VoiDbg: Design and Implementation of a Transparent Debugger for Inspecting Protected Applications
Abstract
Debuggers are important tools in software development, since they support code inspection and, with it, code validation. In systems security, debuggers are used in malware analysis and reverse engineering, where they allow several execution paths of an application to be investigated. However, both legitimate programs (to protect intellectual property) and malicious ones (to evade detection) may be equipped with anti-debugging techniques, so their inspection has to be carried out transparently, i.e. without the debugger leaving artifacts that the debuggee can detect. To that end we introduce VoiDbg, a novel debugger capable of analyzing protected programs transparently through hardware monitoring support. Besides its design and implementation, we present validation tests of VoiDbg.
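To make concrete what "transparent" has to defeat, the following added example (illustrative code written for this page, not VoiDbg's code and not from the paper) implements three anti-debugging checks of the kind a protected program typically performs: a tracer check via the Linux `/proc/self/status` `TracerPid` field, a trap check that raises `SIGTRAP` and tests whether the process's own handler still runs, and a timing check over a short "protected" region. Each of these is tripped by a conventional ptrace-based debugger that stops the process, consumes its trap signals or single-steps it; a debugger that observes through hardware monitoring rather than by intruding on the process state is expected to leave none of these artifacts. Linux/POSIX is assumed, and the `1000000` ns threshold is an arbitrary assumption of this example.

```c
#define _POSIX_C_SOURCE 200809L
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>

/* 1. Tracer check. On Linux a ptrace-based debugger (gdb, strace, ...)
 *    shows up as a non-zero "TracerPid:" in /proc/self/status. The parser
 *    is separated from the file read so it can be exercised on constructed
 *    text. Returns the tracer pid, 0 when nobody is attached, -1 when the
 *    field is absent (e.g. no procfs). */
long tracer_pid_from_status(const char *status_text) {
    const char *key = "TracerPid:";
    const char *p = strstr(status_text, key);
    if (!p) return -1;
    return strtol(p + strlen(key), NULL, 10);   /* skips the tab */
}

long tracer_pid_self(void) {
    char buf[4096];
    FILE *f = fopen("/proc/self/status", "r");
    if (!f) return -1;
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    return tracer_pid_from_status(buf);
}

/* 2. Trap check. Raise SIGTRAP and see whether our own handler runs.
 *    A debugger that stops the process on traps normally consumes the
 *    signal (gdb's default for SIGTRAP is "nopass"), so the handler never
 *    fires. Returns 1 if the trap appears to have been swallowed, 0 if it
 *    reached us, -1 on error. */
static volatile sig_atomic_t trap_seen;
static void on_trap(int sig) { (void)sig; trap_seen = 1; }

int trap_swallowed(void) {
    struct sigaction sa, old;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_trap;
    sigemptyset(&sa.sa_mask);
    trap_seen = 0;
    if (sigaction(SIGTRAP, &sa, &old) != 0) return -1;
    raise(SIGTRAP);
    sigaction(SIGTRAP, &old, NULL);
    return trap_seen ? 0 : 1;
}

/* 3. Timing check. Time a short piece of work: single-stepping or a
 *    software breakpoint inside the window inflates the elapsed time by
 *    orders of magnitude, which a threshold turns into a verdict. */
uint64_t elapsed_ns_for_work(void) {
    struct timespec a, b;
    volatile uint64_t acc = 0;
    clock_gettime(CLOCK_MONOTONIC, &a);
    for (int i = 0; i < 1000; i++) acc += (uint64_t)i;  /* "protected" region */
    clock_gettime(CLOCK_MONOTONIC, &b);
    return (uint64_t)((b.tv_sec - a.tv_sec) * 1000000000LL
                      + (b.tv_nsec - a.tv_nsec));
}

/* Combine the checks the way a protected binary would: any positive hit
 * means "being debugged". threshold_ns is an assumption of this example. */
int anti_debug_verdict(uint64_t threshold_ns) {
    if (tracer_pid_self() > 0) return 1;
    if (trap_swallowed() == 1) return 1;
    if (elapsed_ns_for_work() > threshold_ns) return 1;
    return 0;
}

int main(void) {
    printf("TracerPid: %ld\n", tracer_pid_self());
    printf("SIGTRAP swallowed: %d\n", trap_swallowed());
    printf("work took %llu ns\n", (unsigned long long)elapsed_ns_for_work());
    printf("verdict: %s\n",
           anti_debug_verdict(1000000ULL) ? "debugger detected" : "clean");
    return 0;
}
```

Run the binary directly and then under `gdb`: the first two checks flip as soon as a ptrace-based debugger is attached, and the third flips once a breakpoint or single-step lands inside the timed loop. Those are exactly the state changes a transparent debugger must not cause.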