Yeongung Park,Seokwoo Choi,Un Yeong Choi,Haimin Jin,Nurul Harzira Mohamad Nor,Yongsu Park

DOI: https://doi.org/10.1038/s41598-024-65374-w

2024-06-26

Abstract:As IoT devices are being widely used, malicious code is increasingly appearing in Linux environments. Sophisticated Linux malware employs various evasive techniques to deter analysis. The embedded trace microcell (ETM) supported by modern Arm CPUs is a suitable hardware tracer for analyzing evasive malware because it is almost artifact-free and has negligible overhead. In this paper, we present an efficient method to automatically find debugger-detection routines using the ETM hardware tracer. The proposed scheme reconstructs the execution flow of the compiled binary code from ETM trace data. In addition, it automatically identifies and patches the debugger-detection routine by comparing two traces (with and without the debugger). The proposed method was implemented using the Ghidra plug-in program, which is one of the most widely used disassemblers. To verify its effectiveness, 15 debugger-detection techniques were investigated in the Arm-Linux environment to determine whether they could be detected. We also confirmed that our implementation works successfully for the popular malicious Mirai malware in Linux. Experiments were further conducted on 423 malware samples collected from the Internet, demonstrating that our implementation works well for real malware samples.

Lu Han,Pan Xuezeng,Ping Lingdi

DOI: https://doi.org/10.3969/j.issn.1000-386X.2007.02.048

2007-01-01

Abstract:With the popularity of the uClinux system,it became very important to port and debug the uClinux system on Linux.In this paper,we will introduce a cheap resolvent based on JTAG and GDB,which can give better support for porting and debugging the uClinux system.

Muhui Jiang,Xiaoye Zheng,Rui Chang,Yajin Zhou,Xiapu Luo

DOI: https://doi.org/10.1109/tse.2024.3406900

IF: 7.4

2024-01-01

IEEE Transactions on Software Engineering

Abstract:Emulators are commonly employed to construct dynamic analysis frameworks due to their ability to perform fine-grained tracing, monitor full system functionality, and run on diverse operating systems and architectures. Nonetheless, the consistency of emulators with the real devices, remains uncertain. To address this issue, our objective is to automatically identify inconsistent instructions that exhibit different behavior between emulators and real devices across distinct privileges, including user-level and system-level privilege.We target the Arm architecture, which provides machine-readable specifications. Based on the specification, we propose a sufficient test case generator by designing and implementing the first symbolic execution engine for the Arm architecture specification language (ASL). We generated 2,774,649 representative instruction streams and developed a differential testing engine, EXAMINER PRO. With this engine, we compared the behavior of real Arm devices across different instruction sets (A32, A64, T16, and T32) with the popular QEMU emulator, both at the user-level and system-level. To demonstrate the generalizability of EXAMINER PRO, we also tested two other emulators, namely Unicorn and Angr. We find that undefined implementation in Arm manual and bugs of emulators are the major causes of inconsistencies. Furthermore, we discover 17 bugs, which influence commonly used instructions (e.g., BLX). With the inconsistent instructions, we build three security applications and demonstrate the capability of these instructions on detecting emulators, anti-emulation, and anti-fuzzing.

Adhokshaj Mishra,Manjesh Kumar Hanawal

DOI: https://doi.org/10.48550/arXiv.2210.11047

2022-10-20

Abstract:Software piracy is one of the concerns in the IT sector. Pirates leverage the debugger tools to reverse engineer the logic that verifies the license keys or bypass the entire verification process. Anti-debugging techniques are used to defeat piracy using self-healing codes. However, anti-debugging methods can be defeated when the licensing protections are limited to CPU-based implementation by writing custom codes to deactivate the anti-debugging methods. In the paper, we demonstrate how GPU implementation can prevent pirates from deactivating the anti-debugging methods by using the limitations of debugging on GPU. Generally, GPUs do not support debugging directly on the hardware, and therefore all the debugging is limited to CPU-based emulation. Also, a process running on CPU generally does not have any visibility on codes running on GPU, which comes as an added benefit for our work. We provide an implementation on GPU to show the feasibility of our method. As GPUs are getting widespread with the raise in popularity of gaming software, our technique provides a method to protect against piracy. Our method thwarts any attempts to bypass the license verification step thus offering a better anti-piracy mechanism.

