Mingfeng Xin,Hui Wen,Liting Deng,Hong Li,Qiang Li,Limin Sun

DOI: https://doi.org/10.48550/arxiv.2107.09856

2021-01-01

Abstract: The rapid growth of the Industrial Internet of Things (IIoT) has brought embedded systems into focus as major targets for both security analysts and malicious adversaries. Due to the non-standard hardware and diverse software, embedded devices present unique challenges to security analysts for the accurate analysis of firmware binaries. The diversity in hardware components and tight coupling between firmware and hardware makes it hard to perform dynamic analysis, which must have the ability to execute firmware code in virtualized environments. However, emulating the large expanse of hardware peripherals makes analysts have to frequently modify the emulator for executing various firmware code in different virtualized environments, greatly limiting the ability of security analysis. In this work, we explore the problem of firmware re-hosting related to the real-time operating system (RTOS). Specifically, developers create a Board Support Package (BSP) and develop device drivers to make that RTOS run on their platform. By providing high-level replacements for BSP routines and device drivers, we can make the minimal modification of the firmware that is to be migrated from its original hardware environment into a virtualized one. We show that an approach capable of offering the ability to execute firmware at scale through patching firmware in an automated manner without modifying the existing emulators. Our approach, called static binary-level porting, first identifies the BSP and device drivers in target firmware, then patches the firmware with pre-built BSP routines and drivers that can be adapted to the existing emulators. Finally, we demonstrate the practicality of the proposed method on multiple hardware platforms and firmware samples for security analysis. The result shows that the approach is flexible enough to emulate firmware for vulnerability assessment and exploits development.

Qiang Liu,Cen Zhang,Lin Ma,Muhui Jiang,Yajin Zhou,Lei Wu,Wenbo Shen,Xiapu Luo,Yang Liu,Kui Ren

DOI: https://doi.org/10.1109/ase51524.2021.9678653

2021-01-01

Abstract:Linux kernel is widely used in embedded systems. To understand practical threats to the Linux kernel, we need to perform dynamic analysis with a full-system emulator, e.g., QEMU. However, due to hardware fragmentation, e.g., various types of peripherals, most embedded systems are not currently supported by QEMU. Though some progress has been made on rehosting firmware, it mainly focuses on user space programs or simple real-time operating systems.The goal of this work is to boost the capability of rehosting the embedded Linux kernels in QEMU. By doing so, dynamic analysis systems can be firstly applied on embedded Linux kernels by leveraging off-the-shelf tools upon QEMU. Accordingly, we proposed a new technique called model-guided kernel execution. It combines the peripheral abstractions in the Linux kernel and kernel-peripheral interactions to semi-automatically generate peripheral models that are then used to synthesize new QEMU virtual machines to start the dynamic analysis.We have implemented a prototype called FirmGuide. It generates 9 peripheral models with full functionality and 64 with minimum functionality covering 26 SoCs. Our evaluation with 6,188 firmware images shows that it can successfully rehost more than 95% of Linux kernels in 2 architectures and 22 versions. None of them can be rehosted in the vanilla QEMU. The result of the LTP benchmark shows the reliability and robustness of the rehosted Linux kernels. We further conduct two security applications, i.e., vulnerability analysis and fuzzing, on the rehosted Linux kernels to demonstrate the usage scenarios.

Wenqiang Li,Le Guan,Jingqiang Lin,Jiameng Shi,Fengjun Li

DOI: https://doi.org/10.14722/ndss.2021.24308

2021-07-05

Abstract:Finding bugs in microcontroller (MCU) firmware is challenging, even for device manufacturers who own the source code. The MCU runs different instruction sets than x86 and exposes a very different development environment. This invalidates many existing sophisticated software testing tools on x86. To maintain a unified developing and testing environment, a straightforward way is to re-compile the source code into the native executable for a commodity machine (called rehosting). However, ad-hoc re-hosting is a daunting and tedious task and subject to many issues (library-dependence, kernel-dependence and hardware-dependence). In this work, we systematically explore the portability problem of MCU software and propose pararehosting to ease the porting process. Specifically, we abstract and implement a portable MCU (PMCU) using the POSIX interface. It models common functions of the MCU cores. For peripheral specific logic, we propose HAL-based peripheral function replacement, in which high-level hardware functions are replaced with an equivalent backend driver on the host. These backend drivers are invoked by well-designed para-APIs and can be reused across many MCU OSs. We categorize common HAL functions into four types and implement templates for quick backend development. Using the proposed approach, we have successfully rehosted nine MCU OSs including the widely deployed Amazon FreeRTOS, ARM Mbed OS, Zephyr and LiteOS. To demonstrate the superiority of our approach in terms of security testing, we used off-the-shelf dynamic analysis tools (AFL and ASAN) against the rehosted programs and discovered 28 previously-unknown bugs, among which 5 were confirmed by CVE and the other 19 were confirmed by vendors at the time of writing.

