政大機構典藏-National Chengchi University Institutional Repository(NCCUR):Item 140.119/141034
English  |  正體中文  |  简体中文  |  Post-Print筆數 : 27 |  全文筆數/總筆數 : 113148/144119 (79%)
造訪人次 : 50711600      線上人數 : 283
RC Version 6.0 © Powered By DSPACE, MIT. Enhanced by NTU Library IR team.
搜尋範圍 查詢小技巧:
  • 您可在西文檢索詞彙前後加上"雙引號",以獲取較精準的檢索結果
  • 若欲以作者姓名搜尋,建議至進階搜尋限定作者欄位,可獲得較完整資料
  • 進階搜尋
    政大機構典藏 > 商學院 > 資訊管理學系 > 學位論文 >  Item 140.119/141034
    請使用永久網址來引用或連結此文件: https://nccur.lib.nccu.edu.tw/handle/140.119/141034


    題名: 利用QEMU針對ARM虛擬機器上之行程進行動態函式追蹤
    Real-time Application-aware Function Call Tracing for ARM Virtual Machine using QEMU
    作者: 林履誠
    Lin, Lu-Cheng
    貢獻者: 蕭舜文
    Hsiao, Shun-Wen
    林履誠
    Lin, Lu-Cheng
    關鍵詞: 動態追蹤
    虛擬化
    虛擬機器內省
    ARM
    Dynamic tracing
    Virtualization
    Virtual machine introspection
    日期: 2022
    上傳時間: 2022-08-01 17:21:58 (UTC+8)
    摘要: ARM硬體架構於行動裝置、個人電腦和雲端伺服器上面的市場份額占比越來越高,進而使針對ARM裝置的網路攻擊也隨之增加。因此,協助分析ARM裝置上的惡意攻擊行為的工具的需求也日益浮現。virtual machine introspection (VMI) 是一個利用virtual machine (VM) 來進行惡意軟體側錄跟惡意行為分析的技術,其先前在x86硬體架構上面已經有廣泛並且成熟的應用,然而此類工具在ARM裝置的支援仍然處遇前期的階段。本研究試圖利用QEMU,開發出一個能夠應用於ARM裝置上面的VMI系統。這個系統會專注於攔截並且側錄虛擬機器上面特定行程的函式呼叫。為了能夠開發出這樣的系統,我們在過程中面臨了兩個主要的問題:判斷需要監控的行程是否正在執行和如何在執行過程中攔截行程特定的函式呼叫。第一個問題我們主要利用行程的page table address跟ARM CPU上面的translation table base pointer比對,來解決判斷行程的問題。第二個問題我們利用了QEMU內部translation block的機制,進而找到適合的攔截函式呼叫的時機。
    在實作這個VMI系統時,我們修改了QEMU的tiny code generator,並且在每一次QEMU執行一個translation block之前,植入了我們部分的VMI的程式。這樣可以確保我們的VMI程式可以於惡意程式在被執行之前,獲得執行的控制權,讓惡意程式無法偵測到我們的執行,然後隱藏他的攻擊足跡。我們在QEMU monitor commands內加入了幾個方便使用者可以輸入的指令,讓使用者可以透過輸入指令的方式來進行程式側錄,並且將結果輸出成log檔案。最後我們針對這個VMI系統進行效能測量,平均的效能影響僅有4%。
    Besides the mobile and IoT device market, ARM has gained more market share in the personal desktop and cloud server markets. Accordingly, the number of attacks against ARM devices has increased. Thus, the need for monitoring and analyzing the malware targeting ARM device has emerged. Virtual machine introspection (VMI) is a mature technology used for malware analysis and intrusion detection. Previous research mainly focuses on building VMI on x86, and there is little research on ARM. We chose QEMU as our hypervisor among all approaches because it can emulate a range of ARM processors and allow us to intercept function calls without context switching, which reduces code complexity.
    In this paper, we review QEMU`s tiny code generator and translation block and develop a naive approach to intercept function calls by inserting a small piece of code before each translation block is executed. We recognize the process by traversing the process list in the kernel using the QEMU built-in function. We identify the process by comparing the process`s page table pointer and ARM`s translation table pointer. To demonstrate the effectiveness and efficiency of our system, we first implement our VMI system as several QEMU monitor commands. The commands allow researchers to listen to a specific process`s execution and log its execution traces to log files. The benchmark results show an average performance degradation of 3.81 percent on single-threaded tasks and 4.88 percent on multi-threaded tasks.
    參考文獻: B. C. Mark Lipacis, “4q21 cpu share: Pc armaggedon; amd server share poised to accelerate,” Feb. 2022

