardware Support

<p>In recent years, as mobile devices started to become an essential part of everyday computing, virtualization on mobile devices has begun to emerge as a solution for supporting multiple profiles on the same device. However, virtualization on mobile and embedded systems, and to a greater extent, on systems with limited hardware support for virtualization, often face different hardware environment than x86 platforms.</p><p>First of all, these platforms were usually equipped with CPUs that did not have hardware virtualization support. We propose a transparent and portable CPU virtualization solution for all types of CPUs that have hardware breakpoint functionality. We use a combination of the hardware breakpoint support and guest kernel control flow graph analysis to trap and emulate sensitive instructions.</p><p>Second, the traditional way of implementing record and replay which is an important feature of virtualization, cannot be implemented the same way on CPUs without hardware branch counters. We propose a record and replay implementation without using hardware branch counters on paravirtualized guests. We inspect guest virtual machine internal states to carefully rearrange recorded instructions during replay to achieve the same end result without having to literally repeat the same stream of instructions.</p><p>Third, these platforms are often equipped with storage systems with distinct I/O characteristics. SD card, for example, is a prevalent storage media on smartphones. We discuss the mismatch of I/O characteristics between SD card write speed characteristics and guest virtual machine workload characteristics using VMware Mobile Virtualization Platform as an example. We then propose a solution to bridge the gap and achieve efficient guest I/O when storing guest virtual disk images on SD cards.</p><p>This dissertation shows that it is possible to efficiently virtualize and provide advanced virtualization functionality to a range of systems without relying on x86 and PC specific virtualization technologies.</p>Dissertatio

Software-Managed Read and Write Wear-Leveling for Non-Volatile Main Memory

In-memory wear-leveling has become an important research field for emerging non-volatile main memories over the past years. Many approaches in the literature perform wear-leveling by making use of special hardware. Since most non-volatile memories only wear out from write accesses, the proposed approaches in the literature also usually try to spread write accesses widely over the entire memory space. Some non-volatile memories, however, also wear out from read accesses, because every read causes a consecutive write access. Software-based solutions only operate from the application or kernel level, where read and write accesses are realized with different instructions and semantics. Therefore different mechanisms are required to handle reads and writes on the software level. First, we design a method to approximate read and write accesses to the memory to allow aging aware coarse-grained wear-leveling in the absence of special hardware, providing the age information. Second, we provide specific solutions to resolve access hot-spots within the compiled program code (text segment) and on the application stack. In our evaluation, we estimate the cell age by counting the total amount of accesses per cell. The results show that employing all our methods improves the memory lifetime by up to a factor of 955×

IMPROVED SOFTWARE ACTIVATION USING MULTITHREADING

Software activation is an anti-piracy technology designed to verify that software products have been legitimately licensed [1]. It is supposed to be quick and simple while simultaneously protecting customer privacy. The most common form of software activation is through the entering of legitimate product serial numbers by users, which sometimes are also known as product keys. This technique is employed by various software, from small shareware programs to large commercial programs such as Microsoft Office. However, software activation based on a serial number appears to be weak, as various cracks for a majority of programs are available and can be found easily on the Internet. Users can use such cracks to bypass the software activation. Generally, the verification logic for checking a serial number executes sequentially in a single thread. Such an approach is weak because attackers can effectively trace this thread from the beginning to the end to understand how the verification logic works. In this paper, we develop a practical multi-threaded verification design. We breakdown the checking logic into smaller pieces and run each piece within a separate thread. Our results show that the amount of traceable code in a debugger is reduced to a low percentage of the code -- especially when junk threads with deadlocks are used -- and the traceable code in each run can differ as well. This makes it more difficult for an attacker to reverse engineer the code and bypass any security check. Finally, we attempt to quantify the increased effort necessary to break out verification logic

Efficient branch and node testing

Software testing evaluates the correctness of a program’s implementation through a test suite. The quality of a test case or suite is assessed with a coverage metric indicating what percentage of a program’s structure was exercised (covered) during execution. Coverage of every execution path is impossible due to infeasible paths and loops that result in an exponential or infinite number of paths. Instead, metrics such as the number of statements (nodes) or control-flow branches covered are used. Node and branch coverage require instrumentation probes to be present during program runtime. Traditionally, probes were statically inserted during compilation. These static probes remain even after coverage is recorded, incurring unnecessary overhead, reducing the number of tests that can be run, or requiring large amounts of memory In this dissertation, I present three novel techniques for improving branch and node coverage performance for the Java runtime. First, Demand-driven Structural Testing (DDST) uses dynamic insertion and removal of probes so they can be removed after recording coverage, avoiding the unnecessary overhead of static instrumentation. DDST is built on a new framework for developing and researching coverage techniques, Jazz. DDST for node coverage averages 19.7% faster than statically-inserted instrumentation on an industry-standard benchmark suite, SPECjvm98. Due to DDST’s higher-cost probes, no single branch coverage technique performs best on all programs or methods. To address this, I developed Hybrid Structural Testing (HST). HST combines different test techniques, including static and DDST, into one run. HST uses a cost model for analysis, reducing the cost of branch coverage testing an average of 48% versus Static and 56% versus DDST on SPECjvm98. HST never chooses certain techniques due to expensive analysis. I developed a third technique, Test Plan Caching (TPC), that exploits the inherent repetition in testing over a suite. TPC saves analysis results to avoid recomputation. Combined with HST, TPC produces a mix of techniques that record coverage quickly and efficiently. My three techniques reduce the average cost of branch coverage by 51.6–90.8% over previous approaches on SPECjvm98, allowing twice as many test cases in a given time budget