Venue: IEEE Conference on Communications and Network Security

On-chip system call tracing: A feasibility study and open prototype



Abstract

Several tools for program tracing and introspection exist. These tools can be used to analyze potentially malicious or untrusted programs. In this setting, it is important to prevent the target program from determining whether it is being traced. This is typically achieved by minimizing the code of the introspection routines and any artifact or side effect that the program can leverage. Indeed, the most recent approaches consist of lightly instrumented operating systems or thin hypervisors running directly on bare metal. Following this research trend, we investigate the feasibility of transparently tracing a Linux/ARM program without modifying the software stack, while keeping the analysis cost and flexibility compatible with state-of-the-art emulation- or bare-metal-based approaches. As in the typical program tracing task, our goal is to reconstruct the stream of system call invocations along with their respective un-marshalled arguments. We propose to leverage the on-chip debugging interfaces of modern ARM systems, which are accessible via JTAG. More precisely, we developed OpenST, an open-source prototype tracer that allowed us to analyze the performance overhead and to assess the transparency with respect to evasive, real-world malicious programs. OpenST has two tracing modes: in-kernel dynamic tracing and external tracing. The in-kernel dynamic tracing mode uses the JTAG interface to "hot-patch" the system calls at run time, injecting introspection code. This mode is more transparent than emulator-based approaches, but assumes that the traced program does not have access to the kernel memory where the introspection code is loaded. The external tracing mode removes this assumption by using the JTAG interface to manage hardware breakpoints. Our tests show that OpenST's greater transparency comes at the price of a steep performance penalty. However, using a cost model, we show that OpenST scales better than the state-of-the-art bare-metal-based approach, while remaining equally stealthy against evasive malware.
