Tracing Privileged Memory Accesses to Discover Software Vulnerabilities

Shared memory is an important mechanism for efficient inter-process communication. When one side of the communication has higher privileges than its counterpart, the shared memory interface becomes a trust boundary, and the privileged code operating on it needs to be audited for security vulnerabilities. In this thesis we present an approach based on memory tracing to discover vulnerabilities in shared memory interfaces. In contrast to other work in this area, the presented implementation is based on hardware-assisted virtualization and manipulates EPT (Extended Page Table) permissions to intercept memory accesses. We evaluate our implementation against paravirtualized device drivers for the Xen hypervisor, which use shared memory for inter-domain communication. Besides successfully identifying the privileged components responsible for processing untrusted shared memory data, the presented analysis algorithms are used to discover three novel security vulnerabilities in security-critical backend components.
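The following C program is an added illustration, not code from the thesis, of the mechanism the abstract describes: the shared pages have their EPT permissions stripped so that every privileged access to them traps and is logged, and the resulting trace is then analysed. The thesis does not name its analysis algorithms; the two shown here are the editor's choices: collecting the distinct backend instruction addresses that touch shared memory (the privileged components processing untrusted data), and flagging a shared address that is read at two different sites within one request (a double fetch, where the guest can change the value between the check and the use). The page layout, the addresses, and the access stream are constructed, and the permission array is a toy stand-in for real EPT entries.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define PAGE_SHIFT 12
#define NPAGES 8   /* toy guest-physical space of 8 pages (constructed) */

/* One memory access performed by the privileged (backend) domain. */
struct access {
    uint64_t pc;    /* backend instruction that performed the access */
    uint64_t gpa;   /* guest-physical address touched */
    uint8_t  size;  /* access width in bytes */
    bool     write;
};

/* Toy stand-in for EPT permissions, one byte per page:
 * bit 0 = read allowed, bit 1 = write allowed. Clearing both bits on a
 * shared page makes every access to it cause an EPT violation. */
static uint8_t ept_perm[NPAGES];

static void ept_trap_page(uint64_t gpa)  { ept_perm[gpa >> PAGE_SHIFT] = 0; }
static void ept_allow_page(uint64_t gpa) { ept_perm[gpa >> PAGE_SHIFT] = 3; }

/* Run the raw access stream through the permission check and record the
 * accesses that would have caused an EPT violation, i.e. the traced ones.
 * Returns the number of recorded accesses. */
static size_t trace_privileged_accesses(const struct access *raw, size_t n,
                                        struct access *out, size_t max)
{
    size_t k = 0;
    for (size_t i = 0; i < n; i++) {
        uint8_t need = raw[i].write ? 2 : 1;
        if (ept_perm[raw[i].gpa >> PAGE_SHIFT] & need)
            continue;                   /* permitted: no exit, not traced */
        if (k < max) out[k++] = raw[i]; /* violation: log it */
    }
    return k;
}

/* Distinct instruction addresses that touched traced memory: the privileged
 * code sites that consume untrusted shared data. */
static size_t distinct_pcs(const struct access *t, size_t n, uint64_t *pcs, size_t max)
{
    size_t k = 0;
    for (size_t i = 0; i < n; i++) {
        bool seen = false;
        for (size_t j = 0; j < k; j++) if (pcs[j] == t[i].pc) { seen = true; break; }
        if (!seen && k < max) pcs[k++] = t[i].pc;
    }
    return k;
}

/* Double-fetch heuristic: the same shared address read at two different PCs
 * within one traced request. A check performed on the first read does not
 * protect the second, because the guest owns the page in between. */
static size_t find_double_fetches(const struct access *t, size_t n, uint64_t *gpas, size_t max)
{
    size_t k = 0;
    for (size_t i = 0; i < n; i++) {
        if (t[i].write) continue;
        for (size_t j = i + 1; j < n; j++) {
            if (t[j].write || t[j].gpa != t[i].gpa || t[j].pc == t[i].pc) continue;
            bool dup = false;
            for (size_t m = 0; m < k; m++) if (gpas[m] == t[i].gpa) dup = true;
            if (!dup && k < max) gpas[k++] = t[i].gpa;
        }
    }
    return k;
}

/* Constructed access stream of a hypothetical backend handling one request.
 * Page 0x3000 is the shared ring; page 0x5000 is backend-private memory. */
static const struct access sample_raw[] = {
    { 0x401000, 0x3010, 4, false },  /* read req->len from the shared ring    */
    { 0x401008, 0x5000, 4, true  },  /* store the checked length locally      */
    { 0x401020, 0x3014, 8, false },  /* read req->gref                        */
    { 0x401040, 0x3010, 4, false },  /* read req->len AGAIN for the copy size */
    { 0x401050, 0x5008, 4, true  },  /* private bookkeeping write             */
};

/* Whole pipeline on the constructed stream. Returns the number of double
 * fetches found and reports the traced-access and code-site counts. */
static size_t analyse_sample(size_t *n_traced, size_t *n_pcs)
{
    struct access traced[16];
    uint64_t pcs[16], gpas[16];
    for (uint64_t p = 0; p < NPAGES; p++) ept_allow_page(p << PAGE_SHIFT);
    ept_trap_page(0x3000);   /* trace only the shared ring page */
    size_t nt = trace_privileged_accesses(sample_raw, sizeof sample_raw / sizeof *sample_raw, traced, 16);
    size_t np = distinct_pcs(traced, nt, pcs, 16);
    size_t nd = find_double_fetches(traced, nt, gpas, 16);
    if (n_traced) *n_traced = nt;
    if (n_pcs) *n_pcs = np;
    return nd;
}

int main(void)
{
    size_t nt, np;
    size_t nd = analyse_sample(&nt, &np);
    printf("traced accesses: %zu, privileged code sites: %zu, double fetches: %zu\n", nt, np, nd);
    return 0;
}
```

On real hardware the trap handler has more to do than log: after recording the violating access it has to restore the page's permissions, single-step the faulting instruction (or emulate it), and strip the permissions again, otherwise the guest never makes progress. The toy above skips that and only models which accesses become visible to the tracer.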