Programming Languages,Cryptography and Security,Distributed, Parallel, and Cluster Computing,Software Engineering

Muhui Jiang,Lin Ma,Yajin Zhou,Qiang Liu,Cen Zhang,Zhi Wang,Xiapu Luo,Lei Wu,Kui Ren

DOI: https://doi.org/10.1145/3460120.3484753

2021-11-12

Abstract:Dynamic analysis based on the full-system emulator QEMU is widely used for various purposes.However, it is challenging to run firmware images of embedded devices in QEMU, especially the process to boot the Linux kernel (we call this process rehosting the Linux kernel in this paper). That's because embedded devices usually use different system-on-chips (SoCs) from multiple vendors and only a limited number of SoCs are currently supported in QEMU. In this work, we propose a technique called peripheral transplantation. The main idea is to transplant the device drivers of designated peripherals into the Linux kernel binary. By doing so, it can replace the peripherals in the kernel that are currently unsupported in QEMU with supported ones, thus making the Linux kernel rehostable. After that, various applications can be built. We implemented this technique inside a prototype system called ECMO and applied it to 815 firmware images, which consist of 20 kernel versions and 37 device models. The result shows that ECMO can successfully transplant peripherals for all the 815 Linux kernels. Among them, 710 kernels can be successfully rehosted, i.e., launching a user-space shell (87.1% success rate). The failed cases are mainly because the root file system format (ramfs) is not supported by the kernel. Meanwhile, we are able to inject rather complex drivers (i.e., NIC driver) for all the rehosted Linux kernels by installing kernel modules. We further build three applications, i.e., kernel crash analysis, rootkit forensic analysis, and kernel fuzzing, based on the rehosted kernels to demonstrate the usage scenarios of ECMO.

Zitai Chen,Sam L. Thomas,Flavio D. Garcia

DOI: https://doi.org/10.48550/arXiv.2208.03528

2022-08-06

Abstract:In this paper we present MetaEmu, an architecture-agnostic emulator synthesizer geared towards rehosting and security analysis of automotive firmware. MetaEmu improves over existing rehosting environments in two ways: Firstly, it solves the hitherto open-problem of a lack of generic Virtual Execution Environments (VXEs) for rehosting by synthesizing processor simulators from Ghidra's language definitions. In doing so, MetaEmu can simulate any processor supported by a vast and growing library of open-source definitions. In MetaEmu, we use a specification-based approach to cover peripherals, execution models, and analyses, which allows our framework to be easily extended. Secondly, MetaEmu can rehost and analyze multiple targets, each of different architecture, simultaneously, and share analysis facts between each target's analysis environment, a technique we call inter-device analysis. We show that the flexibility afforded by our approach does not lead to a performance trade-off -- MetaEmu lifts rehosted firmware to an optimized intermediate representation, and provides performance comparable to existing emulation tools, such as Unicorn. Our evaluation spans five different architectures, bare-metal and RTOS-based firmware, and three kinds of automotive Electronic Control Unit (ECU) from four distinct vendors -- none of which can be rehosted or emulated by current tools, due to lack of processor support. Further, we show how MetaEmu enables a diverse set of analyses by implementing a fuzzer, a symbolic executor for solving peripheral access checks, a CAN ID reverse engineering tool, and an inter-device coverage tracker.

