research-article

Composable multi-level debugging with Stackdb

Authors:

Eric EideAuthors Info & Claims

VEE '14: Proceedings of the 10th ACM SIGPLAN/SIGOPS international conference on Virtual execution environments

Pages 213 - 226

https://doi.org/10.1145/2576195.2576212

Published: 01 March 2014 Publication History

Abstract

Virtual machine introspection (VMI) allows users to debug software that executes within a virtual machine. To support rich, whole-system analyses, a VMI tool must inspect and control systems at multiple levels of the software stack. Traditional debuggers enable inspection and control, but they limit users to treating a whole system as just one kind of target: e.g., just a kernel, or just a process, but not both.

We created Stackdb, a debugging library with VMI support that allows one to monitor and control a whole system through multiple, coordinated targets. A target corresponds to a particular level of the system's software stack; multiple targets allow a user to observe a VM guest at several levels of abstraction simultaneously. For example, with Stackdb, one can observe a PHP script running in a Linux process in a Xen VM via three coordinated targets at the language, process, and kernel levels. Within Stackdb, higher-level targets are components that utilize lower-level targets; a key contribution of Stackdb is its API that supports multi-level and flexible "stacks" of targets. This paper describes the challenges we faced in creating Stackdb, presents the solutions we devised, and evaluates Stackdb through its application to a security-focused, whole-system case study.

References

[1]

P. P. Bungale and C.-K. Luk. PinOS: A programmable framework for whole-system dynamic instrumentation. In Proc. VEE, pages 137--147, June 2007.

Digital Library

[2]

P. M. Chen and B. D. Noble. When virtual is better than real. In Proc. HotOS, pages 133--138, May 2001.

Digital Library

[3]

J.-H. Chiang, H.-L. Li, and T. Chiueh. Introspection-based memory de-duplication and migration. In Proc. VEE, pages 51--61, Mar. 2013.

Digital Library

[4]

[email protected]. distorm - Powerful Disassembler Library For x86/AMD64. http://code.google.com/p/distorm/.

[5]

B. Dolan-Gavitt, T. Leek, M. Zhivich, J. Giffin, and W. Lee. Virtuoso: Narrowing the semantic gap in virtual machine introspection. In Proc. IEEE S&P, pages 297--312, May 2011.

Digital Library

[6]

T. Garfinkel and M. Rosenblum. A virtual machine introspection based architecture for intrusion detection. In Proc. NDSS, Feb. 2003.

[7]

GDB Developers. GDB: The GNU Project Debugger. http://www.gnu.org/software/gdb/.

[8]

A. Ho. Personal communication, Nov. 2013.

[9]

A. Ho and S. Hand. On the design of a pervasive debugger. In Proc. AADEBUG, pages 117--122, Sept. 2005.

Digital Library

[10]

A. Ho, S. Hand, and T. Harris. PDB: Pervasive debugging with Xen. In Proc. GRID, pages 260--265, Nov. 2004.

Digital Library

[11]

A. Joshi, S. T. King, G. W. Dunlap, and P. M. Chen. Detecting past and present intrusions through vulnerability-specific predicates. In Proc. SOSP, pages 91--104, Oct. 2005.

Digital Library

[12]

B. Lee, M. Hirzel, R. Grimm, and K. S. McKinley. Debug all your code: Portable mixed-environment debugging. In Proc. OOPSLA, pages 207--226, Oct. 2009.

Digital Library

[13]

C.-K. Luk, R. Cohn, R. Muth, H. Patil, A. Klauser, G. Lowney, S. Wallace, V. J. Reddi, and K. Hazelwood. Pin: Building customized program analysis tools with dynamic instrumentation. In Proc. PLDI, pages 190--200, June 2005.

Digital Library

[14]

MITRE CorporationThe MITRE Corporation. CVE--2013--1763, Feb. 19, 2013. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1763.

[15]

B. Payne et al. vmitools - virtual machine introspection tools. http://code.google.com/p/vmitools/.

[16]

PHP GroupThe PHP Group. PHP at the Core: A Hacker's Guide. http://www.php.net/manual/en/internals2.php.

[17]

A. Srivastava and J. Giffin. Automatic discovery of parasitic malware. In Recent Advances in Intrusion Detection, volume 6307 of LNCS, pages 97--117. Springer, 2010.

Digital Library

[18]

Volatile Systems. The Volatility Framework: Volatile memory artifact extraction utility framework. https://www.volatilesystems.com/default/volatility.

[19]

J. Wessel. Using kgdb, kdb and the kernel debugger internals. http://www.kernel.org/pub/linux/kernel/people/jwessel/kdb/.

