Journal: Highly Available Systems, No. 3, 2013
Article in issue:
Solving computer security problems through deterministic replay of virtual machines
Keywords:
security of software
vulnerabilities
simulator
deterministic replay
reverse debugging
tracing
Authors:
P.M. Dovgalyuk - Ph.D., Assistant professor in Yaroslav-the-Wise Novgorod State University. E-mail: Pavel.Dovgaluk@ispras.ru
N.I. Fursova - Student of Yaroslav-the-Wise Novgorod State University. E-mail: Natalia.Fursova@ispras.ru
D.S. Dmitriev - Student of Yaroslav-the-Wise Novgorod State University. E-mail: Denis.Dmitriev@ispras.ru
Abstract:
Deterministic replay of software
Deterministic replay of software is a technology that can replay a previously recorded execution of a program. It preserves the program's input data and environment so that the execution replays deterministically.
Our solution is based on the open source QEMU simulator (version 1.0) and supports deterministic replay of the whole virtual machine. The deterministic replay workflow consists of two steps: recording and replaying. In recording mode the user executes the scenario that is to be recorded in the log. After that the scenario can be replayed. The behavior of the system in replaying mode is the same: all instructions are executed in the same order, and the states of the peripheral devices (including the HDD) are the same as in recording mode.
Supported platforms
Deterministic replay currently supports the x86/64 and ARM hardware platforms. It supports all virtual devices, as well as the microphone, network, serial port, keyboard, and mouse input devices.
Tracing
Our deterministic replay implementation was originally made for tracing software. Traces consist of a sequence of processor states saved after the execution of every instruction and require a huge amount of memory to store. This also slows down trace capturing compared to non-traced execution. The slowdown makes using traces inconvenient and can also affect the behavior of the programs.
The execution time overhead of the replay log recording process varies from 0 to 90 %. Such a small overhead makes convenient execution of the program to be analyzed or debugged possible. The slow trace capturing process may be performed in replay mode, when interaction with the user is not needed.
Reverse debugging
Reverse debugging is the process of debugging a program using its «backward» execution. Backward execution means stopping at breakpoints or watchpoints that were hit just before the bug in the program became visible to the developer. Backward execution uses virtual machine snapshots captured during the replay log recording process.
Deterministic replay of the program allows debug scenarios to be replayed multiple times. It is particularly useful when the debugged program is not stable and its behavior differs from one execution to another.
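A toy record/replay engine illustrating the two-step workflow and the reverse-debugging primitive described above: record mode logs every nondeterministic device read and takes periodic snapshots, replay mode serves the logged values, and an earlier state is rebuilt from the nearest snapshot plus deterministic forward replay. This is an added Python example, not the paper's QEMU implementation; the accumulator guest, the DEVICES stand-ins, SNAPSHOT_INTERVAL and PROGRAM are assumptions chosen for illustration.

```python
import random
SNAPSHOT_INTERVAL = 3  # snapshot every N instructions (value chosen for this example)
# Stand-ins for the guest's nondeterministic input devices; everything else is deterministic.
DEVICES = {"keyboard": lambda: random.randrange(256), "network": lambda: random.randrange(1 << 16)}

class ReplayVM:
    """Toy guest (accumulator machine). 'record' mode reads the real device and appends the value
    to the log; 'replay' mode serves the logged value, so instruction order and states match."""
    def __init__(self, program, mode, log):
        self.program, self.mode, self.log = program, mode, log
        self.acc, self.step, self.cursor = 0, 0, 0  # cursor: next log event to consume

    def _external(self, dev):
        if self.mode == "record":
            value = DEVICES[dev]()
            self.log["events"].append((dev, value))
        else:
            dev_logged, value = self.log["events"][self.cursor]
            assert dev_logged == dev, "replay diverged from the recording"
        self.cursor += 1
        return value

    def _exec_one(self):
        op, arg = self.program[self.step]
        if op == "add":
            self.acc += arg
        else:  # "read": input from the device named by arg, routed through the log
            self.acc += self._external(arg)
        self.step += 1

    def run(self):
        """Run to the end, snapshotting (acc, cursor) periodically in record mode; return the trace."""
        trace = []
        while self.step < len(self.program):
            if self.mode == "record" and self.step % SNAPSHOT_INTERVAL == 0:
                self.log["snapshots"][self.step] = (self.acc, self.cursor)
            self._exec_one()
            trace.append(self.acc)  # per-instruction trace, as in the paper's tracing use case
        return trace

def reverse_step_to(log, program, target_step):
    """Reverse debugging: state after `target_step` instructions, rebuilt by restoring the
    nearest earlier snapshot and replaying forward deterministically from the log."""
    snap = max(s for s in log["snapshots"] if s <= target_step)
    vm = ReplayVM(program, "replay", log)
    vm.step, (vm.acc, vm.cursor) = snap, log["snapshots"][snap]
    while vm.step < target_step:
        vm._exec_one()
    return vm.acc
PROGRAM = [("add", 5), ("read", "keyboard"), ("read", "network"), ("add", 1), ("read", "keyboard"), ("add", 2)]  # constructed
```

Running `ReplayVM(PROGRAM, "record", log).run()` and then `ReplayVM(PROGRAM, "replay", log).run()` on the same log yields identical traces even though the device values were random, and `reverse_step_to` recovers any intermediate state without re-running the user's scenario.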
Malware analysis
Deterministic replay may be used not only for debugging one's own programs, but also for analysis of malware. The user can set up the environment (including the network) and run the malware once inside the virtual machine. After that the malware can be analyzed without setting up the complex environment and network settings again.
Honeypot
A honeypot is a trap set to detect unauthorized use of a computer. A virtual machine working in recording mode may be used as a honeypot. When unauthorized access happens, the recorded log may be used for post-mortem analysis of the case.
Future work
We plan to extend our work in two directions. The first is extending the dynamic analysis methods (e.g. adding taint analysis to the simulator). The second is extending the number of supported platforms and devices (support for mobile platforms, host USB devices, etc.).
Pages: 46-50