Cryptography and Security

Mohammad Sina Karvandi,MohammadHossein Gholamrezaei,Saleh Khalaj Monfared,Soroush Meghdadizanjani,Behrooz Abbassi,Ali Amini,Reza Mortazavi,Saeid Gorgin,Dara Rahmati,Michael Schwarz

DOI: https://doi.org/10.48550/arXiv.2207.05676

2022-09-02

Abstract:Software analysis, debugging, and reverse engineering have a crucial impact in today's software industry. Efficient and stealthy debuggers are especially relevant for malware analysis. However, existing debugging platforms fail to address a transparent, effective, and high-performance low-level debugger due to their detectable fingerprints, complexity, and implementation restrictions. In this paper, we present HyperDbg, a new hypervisor-assisted debugger for high-performance and stealthy debugging of user and kernel applications. To accomplish this, HyperDbg relies on state-of-the-art hardware features available in today's CPUs, such as VT-x and extended page tables. In contrast to other widely used existing debuggers, we design HyperDbg using a custom hypervisor, making it independent of OS functionality or API. We propose hardware-based instruction-level emulation and OS-level API hooking via extended page tables to increase the stealthiness. Our results of the dynamic analysis of 10,853 malware samples show that HyperDbg's stealthiness allows debugging on average 22% and 26% more samples than WinDbg and x64dbg, respectively. Moreover, in contrast to existing debuggers, HyperDbg is not detected by any of the 13 tested packers and protectors. We improve the performance over other debuggers by deploying a VMX-compatible script engine, eliminating unnecessary context switches. Our experiment on three concrete debugging scenarios shows that compared to WinDbg as the only kernel debugger, HyperDbg performs step-in, conditional breaks, and syscall recording, 2.98x, 1319x, and 2018x faster, respectively. We finally show real-world applications, such as a 0-day analysis, structure reconstruction for reverse engineering, software performance analysis, and code-coverage analysis.

Cryptography and Security,Hardware Architecture,Operating Systems

Davide Pizzolotto,Stefano Berlato,Mariano Ceccato

DOI: https://doi.org/10.1145/3631971

IF: 3.685

2024-01-25

ACM Transactions on Software Engineering and Methodology

Abstract:Java bytecode is a quite high-level language and, as such, it is fairly easy to analyze and decompile with malicious intents, e.g., to tamper with code and skip license checks. Code obfuscation was a first attempt to mitigate malicious reverse engineering based on static analysis. However, obfuscated code can still be dynamically analyzed with standard debuggers to perform step-wise execution and to inspect (or change) memory content at important execution points, e.g., to alter the verdict of license validity checks. Although some approaches have been proposed to mitigate debugger-based attacks, they are only applicable to binary compiled code and none address the challenge of protecting Java bytecode. In this paper, we propose a novel approach to protect Java bytecode from malicious debugging. Our approach is based on automated program transformation to manipulate Java bytecode and split it into two binary processes that debug each other (i.e., a self-debugging solution). In fact, when the debugging interface is already engaged, an additional malicious debugger cannot attach. To be resilient against typical attacks, our approach adopts a series of technical solutions, e.g., an encoded channel is shared by the two processes to avoid leaking information, an authentication protocol is established to avoid Man-in-the-Middle attacks and the computation is spread between the two processes to prevent the attacker to replace or terminate either of them. We test our solution on 18 real-world Java applications, showing that our approach can effectively block the most common debugging tasks (either with the Java debugger or the GNU debugger) while preserving the functional correctness of the protected programs. While the final decision on when to activate this protection is still up to the developers, the observed performance overhead was acceptable for common desktop application domains.

computer science, software engineering

Xiong Bing,Wang Yanlin,Li Dong

DOI: https://doi.org/10.1109/icemi.2015.7494306

2015-01-01

Abstract:In the past several years, we are all the witness of complex multi-core processors' growing. In the meanwhile, more and more engineers and researchers dedicate to multi-core processor program development. Debug isan essential part in most of program development and efficient debugging can fix the bugs in development more quickly.It is hard for a GDB session to debug multiply cores at the same time like the traditional debugging way, especially, debugging heterogeneous multi-core processor. This paper puts forward a multi-port embedded debugger agent for heterogeneous multi-core ASIP (Application Specific Instruction-set Processor) debugging. The multi-port debugger agent will bind numbers of IP ports and each port corresponds to a core in ASIP, therefore each debugger host can debug corresponding core independently and remotely via TCPat the same time. The construction of debugger agent includes 3 sections: RSP processing part, monitorand JTAG (Joint Test Action Group)[1]driver.RSP processing and monitor are made up with multiply threads. Monitor is a single thread, and the RSP processing part's thread number should be the same as the core number which you want to debug. The communication between debugger agent and debugger host is based on RSP, which is mean debugger agent is compatible with GDB, the most popular C and C++ debugger.Each core in ASIP is independent, that means it has its own program memory, data memory and register memory. Meanwhile, every core can access others' memories for data sharing.Every debugger host can load binary program, setting breakpoints, single stepping, reading data from register and memory and monitoring status of the core etc. for the core it supported.User can debug heterogeneous multi-core ASIP like debugging other general purpose processor. Multi-port debuggeragent is simple, reliable and efficient method for debugging heterogeneous multi-core ASIP.

