Hiding in the Shadows: Empowering ARM for Stealthy Virtual Machine Introspection

ARM has become the leading processor architecture for mobile and IoT devices, while it has recently started claiming a bigger slice of the server market pie as well. As such, it will not be long before malware more regularly targets the ARM architecture. Therefore, the stealthy operation of Virtual Machine Introspection (VMI) is an obligation to successfully analyze and proactively mitigate this growing threat. Stealthy VMI has proven itself perfectly suitable for malware analysis on Intel’s architecture, yet it often lacks the foundation required to be equally effective on ARM. In this paper, we closely examine both ARMv7 and ARMv8 architectures to identify shortcomings and develop novel techniques necessary for effective virtualization-based dynamic malware analysis. We implement and open-source a prototype, named altp2m, for the open source Xen Project hypervisor on ARM. Compared to traditional VMI approaches, our solution enables hypervisors to dynamically allocate and switch among multiple guest memory views by utilizing the Second Level Address Translation (SLAT). Further, we implement an alternative single-stepping mechanism and leverage the execute-only capability of the SLAT mechanism on ARMv8 to enable stealthy in-guest instrumentation. To also target ARMv7-based systems, we manipulate the TLB organization through altp2m to coordinate the guest kernel execution flow. To demonstrate the effectiveness of our system, we combine all building blocks of our work to form the foundation for the dynamic malware analysis system DRAKVUF on ARM. Overall, our experiments reveal that our novel dynamic analysis system is stealthy, efficient, and perfectly suited to assist malware analysts in quickly comprehending the behavior and reducing the mitigation time of malware targeting ARM.

Authors: Sergej Proskurin, Tamas Lengyel, Marius Momeu, Claudia Eckert, and Apostolis Zarras
Year/month: 2018/12
Booktitle: Annual Computer Security Applications Conference (ACSAC)
Note: Outstanding Paper Award
Fulltext: 2018-acsac-arm-altp2m.pdf

Bibtex:

@conference {
author = { Sergej Proskurin and Tamas Lengyel and Marius Momeu and Claudia Eckert and Apostolis Zarras },
title = { Hiding in the Shadows: Empowering ARM for Stealthy Virtual Machine Introspection },
year = { 2018 },
month = { December },
booktitle = { Annual Computer Security Applications Conference (ACSAC) },
note = { Outstanding Paper Award },
url = { https://www.acsac.org/2018/openconf/modules/request.php?module=oc_program&action=summary.php&id=17 },
url = {https://www.sec.in.tum.de/i20/publications/hiding-in-the-shadows-empowering-arm-for-stealthy-virtual-machine-introspection/@@download/file/2018-acsac-arm-altp2m.pdf}
}