    C. Beek, S. Chandana, T. Dunton, S. Grobman, R. Gupta, T. Holden, T. Hux, K. Mc- Grath, D. Mckee, L. Munson, K. Narayan, J. Olowo, C. Pak, C. Palm, T. Polzer, S. R. Ryu, R. Samani, Sekhar, Sarukkai, and C. Schmugar, “Mcafee labs threats report, november 2020,” McAfee, LLC, San Jose, Tech. Rep., Nov. 2020.

    T. Garfinkel and M. Rosenblum, “A virtual machine introspection based architecture for intrusion detection,” NDSS, vol. 3, 05 2003

    S.-W. Hsiao, Y. S. Sun, and M. C. Chen, “Hardware-assisted mmu redirection for in- guest monitoring and api profiling,” IEEE Transactions on Information Forensics and Security, vol. 15, pp. 2402–2416, 2020.

    A. Dinaburg, P. Royal, M. Sharif, and W. Lee, “Ether: Malware analysis via hard- ware virtualization extensions,” in Proceedings of the ACM Conference on Computer and Communications Security, 01 2008, pp. 51–62.

    J. Pfoh, C. Schneider, and C. Eckert, “Nitro: Hardware-based system call tracing for virtual machines,” in Advances in Information and Computer Security 6th Inter- national Workshop on Security, IWSEC 2011, Tokyo, Japan, November 8-10, 2011. Proceedings, 11 2011, pp. 96–112.

    D. Song, D. Brumley, H. Yin, J. Caballero, I. Jager, M. G. Kang, Z. Liang, J. New- some, P. Poosankam, and P. Saxena, “BitBlaze: A new approach to computer se- curity via binary analysis,” in Proceedings of the 4th International Conference on Information Systems Security. Keynote invited paper., Hyderabad, India, Dec. 2008

    Z. Deng, X. Zhang, and D. Xu, “Spider: Stealthy binary program instrumentation and debugging via hardware virtualization,” in Proceedings of the 29th Annual Computer Security Applications Conference, ser. ACSAC ’13. New York, NY, USA: Association for Computing Machinery, 2013, p. 289–298. [Online]. Available: https://doi.org/10.1145/2523649.2523675

    T. Lengyel, T. Kittel, and C. Eckert, “Virtual machine introspection with xen on arm,” 09 2015.

    S. Proskurin, T. Lengyel, M. Momeu, C. Eckert, and A. Zarras, “Hiding in the shadows: Empowering arm for stealthy virtual machine introspection,” in Proceedings of the 34th Annual Computer Security Applications Conference, ser. ACSAC ’18. New York, NY, USA: Association for Computing Machinery, 2018, p. 407–417. [Online]. Available: https://doi.org/10.1145/3274694.3274698

    Learn the architecture: Aarch64 exception model,” https://developer.arm.com/ documentation/102412/0100/Privilege-and-Exception-levels, accessed: 2022-04- 05.

    “Virtualization in aarch64,” https://developer.arm.com/documentation/102142/ 0100/Virtualization-in-AArch64, accessed: 2022-03-26.

    B. Ngabonziza, D. Martin, A. Bailey, H. Cho, and S. Martin, “Trustzone explained: Architectural features and use cases,” in 2016 IEEE 2nd International Conference on Collaboration and Internet Computing (CIC), 2016, pp. 445–451.

    F. Bellard, “Qemu, a fast and portable dynamic translator,” in Proceedings of the Annual Conference on USENIX Annual Technical Conference, ser. ATEC ’05. USA: USENIX Association, 2005, p. 41.