Cryptography and Security

Muhui Jiang,Xiaoye Zheng,Rui Chang,Yajin Zhou,Xiapu Luo

DOI: https://doi.org/10.1109/tse.2024.3406900

IF: 7.4

2024-01-01

IEEE Transactions on Software Engineering

Abstract:Emulators are commonly employed to construct dynamic analysis frameworks due to their ability to perform fine-grained tracing, monitor full system functionality, and run on diverse operating systems and architectures. Nonetheless, the consistency of emulators with the real devices, remains uncertain. To address this issue, our objective is to automatically identify inconsistent instructions that exhibit different behavior between emulators and real devices across distinct privileges, including user-level and system-level privilege.We target the Arm architecture, which provides machine-readable specifications. Based on the specification, we propose a sufficient test case generator by designing and implementing the first symbolic execution engine for the Arm architecture specification language (ASL). We generated 2,774,649 representative instruction streams and developed a differential testing engine, EXAMINER PRO. With this engine, we compared the behavior of real Arm devices across different instruction sets (A32, A64, T16, and T32) with the popular QEMU emulator, both at the user-level and system-level. To demonstrate the generalizability of EXAMINER PRO, we also tested two other emulators, namely Unicorn and Angr. We find that undefined implementation in Arm manual and bugs of emulators are the major causes of inconsistencies. Furthermore, we discover 17 bugs, which influence commonly used instructions (e.g., BLX). With the inconsistent instructions, we build three security applications and demonstrate the capability of these instructions on detecting emulators, anti-emulation, and anti-fuzzing.

Yesheng Zhi,Yuanyuan Zhang,Juanru Li,Dawu Gu

DOI: https://doi.org/10.1007/978-3-319-59288-6_47

2016-01-01

Abstract:Security testing of software on embedded devices is often impeded for lacking advanced program analysis tools. The main obstacle is that state-of-the-art tools do not support the instruction set of common architectures of embedded device (e.g., MIPS). It requires either developing new program analysis tool aiming to architecture or introducing many manual efforts to help security testing. However, re-implementing a program analysis tool needs considerable amount of time and is generally a repetitive task. To address this issue efficiently, our observation is that most programs on embedded devices are compiled from source code of high level languages, and it is feasible to compile the same source code to different platforms. Therefore, it is also expected to directly translate the compiled executable to support another platform. This paper presents a binary translation based security testing approach for software on embedded devices. Our approach first translates a MIPS executable to an x86 executable leveraging the LLVM-IR, then reuses existing x86 program analysis tools to help employ in-depth security testing. This approach is not only efficient for it reuses existing tools and utilizes the x86 platform with higher performance to conduct security analysis and testing, but also more flexible for it can test code fragment with different levels of granularity (e.g., a function or an entire program). Our evaluation on frequently used data transformation algorithms and utilities illustrates the accuracy and efficiency of the proposed approach.

Xinyu Wang,Jianling Sun,Xiaohu Yang,Chao Huang,Zhijun He,Srinivasa R. Maddineni

DOI: https://doi.org/10.1145/1134285.1134359

2006-01-01

Abstract:ABSTRACTMany enterprise systems are developed in C++ language and most of them are standalone. Because the standalone software can not follow the new market environment, reengineering the standalone legacy systems into distributed environment becomes a critical problem. Some methods have been proposed on related topics such as design recovery, the identification of the component, modeling the interfaces of components and components allocation. Up to now, there does not exist a reengineering process for partition distributed environment, which will offer distinct advantages on horizontal scalability and performance over normal distributed solutions. This paper presents a new process to reengineer C++ legacy systems into the J2EE partition distributed environment. The process consists of four steps: translation from C++ to Java code; extraction of components using the cluster technology; modeling component interfaces and partition of the components in J2EE distribute environment. It has been applied to a large equity-trading legacy system which has proved to be successful.

Alexis Engelke,Dominik Okwieka,Martin Schulz

DOI: https://doi.org/10.1145/3453933.3454022

2021-04-07

Abstract:Emulation of other or newer processor architectures is necessary for a wide variety of use cases, from ensuring compatibility to offering a vehicle for computer architecture research. This problem is usually approached using dynamic binary translation, where machine code is translated, on the fly, to the host architecture during program execution. Existing systems, like QEMU, usually focus on translation performance rather than the overall program execution, and extensions, like HQEMU, are limited by their underlying implementation. Conversely, performance-focused systems are typically used for binary instrumentation. E.g., DynamoRIO reuses original instructions where possible, while Instrew utilizes the LLVM compiler infrastructure, but only supports same-architecture code generation. In this short paper, we generalize Instrew to support different guest and host architectures by refactoring the lifter and by implementing target-independent optimizations to re-use host hardware features for emulated code. We demonstrate this flexibility by adding support for RISC-V as guest architecture and AArch64 as host architecture. Our performance results on SPEC CPU2017 show significant improvements compared to QEMU, HQEMU as well as the original Instrew.

