TY - GEN
T1 - Improving Transparency of Hardware Breakpoints with Virtual Machine Introspection
AU - Sato, Masaya
AU - Nakamura, Ryosuke
AU - Yamauchi, Toshihiro
AU - Taniguchi, Hideo
N1 - Funding Information:
This work was partially supported by KAKENHI Grant Numbers JP19H04109 and JP22H03592.
Publisher Copyright:
© 2022 IEEE.
PY - 2022
Y1 - 2022
N2 - Hardware breakpoints are used to monitor the behavior of a program on a virtual machine (VM). Although a virtual machine monitor (VMM) can inspect programs on a VM at hardware breakpoints, the programs themselves can detect hardware breakpoints by reading debug registers. Malicious programs may change their behavior to avoid introspection and other security mechanisms if a hardware breakpoint is detected. To prevent introspection evasion, methods for hiding hardware breakpoints by returning a fake value to the VM are proposed. These methods detect the read and write operations of the debug register from the VM and then return the processing to the VM as if their access has succeeded. However, VM introspection remains detectable from the VM by confirming the availability of the debug exception in the address set. While the previous work handles the read and write operations of the debug register, the debug exception is not delivered to the VM program. To address this problem, this study presents a method for making hardware breakpoints compatible with VM introspection. The proposed method uses surplus debug address registers to deliver the debug exception at the hardware breakpoint set by the VM program. If a VM program attempts to write a value to a debug register, the VMM detects and stores the value in a real debug register that is not used for VM introspection. Because debug exception at the hardware breakpoint was delivered to the VM, hardware breakpoints set by the VM were compatible with VM introspection. The evaluation results showed that the proposed method had a low performance overhead.
AB - Hardware breakpoints are used to monitor the behavior of a program on a virtual machine (VM). Although a virtual machine monitor (VMM) can inspect programs on a VM at hardware breakpoints, the programs themselves can detect hardware breakpoints by reading debug registers. Malicious programs may change their behavior to avoid introspection and other security mechanisms if a hardware breakpoint is detected. To prevent introspection evasion, methods for hiding hardware breakpoints by returning a fake value to the VM are proposed. These methods detect the read and write operations of the debug register from the VM and then return the processing to the VM as if their access has succeeded. However, VM introspection remains detectable from the VM by confirming the availability of the debug exception in the address set. While the previous work handles the read and write operations of the debug register, the debug exception is not delivered to the VM program. To address this problem, this study presents a method for making hardware breakpoints compatible with VM introspection. The proposed method uses surplus debug address registers to deliver the debug exception at the hardware breakpoint set by the VM program. If a VM program attempts to write a value to a debug register, the VMM detects and stores the value in a real debug register that is not used for VM introspection. Because debug exception at the hardware breakpoint was delivered to the VM, hardware breakpoints set by the VM were compatible with VM introspection. The evaluation results showed that the proposed method had a low performance overhead.
KW - anti-evasion
KW - hardware breakpoints
KW - virtual machine introspection
UR - http://www.scopus.com/inward/record.url?scp=85139557581&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85139557581&partnerID=8YFLogxK
U2 - 10.1109/IIAIAAI55812.2022.00031
DO - 10.1109/IIAIAAI55812.2022.00031
M3 - Conference contribution
AN - SCOPUS:85139557581
T3 - Proceedings - 2022 12th International Congress on Advanced Applied Informatics, IIAI-AAI 2022
SP - 113
EP - 117
BT - Proceedings - 2022 12th International Congress on Advanced Applied Informatics, IIAI-AAI 2022
A2 - Matsuo, Tokuro
A2 - Takamatsu, Kunihiko
A2 - Ono, Yuichi
PB - Institute of Electrical and Electronics Engineers Inc.
T2 - 12th International Congress on Advanced Applied Informatics, IIAI-AAI 2022
Y2 - 2 July 2022 through 7 July 2022
ER -