AMD SimNow Simulator 4.4.4 User Manual

Browse online or download the User Manual for Networking AMD SimNow Simulator 4.4.4. © 2012 Anh Minh Nguyen - Ideals - University of Illinois at Urbana User Manual


Content summary

Page 1 - 2012 Anh Minh Nguyen

c 2012 Anh Minh Nguyen

Page 2

1.3 Thesis Outline
Chapter 2 examines some of the related works in. We present the general design of MAVMM in chapter 3 and describe specific implementat

Page 3 - ABSTRACT

CHAPTER 2 RELATED WORKS
A significant motivation for our project is prior works on malware analysis in non-virtualized environment, including in-guest deb

Page 4

is known to be harder to detect hardware virtualization, malware is unlikely to go to great length to detect and avoid hardware virtualization platform

Page 5 - ACKNOWLEDGMENTS

CHAPTER 3 SYSTEM DESIGN
To develop our architecture, we study various techniques for virtualizing the system, extracting analytic features from the guest

Page 6 - TABLE OF CONTENTS

features that are not necessary for malware analysis. Needless to say, this complexity is a fruitful land for software bugs. A recent study shows that p

Page 7 - INTRODUCTION

3.3 Boot-strapping the Hypervisor
To get an accurate view of the monitored system’s activities, MAVMM needs to start earlier and run at a higher CPU pri

Page 8

control of each device’s view of the main memory. This is done by using a translation table, to control the mapping from device virtual addresses to mem

Page 9

logical address to guest physical address. Because we use an identity map in our nested page table, this guest physical address and its corresponding h

Page 10 - 1.3 Thesis Outline

3.5.3 Selective Analysis
We want the hypervisor to be as efficient and as unobtrusive as possible. Thus, we enable full analysis capabilities only when ne

Page 11 - RELATED WORKS

CHAPTER 4 IMPLEMENTATION
In this chapter, we discuss specific details related to the hardware virtualization technology and guest OS that we have chosen

Page 12

LIGHTWEIGHT AND PURPOSE BUILT HYPERVISOR FOR MALWARE ANALYSIS
BY
ANH MINH NGUYEN
THESIS
Submitted in partial fulfillment of the requirements for the degree o

Page 13 - SYSTEM DESIGN

files. When our system boots up, GRUB starts in host mode and begins to load MAVMM. GRUB passes a multiboot info structure to MAVMM, which defines the mem

Page 14

accesses. It uses a user-given bitmap to decide which memory pages are available for external DMA. We simply mark the VMM region as unavailable, and set

Page 15

MAVMM uses VMM introspection to get the ID of current thread. It then looks up information about the system call that this thread invoked. If it is a sy

Page 16 - 3.5 Feature Extraction

4.4.3 Getting Analysis Data
Given that we can use Simnow to bind a virtual serial port in the simulator to a real port on the hosting system, we current

Page 17 - 3.5.2 Getting Analysis Data

by itself. To get around this, we implement a transparent event forwarding mechanism using the single stepping TF flag in rflags register. When IRET or CR

Page 18 - 3.5.3 Selective Analysis

CHAPTER 5 EVALUATION
We have evaluated MAVMM in three aspects: functionality, detectability, and performance. We executed our experiments inside the AMD

Page 19 - IMPLEMENTATION

when we monitor a simple “Hello world” program. This information can be forwarded to a disassembler for further analysis, or it can be combined with high

Page 20

system calls, as shown in Figure 5.2.
>> unlink( Filename: /etc/passwd~ )
>> link( Old Filename: /etc/passwd, New Filename: /etc/passwd~ )
>

Page 21 - 4.4 Features Extraction

technique [50]. This technique can detect fully virtualized VMWare, which cannot be detected by IDT check. The results of our experiments are shown in T

Page 22

CPU cycles, an external timing source and some prior knowledge about the target system. This goes directly against common malware’s incentive to be stea

Page 23 - 4.4.4 Selective Analysis

ABSTRACT
Malicious software is rampant on the Internet and costs billions of dollars each year. Safe and thorough analysis of malware is key to protecti

Page 24

Figure 5.3: MAVMM performance overhead. Each group has three bars. First bar is execution time when MAVMM is disabled, second bar with MAVMM in compact

Page 25 - EVALUATION

CHAPTER 6 CONCLUSION
In this thesis, we design, implement, and evaluate the architecture of MAVMM, a lightweight VMM designed specially for malware analy

Page 26 - 5.1.2 High-level tracking

APPENDIX A LOGGING SYSTEM CALLS OF A ROOTKIT
+++++ process name: sh
+++++ process name: sh
+++++ process name: sh
+++++ process name: rootkit
process tracked

Page 27

lp:*:7:7:lp:/var/spool/lpd:/bin/false
httpd:*:41:41:HTTP Daemon:/var/lib/httpd:/bin/false
ftpd:*:42:42:FTP Daemon:/var/lib/ftpd:/bin/false
sshd:*:42:42:S

Page 28

REFERENCES
[1] C. Economics, “2007 Malware Report: The Economic Impact of Viruses, Spyware, Adware, Botnets and Other Malicious Code,” Tech. Rep., Jun 2

Page 29 - 5.3 Performance Overhead

[13] L. Zeltser, “Using VMware for Malware Analysis,” SearchSecurity.com, May 2007.
[14] A. Dinaburg, P. Royal, M. I. Sharif, and W. Lee, “Ether: malwar

Page 30

[28] T. Garfinkel and M. Rosenblum, “A Virtual Machine Introspection Based Architecture for Intrusion Detection,” in ISOC Network and Distributed Syste

Page 31 - CONCLUSION

[41] T. J. Ostrand and E. J. Weyuker, “The distribution of faults in a large industrial software system,” in ACM SIGSOFT international symposium on So

Page 32 - LOGGING SYSTEM CALLS OF A

To my parents, friends, and colleagues for their love and support.

Page 33

ACKNOWLEDGMENTS
I would like to thank my adviser Prof. Samuel T. King for the advice and support he has given me along the way. Prof. Carl A. Gunter als

Page 34 - REFERENCES

TABLE OF CONTENTS
CHAPTER 1 INTRODUCTION . . . . . . . . . . . . . . . . . . . . 1
1.1 Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Page 35

CHAPTER 1 INTRODUCTION
1.1 Overview
Malware - a representative term for viruses, worms, spyware, trojan horses, adware and rootkits - is a major threat to

Page 36

isolation, and its ability to take snapshots and roll back the guest’s state. In addition, VMM-based analyzers have a unique ability to monitor virtual

Page 37

support for virtualization [25, 26] and focusing only on malware analysis functionality, we were able to keep MAVMM small and simple. The TCB of our sys