Hai-liang YOU,Hai-tong GE,Xiao-lang YAN

DOI: https://doi.org/10.3969/j.issn.1671-7147.2007.05.005

2007-01-01

Abstract:A new design method for embedded debug interface is presented.Designers can reuse JTAG standard serial port to monitor,trace,and profile the execution of the programs running on an embedded microprocessor.By using pipeline shadow registers and special data path in debug interface circuit,scan chain is no longer needed to insert in the critical path of CPU to facilitate non-intrusive debug capability.To improve data transmission rate of JTAG interface,instruction register and related control logic are redesigned.JTAG proxy debug protocol is also illustrated in JTAG protocol converter implementation to facilitate the porting of debug tools.The solution has been proven by silicon,and debug interface is successfully implemented in CK510 platform.

Zhiqiang Zuo,Kai Ji,Yifei Wang,Wei Tao,Linzhang Wang,Xuandong Li,Guoqing Harry Xu

DOI: https://doi.org/10.1145/3453483.3454096

2021-01-01

Abstract:Hardware tracing modules such as Intel Processor Trace perform continuous control-flow tracing of an end-to-end program execution with an ultra-low overhead. PT has been used in a variety of contexts to support applications such as testing, debugging, and performance diagnosis. However, these hardware modules have so far been used only to trace native programs, which are directly compiled down to machine code. As high-level languages (HLL) such as Java and Go become increasingly popular, there is a pressing need to extend these benefits to the HLL community. This paper presents JPortal, a JVM-based profiling tool that bridges the gap between HLL applications and low-level hardware traces by using a set of algorithms to precisely recover an HLL program’s control flow from PT traces. An evaluation of JPortal with the DaCapo benchmark shows that JPortal achieves an overall 80% accuracy for end-to-end control flow profiling with only a 4-16% runtime overhead.

Jens Van den Broeck,Bart Coppens,Bjorn De Sutter

DOI: https://doi.org/10.48550/arXiv.1907.01445

2019-07-03

Abstract:To counter man-at-the-end attacks such as reverse engineering and tampering, software is often protected with techniques that require support modules to be linked into the application. It is well-known, however, that attackers can exploit the modular nature of applications and their protections to speed up the identification and comprehension process of the relevant code, the assets, and the applied protections. To counter that exploitation of modularity at different levels of granularity, the boundaries between the modules in the program need to be obfuscated. We propose to do so by combining three cross-boundary protection techniques that thwart the disassembly process and in particular the reconstruction of functions: code layout randomization, interprocedurally coupled opaque predicates, and code factoring with intraprocedural control flow idioms. By means of an elaborate experimental evaluation and an extensive sensitivity analysis on realistic use cases and state-of-the-art tools, we demonstrate our technique's potency and resilience to advanced attacks. All relevant code is publicly available online.

Cryptography and Security

Tingyuan Nie,Jie Sun,Aiguo Ji,Zhe-Ming Lu

DOI: https://doi.org/10.1587/elex.10.20130138

2013-01-01

IEICE Electronics Express

Abstract:The continuously widening design productivity gap in the past few decades gives high incentives to counterfeiting ICs. Existing intellectual property (IP) protection schemes demand high overheads, and some techniques like watermarking do not facilitate tracing of illegal users. In this letter, we propose a novel fingerprinting method based on post-processing on circuit partitions. We evaluate our method on the ISPD98 benchmark suite. The experimental results demonstrate the effectiveness of the proposal. The fingerprinting design is distinct because the Hamming distance between fingerprinted IP designs is large enough to resist a collusion attack.

Jiashuo Liang,Guancheng Li,Chao Zhang,Ming Yuan,Xingman Chen,Xinhui Han

DOI: https://doi.org/10.1145/3372297.3420021

2020-01-01

Abstract:Given the same input, a program may not behave the same in two runs due to some non-deterministic features, e.g., context switch and randomization. Such behaviors would cause non-deterministic program bugs which are hard to discover or diagnose. Record-and-replay is a promising technique to address such issues, however, performance and transparency are the main obstacles of existing works. In this poster, we propose a novel record-and-replay system named RIPT. RIPT utilizes Intel Processor Trace to record control flow information with very low overhead, and transparently captures non-deterministic sources such as system calls and signals with a kernel module. During replay, RIPT recovers the effect of non-deterministic events from the collected information, and makes target programs behave the same as recorded. We evaluate it with real-world program bugs and show that RIPT works well in practice.