Jiaqi Gu,Ruoyao Wang,Jian Wang,Jinmei Lai,Qinghua Duan

DOI: https://doi.org/10.1109/ASICON.2017.8252498

2017-01-01

Abstract:Projects involving both software design and hardware design are usually retarded by expensive equipments, complex simulation and challenging modification. In order to retrench the designers' time and economic costs in SW/HW (Software/Hardware) co-design simulation, this paper demonstrates a remote embedded simulation system to help multiple users manage and simulate their SW/HW co-design projects remotely while scheduling the access to on-chip FPGA resources. We built a small-scale, high-concurrent multiuser management service system on board. The system offers TCP/IP connection and transmission, flexible Wi-Fi network, secure multiuser information and files management, real-time task progress notification, compilation and execution of multiple programming languages, run-time FPGA configuration and simulation, which considerably augments the exploitability for embedded simulation service. Meanwhile, we offer users a supporting PC (Personal Computer) application to attain pertinent features, which has a multithreading GUI (Graphical User Interface). In order to verify this design, we deploy a prototype on a Xilinx Zynq (TM)-7000 AP (All Programmable) SoC (System on Chips) Z-7010 on a ZYBO Board. We apply an image processing SW/HW co-design project to our prototype. The experiment result demonstrates the system's portability and efficacy when dealing with remote access, and flexibility when simulating SW/HW co-design projects through PR (Partial Reconfiguration) technique within reasonable latency. The latency for the end-to-end reconfiguration of a 306.60KB partial bitfile is 8.819ms.

Boyu Chang,Binbin Zhao,Qiao Zhang,Peiyu Liu,Yuan Tian,Raheem Beyah,Shouling Ji

2024-10-24

Abstract:While fuzzing has demonstrated its effectiveness in exposing vulnerabilities within embedded firmware, the discovery of crashing test cases is only the first step in improving the security of these critical systems. The subsequent fault localization process, which aims to precisely identify the root causes of observed crashes, is a crucial yet time-consuming post-fuzzing work. Unfortunately, the automated root cause analysis on embedded firmware crashes remains an underexplored area, which is challenging from several perspectives: (1) the fuzzing campaign towards the embedded firmware lacks adequate debugging mechanisms, making it hard to automatically extract essential runtime information for analysis; (2) the inherent raw binary nature of embedded firmware often leads to over-tainted and noisy suspicious instructions, which provides limited guidance for analysts in manually investigating the root cause and remediating the underlying vulnerability. To address these challenges, we design and implement FirmRCA, a practical fault localization framework tailored specifically for embedded firmware. FirmRCA introduces an event-based footprint collection approach to aid and significantly expedite reverse execution. Next, to solve the complicated memory alias problem, FirmRCA proposes a history-driven method by tracking data propagation through the execution trace, enabling precise identification of deep crash origins. Finally, FirmRCA proposes a novel strategy to highlight key instructions related to the root cause, providing practical guidance in the final investigation. We evaluate FirmRCA with both synthetic and real-world targets, including 41 crashing test cases across 17 firmware images. The results show that FirmRCA can effectively (92.7% success rate) identify the root cause of crashing test cases within the top 10 instructions.

Cryptography and Security

Yiqi Sun,Baojiang Cui,Chen Chen,Yifei Wang

DOI: https://doi.org/10.1007/978-3-030-50399-4_58

2020-01-01

Abstract:The IoT device firmware binary program contains many functions for interacting with the hardware, making it difficult to perform emulation without being patched after leaving the original hardware environment. The current solution generally adopts the method of hijacking the runtime library, and requires the development environment compatible with the target device. The development cost is high and the efficiency is low. Therefore, this paper proposes a static instrumentation-based ELF binary emulation patch technology for IoT firmware, which is used for binary patching of Linux system base IoT device firmware under ARM architecture. Experiments show that our prototype tool can patch the ELF binary program of the IoT device firmware based on Linux operating system, so that the patched binary can be correctly run by the QEMU on the desktop computer of the same architecture.

