Application Debugging using Virtual Machine Introspection

Supervisor(s): Fatih Kilic
Status: finished
Topic: Monitoring (VMI etc.)
Author: Hannes Laner
Submission: 2016-09-14
Type of Thesis: Master's thesis
Proof of Concept: No
Thesis topic in co-operation with the Fraunhofer Institute for Applied and Integrated Security AISEC, Garching

Abstract:

Application security has become more important with the increasing impact of computer science on our everyday life. For this purpose, analysing threats such as malware is becoming more and more essential to protect modern systems. To provide a closed-box environment where malicious code can be analysed, virtualization is used to isolate an operating system, while the virtual machine manager keeps control over the underlying hardware. In this thesis we present our implementation of native debugging functionality applied to a target application inside a virtualized environment. Breakpoints are placed, removed and handled from outside the virtualized operating system, allowing us to further increase the security of the debugger. We explain how we make sure the virtualized environment executes our breakpoints and explore ways of keeping even the existence of breakpoints hidden from the target application. The tool presented in this thesis allows applications to be debugged without interfering with the integrity of the target, while supporting self-modifying binaries by installing stealth hardware breakpoints.