2013 - Tappan Zee (North) Bridge: Mining Memory Accesses for Introspection
Information
Approach
Memory accesses observed at runtime as an information source about system and application activity
e.g. when visiting a URL, a web browser must write to memory the URL that is being visited, and it will generally do so at the same point in the program. By intercepting memory accesses made at this program point we can observe all URLs visited.
Challenge
There is a sheer amount of data that must be sifted through.
Analyzing every memory access online (during the live execution) is not practical and is extremely costly in performance terms.
Tap points
Defined as (caller, program counter, address space)
The program counter identifies the instruction; the caller and the address space disambiguate accesses made by the same instruction (e.g. a shared copy routine) on behalf of different callers or different processes.
This separates memory accesses into streams that carry the same kind of data.
Correlated tap points
Deals with data that should logically be kept together
Run a pass over the recorded execution that notices when two tap points write to adjacent memory locations within a short period of time
The idea is that such tap points may be more usefully considered jointly
e.g. a single data structure may have its fields set by successive writes
These writes would come from different program counters
They would therefore be split into different tap points
It may be more useful to examine the data structure as a whole
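As an added illustration (this is not code from the paper or from PANDA), the following Python runs the adjacency pass over a constructed write trace. Each record carries a tick (replay order), the tap point triple (caller, pc, asid), the address and the bytes written; the field names, the sample addresses and the 16-tick window are assumptions chosen for the example. Tap points whose writes touch adjacent bytes within the window are merged with union-find, and the fifth write shows the failure mode the window is there to avoid: adjacent addresses, but far apart in time, stay separate.

```python
from collections import defaultdict, namedtuple

# One recorded memory write from a replayed execution (constructed sample data,
# not a real PANDA trace). A tap point is (caller, pc, asid); `tick` orders the
# accesses within the replay and `data` is the bytes written.
Write = namedtuple("Write", "tick caller pc asid addr data")


def tap_point(w):
    return (w.caller, w.pc, w.asid)


def find_correlated(writes, window=16):
    """Union-find over tap points: two tap points are joined whenever their
    writes land on adjacent bytes within `window` ticks of each other.
    Returns a list of sets of tap points (singletons included)."""
    parent = {}

    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    def union(a, b):
        ra, rb = find(a), find(b)
        if ra != rb:
            parent[ra] = rb

    recent = []  # writes still inside the time window, oldest first
    for w in sorted(writes, key=lambda w: w.tick):
        tp = tap_point(w)
        find(tp)  # register the tap point even if it never correlates
        recent = [r for r in recent if w.tick - r.tick <= window]
        for r in recent:
            if tap_point(r) == tp or r.asid != w.asid:
                continue  # same stream, or another process's address space
            adjacent = (r.addr + len(r.data) == w.addr) or (w.addr + len(w.data) == r.addr)
            if adjacent:
                union(tap_point(r), tp)
        recent.append(w)

    groups = defaultdict(set)
    for tp in parent:
        groups[find(tp)].add(tp)
    return sorted(groups.values(), key=lambda g: sorted(g))


# Constructed trace: three program counters in one function fill consecutive
# fields of one structure at 0x7000; a fourth writes elsewhere; a fifth writes
# right next to the fourth but 100 ticks later, outside the window.
CALLER, ASID = 0x400800, 0x1000
SAMPLE_WRITES = [
    Write(100, CALLER, 0x401000, ASID, 0x7000, b"\x01\x00\x00\x00"),
    Write(101, CALLER, 0x401010, ASID, 0x7004, b"\x02\x00\x00\x00"),
    Write(102, CALLER, 0x401020, ASID, 0x7008, b"\x00" * 8),
    Write(103, CALLER, 0x402000, ASID, 0x9000, b"\xff" * 4),
    Write(203, CALLER, 0x403000, ASID, 0x9004, b"\xee" * 4),
]

if __name__ == "__main__":
    for group in find_correlated(SAMPLE_WRITES):
        print([f"(caller={c:#x}, pc={p:#x}, asid={a:#x})" for c, p, a in sorted(group)])
```

The three structure-filling program counters come out as one group, while the two late writes each remain a singleton. On a real recording the window would be expressed in whatever unit the replay counts (instructions or accesses), and a merged group is what one would then dump as a single structure rather than as three disconnected streams.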
Finding tap points
Create recording of whole system execution
Approach
Known knowns
Tap points where the content of the desired data is known
e.g. find a tap point that can be used to notify the hypervisor whenever a URL is entered in a browser
One can visit a known sequence of URLs, and then monitor all tap points, searching for specific byte sequences that make up those URLs.
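As an added example (not code from the paper or from PANDA), the following Python performs that known-knowns search over a constructed access trace. It first concatenates, per tap point, the bytes each one touched, because a string is usually copied a few bytes per loop iteration and no single access contains the whole URL; it then searches every stream for the byte sequences of the URLs the analyst visited. The record layout, the sample addresses and the choice to also try a UTF-16LE encoding of each URL (browsers often hold strings as wide characters) are my assumptions for the example.

```python
from collections import defaultdict, namedtuple

# One recorded memory access from a replayed execution (constructed sample data,
# not a real PANDA trace). A tap point is (caller, pc, asid).
Access = namedtuple("Access", "tick caller pc asid addr data")


def streams_by_tap_point(accesses):
    """Concatenate, in replay order, the bytes each tap point touched. Searching
    the stream rather than single accesses matters because a string is usually
    copied a few bytes per iteration by the same instruction."""
    streams = defaultdict(bytearray)
    for a in sorted(accesses, key=lambda a: a.tick):
        streams[(a.caller, a.pc, a.asid)] += a.data
    return streams


def search_known_knowns(accesses, needles, encodings=("ascii", "utf-16-le")):
    """Map each tap point to the set of known strings found in its stream.
    Trying a wide encoding as well is an assumption of this example."""
    hits = {}
    for tp, stream in streams_by_tap_point(accesses).items():
        found = {n for n in needles if any(n.encode(e) in stream for e in encodings)}
        if found:
            hits[tp] = found
    return hits


def candidate_tap_points(accesses, needles):
    """Tap points whose stream contained every known string: the ones worth
    validating as a URL hook."""
    return sorted(tp for tp, found in search_known_knowns(accesses, needles).items()
                  if found == set(needles))


def chunked_writes(caller, pc, asid, base, start_tick, data, chunk=4):
    """Simulate a copy loop: one tap point writes `data` `chunk` bytes at a time."""
    return [Access(start_tick + i, caller, pc, asid, base + off, data[off:off + chunk])
            for i, off in enumerate(range(0, len(data), chunk))]


# Constructed scenario: the analyst visited these two URLs during the recording.
URLS = ["http://example.com/one", "http://example.com/two"]
CALLER, ASID = 0x400800, 0x1000
SAMPLE_ACCESSES = (
    # a byte-copy loop that sees every URL (the tap point we want)
    chunked_writes(CALLER, 0x401000, ASID, 0x7000, 100, URLS[0].encode())
    + chunked_writes(CALLER, 0x401000, ASID, 0x7000, 200, URLS[1].encode())
    # a wide-string copy that also sees every URL
    + chunked_writes(CALLER, 0x405000, ASID, 0x8000, 150, URLS[0].encode("utf-16-le"), chunk=16)
    + chunked_writes(CALLER, 0x405000, ASID, 0x8000, 250, URLS[1].encode("utf-16-le"), chunk=16)
    # a tap point that only saw the first URL (e.g. a one-off cache write)
    + chunked_writes(CALLER, 0x406000, ASID, 0x9000, 120, URLS[0].encode(), chunk=8)
    # unrelated data
    + chunked_writes(CALLER, 0x407000, ASID, 0xA000, 130, bytes(range(32)))
)

if __name__ == "__main__":
    for tp, found in sorted(search_known_knowns(SAMPLE_ACCESSES, URLS).items()):
        print(f"caller={tp[0]:#x} pc={tp[1]:#x} asid={tp[2]:#x}: {sorted(found)}")
    print("candidates:", candidate_tap_points(SAMPLE_ACCESSES, URLS))
```

Requiring every visited URL, not just one, is what filters out tap points that merely happened to see a single string (the 0x406000 stream above). The surviving candidates still need validation on a fresh recording with different URLs before being used as a hook.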
Known unknowns
Tap points where the kind of data sought is known, but its precise format is not
Unknown unknowns
Tap points where the type and format of the data sought are not known, and we are instead simply trying to find “interesting” tap points
As PANDA plugin
The plugin is called on each memory access made during a replayed execution and, at the end, writes out a report on the tap points analyzed.
Tap points found should be validated (e.g. on a fresh recording) to ensure that they do provide the desired information
TZB in PANDA
The ability to introspect into the behavior of software at runtime is crucial for many security-related tasks, e.g. virtual machine-based intrusion detection and low-artifact malware analysis.
Goals
Problem
It is difficult to extract useful information from user-level applications, because observation happens at a lower level (the hypervisor sees raw memory and registers, not application-level semantics)
Discovering points within the OS and applications to hook for active monitoring is still an entirely manual process