    “Translator internals,” https://qemu.readthedocs.io/en/latest/devel/tcg.html, ac- cessed: 2022-03-26.

    S.-W. Hsiao and Y.-J. Lee, “Nn-based feature selection for text-based sequential data,” in 24th Pacific Asia Conference on Information Systems, PACIS 2020, Dubai, UAE, June 22-24, 2020, D. Vogel, K. N. Shen, P. S. Ling, C. H. 0001, J. Y. L. Thong, M. de Marco, M. Limayem, and S. X. Xu, Eds., 2020, p. 238. [Online]. Available: https://aisel.aisnet.org/pacis2020/238

    S. Forrest, S. Hofmeyr, A. Somayaji, and T. Longstaff, “A sense of self for unix processes,” in Proceedings 1996 IEEE Symposium on Security and Privacy, 1996, pp. 120–128

    A. S. Tanenbaum and H. Bos, Modern Operating Systems, 4th ed. Pearson Educa- tion Limited, 2015, ch. 7.

    G. Neiger, A. Santoni, F. Leung, D. Rodgers, and R. Uhlig, “Intel virtualization tech- nology: Hardware support for efficient processor virtualization,” Intel Technology Journal, vol. 10, 08 2006.

    “tiny code generator,” https://gitlab.com/qemu-project/qemu/-/blob/master/tcg/ README, accessed: 2022-03-26.

    X. Jiang, X. Wang, and D. Xu, “Stealthy malware detection through vmm-based ”out-of-the-box” semantic view reconstruction,” in Proceedings of the 14th ACM Conference on Computer and Communications Security, ser. CCS ’07. New York NY, USA: Association for Computing Machinery, 2007, p. 128–138. [Online]. Available: https://doi.org/10.1145/1315245.1315262

    Y. Fu and Z. Lin, “Bridging the semantic gap in virtual machine introspection via online kernel data redirection,” ACM Trans. Inf. Syst. Secur., vol. 16, no. 2, sep 2013. [Online]. Available: https://doi.org/10.1145/2505124

    J. Xiao, L. Lu, H. Wang, and X. Zhu, “Hyperlink: Virtual machine intro- spection and memory forensic analysis without kernel source code,” in 2016 IEEE International Conference on Autonomic Computing (ICAC), 2016, pp. 127–136.

    A. Henderson, L. K. Yan, X. Hu, A. Prakash, H. Yin, and S. McCamant, “Decaf: A platform-neutral whole-system dynamic binary analysis plat- form,” IEEE Transactions on Software Engineering, vol. 43, no. 2, pp. 164–184, 2017.

    H.-L. Wei, C.-T. King, B. Das, M.-C. Peng, C.-C. Wang, H.-L. Huang, and J.-M. Lu, “Application specific component-service-aware trace gen- eration on android-qemu,” in 2017 30th IEEE International System-on- Chip Conference (SOCC), 2017, pp. 316–321.

    “Qemu support arm cpu list,” https://elixir.bootlin.com/qemu/v5.2.0/ source/target/arm/cpu tcg.c#L635, accessed: 2022-04-05.

    P. Varanasi and G. Heiser, “Hardware-supported virtualization on arm,” in Proceedings of the Second Asia-Pacific Workshop on Systems, ser. APSys ’11. New York, NY, USA: Association for Computing Machinery, 2011. [Online]. Available: https://doi.org/10.1145/2103799. 2103813

    “Learn the architecture: Aarch64 virtualization - stage 2 translation,” https://developer.arm.com/documentation/102142/0100/ Stage-2-translation, accessed: 2022-03-26.

    “Learn the architecture: Trustzone for aarch64,” https://developer.arm. com/documentation/102418/0101/TrustZone-in-the-processor, accessed: 2022-03-26.

    L. Jia, M. Zhu, and B. Tu, “T-vmi: Trusted virtual machine introspection in cloud environments,” in 2017 17th IEEE/ACM International Sym- posium on Cluster, Cloud and Grid Computing (CCGRID), 2017, pp. 478–487

    M. Guerra, B. Taubmann, H. P. Reiser, S. Yalew, and M. Correia, “Introspection for arm trustzone with the itz library,” in 2018 IEEE International Conference on Software Quality, Reliability and Security (QRS), 2018, pp. 123–134.

