Virtual Breakpoints for x86/64

01/28/2018

∙

Efficient, reliable trapping of execution in a program at the desired location is a linchpin technique for dynamic malware analysis. The progression of debuggers and malware is akin to a game of cat and mouse - each are constantly in a state of trying to thwart one another. At the core of most efficient debuggers today is a combination of virtual machines and traditional binary modification breakpoints (int3). In this paper, we present a design for Virtual Breakpoints. a modification to the x86 MMU which brings breakpoint management into hardware alongside page tables. In this paper we demonstrate the fundamental abstraction failures of current trapping methods, and design a new mechanism from the hardware up. This design incorporates lessons learned from 50 years of virtualization and debugger design to deliver fast, reliable trapping without the pitfalls of traditional binary modification.

READ FULL TEXT

Virtual Breakpoints for x86/64

Cichlid: Explicit physical memory management for large machines

A Generic Checkpoint-Restart Mechanism for Virtual Machines

A Bayesian Model Combination-based approach to Active Malware Analysis

Out of Hypervisor (OoH): When Nested Virtualization Becomes Practical

Drndalo: Lightweight Control Flow Obfuscation Through Minimal Processor/Compiler Co-Design

Devil is Virtual: Reversing Virtual Inheritance in C++ Binaries

Virtual Breakpoints for x86/64

Related Research

Cichlid: Explicit physical memory management for large machines

A Generic Checkpoint-Restart Mechanism for Virtual Machines

A Bayesian Model Combination-based approach to Active Malware Analysis

Out of Hypervisor (OoH): When Nested Virtualization Becomes Practical

Drndalo: Lightweight Control Flow Obfuscation Through Minimal Processor/Compiler Co-Design

Devil is Virtual: Reversing Virtual Inheritance in C++ Binaries