Jiameng Shi,Le Guan,Wenqiang Li,Dayou Zhang,Ping Chen,Ning Zhang

DOI: https://doi.org/10.1109/eurosp53844.2022.00039

2022-01-01

Abstract:Microcontroller-based embedded systems have become ubiquitous with the emergence of IoT technology. Given its critical roles in many applications, its security is becoming increasingly important. Unfortunately, MCU devices are especially vulnerable. Code reuse attacks are particularly noteworthy since the memory address of firmware code is static. This work seeks to combat code reuse attacks, including ROP and more advanced JIT-ROP via continuous randomization. Previous proposals are geared towards full-fledged OSs with rich runtime environments, and therefore cannot be applied to MCUs. We propose the first solution for ARM-based MCUs. Our system, named HARM, comprises a secure runtime and a binary analysis tool with rewriting module. The secure runtime, protected inside the secure world, proactively triggers and performs non-bypassable randomization to the firmware running in a sandbox in the normal world. Our system does not rely on any firmware feature, and therefore is generally applicable to both bare-metal and RTOS-powered firmware. We have implemented a prototype on a development board. Our evaluation results indicate that HARM can effectively thaw code reuse attacks while keeping the performance and energy overhead low.

FENG Qing,SANG Nan,XIONG Guang-Ze

2005-01-01

Computer Science

Abstract:To enhance the embedded software reuse and portability, shorten the developing cycle, based on a research for some main popular component-based runtime-supporting techniques, brought forward a kind of runtime-supporting frameworks for embedded systems. In this paper, to realize a flexible and open embedded application platform, a com- ponent-based runtime-supporting framework model is firstly constructed. Then, some critical techniques, such as an open HLA infrastructure and a virtual OS platform, are analyzed for the PDA software application platforms. Finally, some methods of customizing and extending those platforms are discussed in the form of pseudo code.

Bo Feng,Meng Luo,Changming Liu,Long Lu,Engin Kirda

2023-12-03

Abstract:The security of microcontrollers, which drive modern IoT and embedded devices, continues to raise major concerns. Within a microcontroller (MCU), the firmware is a monolithic piece of software that contains the whole software stack, whereas a variety of peripherals represent the hardware. As MCU firmware contains vulnerabilities, it is ideal to test firmware with off-the-shelf software testing techniques, such as dynamic symbolic execution and fuzzing. Nevertheless, no emulator can emulate the diverse MCU peripherals or execute/test the firmware. Specifically, the interrupt interface, among all I/O interfaces used by MCU peripherals, is extremely challenging to emulate. In this paper, we present AIM -- a generic, scalable, and hardware-independent dynamic firmware analysis framework that supports unemulated MCU peripherals by a novel interrupt modeling mechanism. AIM effectively and efficiently covers interrupt-dependent code in firmware by a novel, firmware-guided, Just-in-Time Interrupt Firing technique. We implemented our framework in angr and performed dynamic symbolic execution for eight real-world MCU firmware. According to testing results, our framework covered up to 11.2 times more interrupt-dependent code than state-of-the-art approaches while accomplishing several challenging goals not feasible previously. Finally, a comparison with a state-of-the-art firmware fuzzer demonstrates dynamic symbolic execution and fuzzing together can achieve better firmware testing coverage.

Cryptography and Security,Software Engineering

René Helmke,Johannes vom Dorp

DOI: https://doi.org/10.48550/arXiv.2209.05217

2022-09-12

Abstract:In vulnerability assessments, software component-based CVE attribution is a common method to identify possibly vulnerable systems at scale. However, such version-centric approaches yield high false-positive rates for binary distributed Linux kernels in firmware images. Not filtering included vulnerable components is a reason for unreliable matching, as heterogeneous hardware properties, modularity, and numerous development streams result in a plethora of vendor-customized builds. To make a step towards increased result reliability while retaining scalability of the analysis method, we enrich version-based CVE matching with kernel-specific build data from binary images using automated static firmware analysis. We open source an attribution pipeline that gathers kernel configuration and target architecture to dry build the present kernel version and filter CVEs based on affected file references in record descriptions. In a case study with 127 router firmware images, we show that in comparison to naive version matching, our approach identifies 68% of all version CVE matches as false-positives and reliably removes them from the result set. For 12% of all matches it provides additional evidence of issue applicability. For 19.4%, our approach does not improve reliability because required file references in CVEs are missing.