    S. Wan, J. Sun, K. Sun, N. Zhang, and Q. Li, “Satin: A secure and trustworthy asynchronous introspection on multi-core arm processors,” in 2019 49th Annual IEEE/IFIP International Conference on Depend- able Systems and Networks (DSN), June 2019, pp. 289–301.

    S. Chylek, “Collecting program execution statistics with qemu processor emulator,” in 2009 International Multiconference on Computer Science and Information Technology, 2009, pp. 555–558.

    P. Dovgalyuk, N. Fursova, I. Vasiliev, and V. Makarov, “Qemu-based framework for non-intrusive virtual machine instrumentation and introspection,” in Proceedings of the 2017 11th Joint Meeting on Foundations of Software Engineering, ser. ESEC/FSE 2017. New York, NY, USA: Association for Computing Machinery, 2017, p. 944–948. [Online]. Available: https://doi.org/10.1145/3106237.3122817

    “sched.h,” https://elixir.bootlin.com/linux/v5.4.74/source/include/linux/ sched.h#L624, accessed: 2022-04-05.

    “Arm armv8-a architecture registers,” https://developer. arm.com/documentation/ddi0595/2021-12/AArch32-Registers/ TTBR0--Translation-Table-Base-Register-0?lang=en, accessed: 2022- 04-05.

    Procedure Call Standard for the Arm Architecture, Arm Limited, 4 2022.

    “mmtypes.h,” https://elixir.bootlin.com/linux/v5.4.74/source/include/ linux/mm types.h#L370, accessed: 2022-04-05.

    “kernel.h,” https://elixir.bootlin.com/linux/v5.4.74/source/tools/include/ linux/kernel.h#L22, accessed: 2022-04-05.

    “byte-unixbench,” https://github.com/kdlucas/byte-unixbench, accessed: 2022-03-26.

    “Curl: command line tool and library for transferring data with urls,” https://curl.se/, accessed: 2022-04-05.

    T. Van Dung, I. Taniguchi, T. Hieda, and H. Tomiyama, “Function profiling for embedded software by utilizing qemu and analyzer tool,” in 2013 IEEE 56th International Midwest Symposium on Circuits and Systems (MWSCAS), 2013, pp. 1251–1254.
    描述: 碩士
    國立政治大學
    資訊管理學系
    109356017
    資料來源: http://thesis.lib.nccu.edu.tw/record/#G0109356017
    資料類型: thesis
    DOI: 10.6814/NCCU202200712
    顯示於類別:[資訊管理學系] 學位論文

    文件中的檔案:

    檔案 描述 大小格式瀏覽次數
    601701.pdf629KbAdobe PDF20檢視/開啟


    在政大典藏中所有的資料項目都受到原著作權保護.


    社群 sharing

    著作權政策宣告 Copyright Announcement
    1.本網站之數位內容為國立政治大學所收錄之機構典藏,無償提供學術研究與公眾教育等公益性使用,惟仍請適度,合理使用本網站之內容,以尊重著作權人之權益。商業上之利用,則請先取得著作權人之授權。
    The digital content of this website is part of National Chengchi University Institutional Repository. It provides free access to academic research and public education for non-commercial use. Please utilize it in a proper and reasonable manner and respect the rights of copyright owners. For commercial use, please obtain authorization from the copyright owner in advance.

    2.本網站之製作,已盡力防止侵害著作權人之權益,如仍發現本網站之數位內容有侵害著作權人權益情事者,請權利人通知本網站維護人員(nccur@nccu.edu.tw),維護人員將立即採取移除該數位著作等補救措施。
    NCCU Institutional Repository is made to protect the interests of copyright owners. If you believe that any material on the website infringes copyright, please contact our staff(nccur@nccu.edu.tw). We will remove the work from the repository and investigate your claim.
    DSpace Software Copyright © 2002-2004  MIT &  Hewlett-Packard  /   Enhanced by   NTU Library IR team Copyright ©   - 回饋