Using Hardware Performance Events for Instruction-Level Monitoring on the x86 Architecture

Full virtualization has become one of the basic technologies for the development of security applications. This is because full virtualization provides important properties such as isolation and transparency that are essential for building robust security mechanisms. However, a fact that is often overlooked is that full virtualization also enables developers to make full use of the existing hardware features. By using these features in novel ways, it is possible to create new, robust hardware-based security mechanisms. In this paper we make use of the Performance Monitoring Counters (PMCs), which are available on most mainstream processors, to provide PMC-based trapping, a general concept for trapping hardware performance events to the hypervisor. We build on this concept by proposing a novel approach to monitoring applications running within a virtual machine at the instruction level from the hypervisor. In contrast to existing approaches, this approach allows us not only to monitor all instructions of a program, but also to limit the monitoring to specific instruction types. To demonstrate the possibilities of such an approach we implemented a shadow stack that protects the return addresses of functions running within a virtual machine from the hypervisor by trapping only call and return instructions.
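The shadow-stack check described in the abstract, as an added illustration that is not the paper's own code: the hypervisor-side monitor receives one event per trapped call or return instruction, records the return address pushed by each call, and verifies that each return pops the address it expects. The event format, the `trap_event` type and the sample traces are constructed for this example; a real monitor would read the guest stack and instruction pointer at the trap.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* One trapped instruction as delivered to the hypervisor-side monitor (constructed format). */
typedef enum { EV_CALL, EV_RET } ev_kind;
typedef struct {
    ev_kind kind;
    uint64_t addr; /* EV_CALL: return address the call pushed; EV_RET: address the ret actually pops */
} trap_event;

#define SHADOW_DEPTH 256
typedef struct {
    uint64_t ret[SHADOW_DEPTH];
    size_t depth;
    size_t violations; /* mismatched or unbalanced returns, and depth overflows */
} shadow_stack;

/* Returns 0 when the event is consistent with the shadow stack, -1 on a detected violation.
   Mismatches are counted and the monitor keeps going so later events are still checked. */
static int shadow_handle(shadow_stack *s, const trap_event *ev) {
    if (ev->kind == EV_CALL) {
        if (s->depth == SHADOW_DEPTH) { s->violations++; return -1; }
        s->ret[s->depth++] = ev->addr;
        return 0;
    }
    if (s->depth == 0) { s->violations++; return -1; } /* ret with no matching call */
    uint64_t expected = s->ret[--s->depth];
    if (expected != ev->addr) { s->violations++; return -1; } /* return address was modified */
    return 0;
}

/* Replays a trace of trapped call/ret events; returns the number of violations found. */
size_t shadow_replay(const trap_event *trace, size_t n) {
    shadow_stack s;
    memset(&s, 0, sizeof s);
    for (size_t i = 0; i < n; i++)
        if (shadow_handle(&s, &trace[i]) != 0)
            printf("event %zu: ret to 0x%llx does not match shadow stack\n",
                   i, (unsigned long long)trace[i].addr);
    return s.violations;
}

/* Constructed traces: a well-nested call/ret sequence, and one whose inner return address was overwritten. */
const trap_event trace_benign[] = {
    {EV_CALL, 0x401010}, {EV_CALL, 0x401200}, {EV_RET, 0x401200}, {EV_RET, 0x401010}};
const trap_event trace_tampered[] = {
    {EV_CALL, 0x401010}, {EV_CALL, 0x401200}, {EV_RET, 0x402f00}, {EV_RET, 0x401010}};
#define TRACE_BENIGN_LEN   (sizeof trace_benign / sizeof trace_benign[0])
#define TRACE_TAMPERED_LEN (sizeof trace_tampered / sizeof trace_tampered[0])

int main(void) {
    printf("benign: %zu violations\n", shadow_replay(trace_benign, TRACE_BENIGN_LEN));
    printf("tampered: %zu violations\n", shadow_replay(trace_tampered, TRACE_TAMPERED_LEN));
    return 0;
}
```

A production monitor would also need a policy for legitimate non-returning control flow such as longjmp or exception unwinding, which this check would otherwise report as violations.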