Cryptography and Security

Xiaorui Zhu,Xianping Tao,Tao Gu,Jian Lu

DOI: https://doi.org/10.1016/j.jpdc.2016.12.010

IF: 4.542

2017-01-01

Journal of Parallel and Distributed Computing

Abstract:Wireless sensor networks are shifting to application platforms that poses several challenges on reprogramming efficiency. To better support the efficient reprogramming, this paper proposes a systematic approach named ReLog which consists of a programming language, a compiler, and a virtual machine. To make application programs concise and easy to modify, the ReLog language extends from a traditional logical programming language and makes the extension part have the similar coding style. To reduce the size of data for reprogramming, the compiler first produces extremely compact executable code by compiling application programs into high-level representations. It also implements efficient incremental reprogramming to diminish differences between the current and new executable code. To mitigate the energy consumption incurred by interpretive execution, the virtual machine optimizes the executable code as well as the execution process to improve the runtime efficiency. We have implemented ReLog and evaluated it with respect to real reprogramming cases. Our experimental results show that it is easy to modify ReLog programs to satisfy new application requirements. Meanwhile, the compiler reduces the size of executable code by 61.4%-83.2% compared to the existing work. In addition, the lifetime of sensors running the ReLog virtual machine is close (97.04%-98.31%) to that running the native code. (C) 2016 Elsevier Inc. All rights reserved.

Xiao-Wei Wang,Wei-Nan Chen,Cheng-Lian Peng,Hong-jun You

DOI: https://doi.org/10.1109/ICESS.Symposia.2008.10

2008-01-01

Abstract:Dynamic partial reconfigurable embedded system includes at least one reconfigurable device, which is emerging as the new paradigm for satisfying the simultaneous demand for application performance and flexibility. But it brings difficulties in debugging, testing and performance measurement at the same time. Monitoring is an effective approach in debugging, testing and performance measurement in such complex systems. Dynamical partial reconfigurable monitor module based on the reconfigurability of the hardware platform and the implement methods were proposed in this paper, which decrease the chippsilas area consumption and reconfiguration time cost. The experiments about hardware-software monitoring approach showed expected results.

Hamed Okhravi,T. Baron,Nicholas F. Brown,R. Walls,Bryan C. Ward,Craig A. Shue

DOI: https://doi.org/10.4230/LIPICS.ECRTS.2019.2

Abstract:Attacks on real-time embedded systems can endanger lives and critical infrastructure. Despite this, techniques for securing embedded systems software have not been widely studied. Many existing security techniques for general-purpose computers rely on assumptions that do not hold in the embedded case. This paper focuses on one such technique, control-flow integrity (CFI), that has been vetted as an effective countermeasure against control-flow hijacking attacks on general-purpose computing systems. Without the process isolation and fine-grained memory protections provided by a general-purpose computer with a rich operating system, CFI cannot provide any security guarantees. This work proposes RECFISH, a system for providing CFI guarantees on ARM Cortex-R devices running minimal real-time operating systems. We provide techniques for protecting runtime structures, isolating processes, and instrumenting compiled ARM binaries with CFI protection. We empirically evaluate RECFISH and its performance implications for real-time systems. Our results suggest RECFISH can be directly applied to binaries without compromising real-time performance; in a test of over six million realistic task systems running FreeRTOS, 85% were still schedulable after adding RECFISH.

Computer Science,Engineering

Hao Shen,Mian-Muhammad Hamayun,Frederic Petrot

DOI: https://doi.org/10.1109/tcad.2012.2187526

IF: 2.9

2012-01-01

IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems

Abstract:Integration of multiple heterogeneous processors into a single system-on-a-chip is a clear trend in embedded devices. Designing and verifying these devices requires high-speed and easy-to-build simulation platforms. Among the software simulation approaches, native simulation is a good candidate since the embedded software is executed natively on the host machine, and no instruction set simulator development effort is necessary. However, existing native simulation approaches are such that the simulated software shares the memory space of the modeled hardware modules and the host operating system, making impractical the support of legacy code running on the target platform. To overcome this issue seldom mentioned in the literature, we propose the addition of a transparent address space translation layer to separate the target address space from the host simulator one. For this, we exploit the hardware-assisted virtualization technology now available on most general-purpose processors. Experiments show that this solution does not degrade the native simulation speed, while keeping the ability to accomplish software performance evaluation.