research-article

Composable multi-level debugging with Stackdb

Published: 01 March 2014

Abstract

Virtual machine introspection (VMI) allows users to debug software that executes within a virtual machine. To support rich, whole-system analyses, a VMI tool must inspect and control systems at multiple levels of the software stack. Traditional debuggers enable inspection and control, but they limit users to treating a whole system as just one kind of target: e.g., just a kernel, or just a process, but not both.

We created Stackdb, a debugging library with VMI support that allows one to monitor and control a whole system through multiple, coordinated targets. A target corresponds to a particular level of the system's software stack; multiple targets allow a user to observe a VM guest at several levels of abstraction simultaneously. For example, with Stackdb, one can observe a PHP script running in a Linux process in a Xen VM via three coordinated targets at the language, process, and kernel levels. Within Stackdb, higher-level targets are components that utilize lower-level targets; a key contribution of Stackdb is its API that supports multi-level and flexible "stacks" of targets. This paper describes the challenges we faced in creating Stackdb, presents the solutions we devised, and evaluates Stackdb through its application to a security-focused, whole-system case study.

