Undetectable Debugger
| Název práce v češtině: | Undetectable Debugger |
|---|---|
| Název v anglickém jazyce: | Undetectable Debugger |
| Klíčová slova: | virtualization, debugging, malware |
| Klíčová slova anglicky: | virtualization, debugging, malware |
| Akademický rok vypsání: | 2011/2012 |
| Typ práce: | diplomová práce |
| Jazyk práce: | angličtina |
| Ústav: | Katedra distribuovaných a spolehlivých systémů (32-KDSS) |
| Vedoucí / školitel: | Mgr. Martin Děcký, Ph.D. |
| Řešitel: | skrytý - zadáno a potvrzeno stud. odd. |
| Datum přihlášení: | 14.10.2011 |
| Datum zadání: | 31.10.2011 |
| Datum potvrzení stud. oddělením: | 07.12.2011 |
| Datum a čas obhajoby: | 03.09.2012 10:30 |
| Datum odevzdání elektronické podoby: | 03.08.2012 |
| Datum odevzdání tištěné podoby: | 03.08.2012 |
| Datum proběhlé obhajoby: | 03.09.2012 |
| Oponenti: | RNDr. Mgr. Lukáš Marek, Ph.D. |
| Zásady pro vypracování |
| Using debuggers is a common means for identifying and analysing malware (such as viruses, trojan horses, worms, spyware, rootkits, etc.). However, most user-space and even kernel-based debuggers can be detected by malware via observing different behaviour of specific OS API calls, continuous checksumming of the malware code and identifying breakpoint instructions and observing discrepancies in CPU behaviour, effectively hiding the malicious code from the person analysing the malware and making the process tedious and error-prone at best.
The goal of this thesis is to implement a basic debugger server which uses hardware virtualization (based on QEMU/KVM) to hide completely its existence from the debugee and at the same time creating a safe sandbox where the malware is free to execute its malicious code without actually endangering any valuable assets. Although the debugger can technically control the entire virtual machine, it also keeps track of the internal data structures of the guest operating system to be able to follow the execution path of a single thread in the guest operating system (and ignore other threads, context switches, kernel exception handling, etc.), thus providing the same comfort to the end-user as in the case of any common user-space debugger. |
| Seznam odborné literatury |
| Tanenbaum, Woodhull: Operating Systems Design and Implementation
Hofmann: The Solaris Operating System on x86 Platforms, Crashdump Analysis, Operating System Internals Jackson: An Anti-Reverse Engineering Guide (http://www.codeproject.com/KB/security/AntiReverseEngineering.aspx) |
| Předběžná náplň práce |
| Using debuggers is a common means for identifying and analysing malware (such as viruses, trojan horses, worms, spyware, rootkits, etc.). However, most user-space and even kernel-based debuggers can be detected by malware via observing different behaviour of specific OS API calls, continuous checksumming of the malware code and identifying breakpoint instructions and observing discrepancies in CPU behaviour, effectively hiding the malicious code from the person analysing the malware and making the process tedious and error-prone at best.
The goal of this thesis is to implement a basic debugger server which uses hardware virtualization (based on QEMU/KVM) to hide completely its existence from the debugee and at the same time creating a safe sandbox where the malware is free to execute its malicious code without actually endangering any valuable assets. Although the debugger can technically control the entire virtual machine, it also keeps track of the internal data structures of the guest operating system to be able to follow the execution path of a single thread in the guest operating system (and ignore other threads, context switches, kernel exception handling, etc.), thus providing the same comfort to the end-user as in the case of any common user-space debugger. |
| Předběžná náplň práce v anglickém jazyce |
| Using debuggers is a common means for identifying and analysing malware (such as viruses, trojan horses, worms, spyware, rootkits, etc.). However, most user-space and even kernel-based debuggers can be detected by malware via observing different behaviour of specific OS API calls, continuous checksumming of the malware code and identifying breakpoint instructions and observing discrepancies in CPU behaviour, effectively hiding the malicious code from the person analysing the malware and making the process tedious and error-prone at best.
The goal of this thesis is to implement a basic debugger server which uses hardware virtualization (based on QEMU/KVM) to hide completely its existence from the debugee and at the same time creating a safe sandbox where the malware is free to execute its malicious code without actually endangering any valuable assets. Although the debugger can technically control the entire virtual machine, it also keeps track of the internal data structures of the guest operating system to be able to follow the execution path of a single thread in the guest operating system (and ignore other threads, context switches, kernel exception handling, etc.), thus providing the same comfort to the end-user as in the case of any common user-space debugger. |