Qun Yang,Xiaotian Li,Hu He

DOI: https://doi.org/10.3969/j.issn.1000-386x.2015.05.019

2015-01-01

Abstract:In this paper we describe the debugger design, which is based on GDB and with hybrid architecture of Superscalar and VLIW double-mode.The debugger design is divided into two parts, the proxy debugging side and the client.The proxy debugging side realises the RSP ( remote serial protocol )-based basic debugging proxy function, and the client side realises the target processor adding, debugger initialisation, and the processing of registers data and opcodes, etc.Test results demonstrate that this debugger achieves the program debugging functions such as remote debugging, checking, modifying the values of registers and memories, adding and deleting breakpoints, disassembly, checking stack information and single stepping, etc.

Gregory Michael Price

DOI: https://doi.org/10.48550/arXiv.1801.09250

2019-08-21

Abstract:Efficient, reliable trapping of execution in a program at the desired location is a linchpin technique for dynamic malware analysis. The progression of debuggers and malware is akin to a game of cat and mouse - each are constantly in a state of trying to thwart one another. At the core of most efficient debuggers today is a combination of virtual machines and traditional binary modification breakpoints (int3). In this paper, we present a design for Virtual Breakpoints. a modification to the x86 MMU which brings breakpoint management into hardware alongside page tables. In this paper we demonstrate the fundamental abstraction failures of current trapping methods, and design a new mechanism from the hardware up. This design incorporates lessons learned from 50 years of virtualization and debugger design to deliver fast, reliable trapping without the pitfalls of traditional binary modification.

Operating Systems,Cryptography and Security

Fan Zhang,Chen Dong,Wucheng Hu,Jinghui Chen,Guorong He

DOI: https://doi.org/10.1109/IAEAC47372.2019.8997863

2019-01-01

Abstract:EDA tools almost completely automate the current chip design. However, EDA tools are all provided by third-party companies, therefore the credibility of EDA tools and the trust issues brought by their process libraries have attracted people's attention. Given these problems, this paper proposes a self-training hardware Trojan confrontation framework based on machine learning embedded in EDA tools. The framework focuses on the gate-level netlist files generated during the integrated chip comprehensive optimization phase, thereby detects, locates and deletes hardware Trojans that may appear. The experimental results show that the framework can achieve more than 85% detection effect for unknown hardware Trojans. Moreover, for known hardware Trojans, this framework can achieve almost 100% detection. Accordingly, hardware Trojans can be located and deleted.

Ziming Zhao,Zhaoxuan Li,Tingting Li,Fan Zhang

DOI: https://doi.org/10.1109/tcad.2024.3444712

IF: 2.9

2024-11-09

IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems

Abstract:With the widespread use of Internet of Things (IoT) devices, malware detection has become a hot spot for both academic and industrial communities. A series of solutions based on system calls, system logs, or hardware performance counters achieve promising results. However, such internal monitors are easily tampered with, especially against adaptive adversaries. In addition, existing system log records typically exhibit substantial volume, resulting in data explosion problems. In this article, we present TPE-Det, a side-channel-based external monitor to cope with these issues. Specifically, TPE-Det leverages the serial peripheral interface bus to extract the on-chip traces and designs a recovery pipeline for operating logs. The advantages of this external monitor are adversary-unperceived and tamper-proof. The restored logs mainly include file operation commands, which are lightweight compared to complete records. Meanwhile, we deploy a series of machine learning models with respect to statistical, sequence, and graph features to identify malware. Empirical evaluation shows that our proposal has tamper-proof capability, high-detection accuracy, and low-time/space overhead compared to state-of-the-art methods.

engineering, electrical & electronic,computer science, interdisciplinary applications, hardware & architecture

