Abstract
Virtual machine introspection (VMI) allows users to debug software that executes within a virtual machine. To support rich, whole-system analyses, a VMI tool must inspect and control systems at multiple levels of the software stack. Traditional debuggers enable inspection and control, but they limit users to treating a whole system as just one kind of target: e.g., just a kernel, or just a process, but not both.
We created Stackdb, a debugging library with VMI support that allows one to monitor and control a whole system through multiple, coordinated targets. A target corresponds to a particular level of the system's software stack; multiple targets allow a user to observe a VM guest at several levels of abstraction simultaneously. For example, with Stackdb, one can observe a PHP script running in a Linux process in a Xen VM via three coordinated targets at the language, process, and kernel levels. Within Stackdb, higher-level targets are components that utilize lower-level targets; a key contribution of Stackdb is its API that supports multi-level and flexible "stacks" of targets. This paper describes the challenges we faced in creating Stackdb, presents the solutions we devised, and evaluates Stackdb through its application to a security-focused, whole-system case study.
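The layering the abstract describes (a language-level target that reads through a process-level target, which in turn reads through a kernel-level target over raw guest memory) is easiest to see in code. The following is an added illustration, not Stackdb's own API or code: a toy model in Python with a constructed guest-physical image, a single-level page table with 256-byte pages, a made-up task list layout standing in for `task_struct`, and a made-up 8-byte value cell standing in for PHP's zval. The names `PhysTarget`, `KernelTarget`, `ProcessTarget` and `PhpTarget` are hypothetical. The point it demonstrates is the coordination between levels: the same language-level question ("what is the value at virtual address 0x400?") goes through a different page table depending on which process target it is stacked on, and the process target learns that page table from the kernel target.

```python
import struct

PAGE = 256      # toy page size; real x86 pages are 4096 bytes
PRESENT = 1     # low bit of a toy page-table entry; the frame number sits above it


class PhysTarget:
    """Lowest level: raw guest-physical memory, as a hypervisor exposes it."""

    def __init__(self, mem):
        self.mem = mem

    def read(self, paddr, n):
        if paddr < 0 or paddr + n > len(self.mem):
            raise ValueError(f"physical read out of range: {paddr:#x}+{n}")
        return bytes(self.mem[paddr:paddr + n])


class KernelTarget:
    """OS level, built on a PhysTarget: walks the (toy) task list and page tables."""

    TASK_FMT = "<I16sI"  # pid, comm, page-table base; a stand-in for task_struct

    def __init__(self, phys, task_list_paddr):
        self.phys = phys
        self.task_list_paddr = task_list_paddr

    def tasks(self):
        (count,) = struct.unpack("<I", self.phys.read(self.task_list_paddr, 4))
        size = struct.calcsize(self.TASK_FMT)
        result = []
        for i in range(count):
            raw = self.phys.read(self.task_list_paddr + 16 + i * size, size)
            pid, comm, pgd = struct.unpack(self.TASK_FMT, raw)
            result.append({"pid": pid, "comm": comm.rstrip(b"\0").decode(), "pgd": pgd})
        return result

    def find_task(self, pid):
        for task in self.tasks():
            if task["pid"] == pid:
                return task
        raise LookupError(f"no task with pid {pid}")

    def translate(self, pgd, vaddr):
        """Single-level page walk: the entry index is the virtual page number."""
        vpn, offset = divmod(vaddr, PAGE)
        (pte,) = struct.unpack("<I", self.phys.read(pgd + vpn * 4, 4))
        if not pte & PRESENT:
            raise ValueError(f"vaddr {vaddr:#x} is not mapped under pgd {pgd:#x}")
        return (pte >> 1) * PAGE + offset


class ProcessTarget:
    """Process level, built on a KernelTarget: virtual-address reads for one task."""

    def __init__(self, kernel, pid):
        self.kernel = kernel
        self.task = kernel.find_task(pid)   # the kernel target resolves pid -> page table

    def read(self, vaddr, n):
        out = bytearray()
        while len(out) < n:  # a read may span a page boundary
            paddr = self.kernel.translate(self.task["pgd"], vaddr + len(out))
            chunk = min(n - len(out), PAGE - paddr % PAGE)
            out += self.kernel.phys.read(paddr, chunk)
        return bytes(out)


class PhpTarget:
    """Language level, built on a ProcessTarget: decodes a zval-like value cell.
    The layout (4-byte type tag, 4-byte payload) is a toy, not PHP's real zval."""

    IS_LONG, IS_STRING = 1, 6

    def __init__(self, proc):
        self.proc = proc

    def read_zval(self, vaddr):
        ztype, payload = struct.unpack("<II", self.proc.read(vaddr, 8))
        if ztype == self.IS_LONG:
            return payload
        if ztype == self.IS_STRING:  # payload is the vaddr of (length, bytes)
            (length,) = struct.unpack("<I", self.proc.read(payload, 4))
            return self.proc.read(payload + 4, length).decode()
        raise ValueError(f"unknown zval type {ztype}")


def build_guest_memory():
    """Constructed guest-physical image (not captured from a real VM): task list in
    frame 0, page tables in frames 1 and 4, data in frames 2, 3 and 5."""
    mem = bytearray(8 * PAGE)

    def pte(frame):
        return (frame << 1) | PRESENT

    struct.pack_into("<I", mem, 0x000, 2)                                  # task count
    struct.pack_into(KernelTarget.TASK_FMT, mem, 0x010, 42, b"php-cgi", 1 * PAGE)
    struct.pack_into(KernelTarget.TASK_FMT, mem, 0x028, 7, b"worker", 4 * PAGE)
    struct.pack_into("<I", mem, 1 * PAGE + 4 * 4, pte(2))  # pid 42: vaddr 0x400 -> frame 2
    struct.pack_into("<I", mem, 1 * PAGE + 5 * 4, pte(3))  # pid 42: vaddr 0x500 -> frame 3
    struct.pack_into("<I", mem, 4 * PAGE + 4 * 4, pte(5))  # pid 7:  vaddr 0x400 -> frame 5
    body = b"hello from the guest"
    struct.pack_into("<II", mem, 2 * PAGE, PhpTarget.IS_STRING, 0x520)    # pid 42's zval
    struct.pack_into("<I", mem, 3 * PAGE + 0x20, len(body))              # string at vaddr 0x520
    mem[3 * PAGE + 0x24:3 * PAGE + 0x24 + len(body)] = body
    struct.pack_into("<II", mem, 5 * PAGE, PhpTarget.IS_LONG, 1234)      # pid 7's zval
    return mem


def make_kernel():
    return KernelTarget(PhysTarget(build_guest_memory()), task_list_paddr=0)


def read_php_value(pid, vaddr=0x400):
    """Stack language -> process -> kernel -> physical targets and read one value."""
    return PhpTarget(ProcessTarget(make_kernel(), pid)).read_zval(vaddr)


if __name__ == "__main__":
    for task in make_kernel().tasks():
        print(task["pid"], task["comm"], read_php_value(task["pid"]))
```

Each class knows only the target directly beneath it, which is the property that lets a higher-level target be reused over different lower-level ones; a `PhpTarget` stacked on a process target that read from a live `ptrace`d process instead of a VM would need no change. Note also that the process target rejects reads of pages the kernel target says are unmapped, rather than silently returning zeros, which is the behaviour an introspection tool wants when a guest is hiding or unmapping memory.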
Composable multi-level debugging with Stackdb. In VEE '14: Proceedings of the 10th ACM SIGPLAN/SIGOPS International Conference on Virtual Execution Environments.