VoiDbg: Design and Implementation of a Transparent Debugger for Inspecting Protected Applications

  • Marcus Botacin (Unicamp)
  • Paulo Lício de Geus (Unicamp)
  • André Grégio (UFPR)

Abstract

Debuggers are important tools for software development, as they support code inspection and, consequently, its validation. In systems security, debuggers can be used to assist malware analysis and reverse engineering, allowing researchers to investigate several execution paths. However, both legitimate software (for intellectual property protection) and malware (for detection avoidance) are often equipped with anti-debug techniques. Therefore, a debugger needs to achieve transparency to overcome these techniques. To do so, we introduce VoiDbg, a novel debugger able to analyze protected software in a transparent way through hardware monitoring support. We present VoiDbg's design and implementation, as well as tests to validate it.

Published: 2016-11-07

BOTACIN, Marcus; GEUS, Paulo Lício de; GRÉGIO, André. VoiDbg: Projeto e Implementação de um Debugger Transparente para Inspeção de Aplicações Protegidas. In: BRAZILIAN SYMPOSIUM ON CYBERSECURITY (SBSEG), 16., 2016, Niterói. Anais [...]. Porto Alegre: Sociedade Brasileira de Computação, 2016. p. 282-295. DOI: https://doi.org/10.5753/sbseg.2016.19314.