Jun Xu,Dongliang Mu,Xinyu Xing,Peng Liu,Ping Chen,Bing Mao

2017-01-01

Abstract:While a core dump carries a large amount of information, it barely serves as informative debugging aids in locating software faults because it carries information that indicates only a partial chronology of how program reached a crash site. Recently, this situation has been significantly improved. With the emergence of hardware assisted processor tracing, software developers and security analysts can trace program execution and integrate them into a core dump. In comparison with an ordinary core dump, the new post-crash artifact provides software developers and security analysts with more clues as to a program crash. To use it for failure diagnosis, however, it still requires strenuous manual efforts. In this work, we propose POMP, an automated tool to facilitate the analysis of post-crash artifacts. More specifically, POMP introduces a new reverse execution mechanism to construct the data flow that a program followed prior to its crash. By using the data flow, POMP then performs backward taint analysis and highlights those program statements that actually contribute to the crash. To demonstrate its effectiveness in pinpointing program statements truly pertaining to a program crash, we have implemented POMP for Linux system on x86-32 platform, and tested it against various program crashes resulting from 31 distinct real-world security vulnerabilities. We show that, POMP can accurately and efficiently pinpoint program statements that truly pertain to the crashes, making failure diagnosis significantly convenient.

Tony F. Wu,Karthik Ganesan,Yunqing Alexander Hu,H.-S. Philip Wong,Simon Wong,Subhasish Mitra

DOI: https://doi.org/10.1109/TCAD.2015.2474373

2015-08-25

Abstract:There are increasing concerns about possible malicious modifications of integrated circuits (ICs) used in critical applications. Such attacks are often referred to as hardware Trojans. While many techniques focus on hardware Trojan detection during IC testing, it is still possible for attacks to go undetected. Using a combination of new design techniques and new memory technologies, we present a new approach that detects a wide variety of hardware Trojans during IC testing and also during system operation in the field. Our approach can also prevent a wide variety of attacks during synthesis, place-and-route, and fabrication of ICs. It can be applied to any digital system, and can be tuned for both traditional and split-manufacturing methods. We demonstrate its applicability for both ASICs and FPGAs. Using fabricated test chips with Trojan emulation capabilities and also using simulations, we demonstrate: 1. The area and power costs of our approach can range between 7.4-165% and 0.07-60%, respectively, depending on the design and the attacks targeted; 2. The speed impact can be minimal (close to 0%); 3. Our approach can detect 99.998% of Trojans (emulated using test chips) that do not require detailed knowledge of the design being attacked; 4. Our approach can prevent 99.98% of specific attacks (simulated) that utilize detailed knowledge of the design being attacked (e.g., through reverse-engineering). 5. Our approach never produces any false positives, i.e., it does not report attacks when the IC operates correctly.

Hardware Architecture,Cryptography and Security

Lixin Li,Chao Wang

DOI: https://doi.org/10.1007/978-3-642-40787-1_31

2013-01-01

Abstract:Dynamic analysis techniques have made a significant impact in security practice, e.g. by automating some of the most tedious processes in detecting vulnerabilities. However, a significant gap remains between existing software tools and what many security applications demand. In this paper, we present our work on developing a cross-platform interactive analysis tool, which leverages techniques such as symbolic execution and taint tracking to analyze binary code on a range of platforms. The tool builds upon IDA, a popular reverse engineering platform, and provides a unified analysis engine to handle various instruction sets and operating systems. We have evaluated the tool on a set of real-world applications and shown that it can help identify the root causes of security vulnerabilities quickly.

Dajia Peng,Yunlong Feng,Yong Liu,Xin Liu,Wei Xue,Dexun Chen,Jiawei Song,Zuoning Chen

DOI: https://doi.org/10.1109/tpds.2022.3157690

IF: 5.3

2022-01-01

IEEE Transactions on Parallel and Distributed Systems

Abstract:This article presents Jdebug, a fast, non-intrusive and scalable fault locating tool for extreme-scale parallel applications. Large-scale debugging has drawn more attention with the increasing scale of supercomputers and applications. To eliminate program intrusion caused by traditional instrumentation or interception during debugging information acquisition, we introduce the out-of-band management into large-scale debugging. We propose a rapid information gathering scheme that separates user and debugging traffic to solve scalability problem and to eliminate program interference during merging data. Observations of Program Counters (PC) and performance characteristics in suspended applications find abnormalities and help locate abnormal threads caused by software errors or hardware failures effectively. Evaluation shows that Jdebug collects PCs of over 20 million cores on the new Sunway supercomputer within 1.97 seconds, and can locate the abnormal threads in 1.4 seconds with an accuracy of 92.5%. In the running test of three fundamental benchmarks (HPL, HPCG, Graph500) and seventeen real-world applications, Jdebug quickly and accurately locates abnormal threads to help find scalability errors and hardware failures including memory access failures, communication failures, and execution component failures, which validates its effectiveness.

computer science, theory & methods,engineering, electrical & electronic