SPIDER: stealthy binary program instrumentation and debugging via hardware virtualization

Proceedings of the 29th Annual Computer Security Applications Conference Pub Date : 2013-12-09 DOI:10.1145/2523649.2523675

Zhui Deng, X. Zhang, Dongyan Xu

{"title":"SPIDER: stealthy binary program instrumentation and debugging via hardware virtualization","authors":"Zhui Deng, X. Zhang, Dongyan Xu","doi":"10.1145/2523649.2523675","DOIUrl":null,"url":null,"abstract":"The ability to trap the execution of a binary program at desired instructions is essential in many security scenarios such as malware analysis and attack provenance. However, an increasing percent of both malicious and legitimate programs are equipped with anti-debugging and anti-instrumentation techniques, which render existing debuggers and instrumentation tools inadequate. In this paper, we present Spider, a stealthy program instrumentation framework which enables transparent, efficient and flexible instruction-level trapping based on hardware virtualization. Spider uses invisible breakpoint, a novel primitive we develop that inherits the efficiency and flexibility of software breakpoint, and utilizes hardware virtualization to hide its side-effects from the guest. We have implemented a prototype of Spider on KVM. Our evaluation shows that Spider succeeds in remaining transparent against state-of-the-art anti-debugging and anti-instrumentation techniques; the overhead of invisible breakpoint is comparable with traditional hardware breakpoint. We also demonstrate Spider's usage in various security applications.","PeriodicalId":127404,"journal":{"name":"Proceedings of the 29th Annual Computer Security Applications Conference","volume":"1 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2013-12-09","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"94","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"Proceedings of the 29th Annual Computer Security Applications Conference","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1145/2523649.2523675","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}

引用次数: 94

Abstract

The ability to trap the execution of a binary program at desired instructions is essential in many security scenarios such as malware analysis and attack provenance. However, an increasing percent of both malicious and legitimate programs are equipped with anti-debugging and anti-instrumentation techniques, which render existing debuggers and instrumentation tools inadequate. In this paper, we present Spider, a stealthy program instrumentation framework which enables transparent, efficient and flexible instruction-level trapping based on hardware virtualization. Spider uses invisible breakpoint, a novel primitive we develop that inherits the efficiency and flexibility of software breakpoint, and utilizes hardware virtualization to hide its side-effects from the guest. We have implemented a prototype of Spider on KVM. Our evaluation shows that Spider succeeds in remaining transparent against state-of-the-art anti-debugging and anti-instrumentation techniques; the overhead of invisible breakpoint is comparable with traditional hardware breakpoint. We also demonstrate Spider's usage in various security applications.

查看原文本刊更多论文

SPIDER:通过硬件虚拟化实现的隐蔽二进制程序检测和调试

在许多安全场景(如恶意软件分析和攻击来源)中，按照所需指令捕获二进制程序执行的能力是必不可少的。然而，越来越多的恶意程序和合法程序都配备了反调试和反检测技术，这使得现有的调试器和检测工具不足。在本文中，我们提出了一个基于硬件虚拟化的隐形程序检测框架Spider，它可以实现透明、高效和灵活的指令级捕获。Spider使用不可见的断点，这是我们开发的一种新的原语，继承了软件断点的效率和灵活性，并利用硬件虚拟化对客户机隐藏其副作用。我们已经在KVM上实现了一个Spider的原型。我们的评估表明，Spider成功地保持了对最先进的反调试和反检测技术的透明性;不可见断点的开销与传统硬件断点相当。我们还演示了Spider在各种安全应用程序中的用法。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

Proceedings of the 29th Annual Computer Security Applications Conference

自引率

0.00%

发文量