[20]

B. White, J. Lepreau, L. Stoller, R. Ricci, S. Guruprasad, M. Newbold, M. Hibler, C. Barb, and A. Joglekar. An integrated experimental environment for distributed systems and networks. In Proc. OSDI, pages 255--270, Dec. 2002.

Digital Library

[21]

L. K. Yan and H. Yin. DroidScope: Seamlessly reconstructing the OS and Dalvik semantic views for dynamic Android malware analysis. In Proc. USENIX Security, pages 569--584, Aug. 2012.

Digital Library

[22]

F. Zhang, K. Leach, K. Sun, and A. Stavrou. SPECTRE: A dependable introspection framework via system management mode. In Proc. DSN, pages 1--12, June 2013.

Digital Library

Cited By

Benyo BClark SPaulos APal P(2018)HYDRAProceedings of the 13th International Conference on Availability, Reliability and Security10.1145/3230833.3230861(1-10)Online publication date: 27-Aug-2018
https://dl.acm.org/doi/10.1145/3230833.3230861
Bushouse MReeves DZhao ZAhn GKrishnan RGhinita G(2018)HyperagentsProceedings of the Eighth ACM Conference on Data and Application Security and Privacy10.1145/3176258.3176317(212-223)Online publication date: 13-Mar-2018
https://dl.acm.org/doi/10.1145/3176258.3176317
Walter MKarlsson S(2017)Software Tools for Low-Level Software and Operating Systems ClassesProceedings of the 19th Workshop on Computer Architecture Education10.1145/3116214.3116241(16-23)Online publication date: 24-Jun-2017
https://dl.acm.org/doi/10.1145/3116214.3116241
Show More Cited By

Index Terms

Composable multi-level debugging with Stackdb
1. Software and its engineering
  1. Software creation and management
    1. Software verification and validation
      1. Software defect analysis
        Software testing and debugging

Recommendations

Composable multi-level debugging with Stackdb
VEE '14

Virtual machine introspection (VMI) allows users to debug software that executes within a virtual machine. To support rich, whole-system analyses, a VMI tool must inspect and control systems at multiple levels of the software stack. Traditional ...
Performance Analysis of Virtual Machine Introspection Tools in Cloud Environment
ICIA-16: Proceedings of the International Conference on Informatics and Analytics

Virtual Machine (VM) security is one of the biggest issues with a cloud environment. This issue could be solved with the help of Virtual Machine Introspection (VMI) tools. VMI tools monitor the state of Virtual machine running in the cloud environment. ...
Virtual Machine Introspection
SIN '14: Proceedings of the 7th International Conference on Security of Information and Networks

Due to exposure to the Internet, virtual machines (VMs) as forms of delivering virtualized infrastructures and resources represent a first point-of-target for security attackers who want to gain access into the virtualization environment. In-VM ...

Comments

Please enable JavaScript to view thecomments powered by Disqus.

Information & Contributors

Information

Published In

cover image ACM Conferences

VEE '14: Proceedings of the 10th ACM SIGPLAN/SIGOPS international conference on Virtual execution environments

March 2014

236 pages

ISBN:9781450327640

DOI:10.1145/2576195

General Chair:
Martin Hirzel
IBM Research
,
Program Chairs:
Erez Petrank
Technion
,
Dan Tsafrir
Technion

ACM SIGPLAN Notices Volume 49, Issue 7
VEE '14
July 2014
222 pages
ISSN:0362-1340
EISSN:1558-1160
DOI:10.1145/2674025
Editors:
Mark W. Bailey
Hamilton College, Clinton, NY
,
Rajeev Balasubramonian
University of Utah
,
Al Davis
University of Utah
,
Sarita Adve
University of Illinois at Urbana-Champ
Issue’s Table of Contents

Copyright © 2014 ACM.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Sponsors

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 01 March 2014

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Author Tags

Qualifiers

Research-article

Conference

VEE '14

Sponsor:

VEE '14: 10th ACM SIGPLAN/SIGOPS International Conference on Virtual Execution Environments

March 1 - 2, 2014

Utah, Salt Lake City, USA

Acceptance Rates

VEE '14 Paper Acceptance Rate 18 of 56 submissions, 32%;

Overall Acceptance Rate 80 of 235 submissions, 34%

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

10
Total Citations
View Citations
255
Total Downloads

Downloads (Last 12 months)2
Downloads (Last 6 weeks)0

Reflects downloads up to 18 Nov 2024

Other Metrics

View Author Metrics

Citations

Cited By

Benyo BClark SPaulos APal P(2018)HYDRAProceedings of the 13th International Conference on Availability, Reliability and Security10.1145/3230833.3230861(1-10)Online publication date: 27-Aug-2018
https://dl.acm.org/doi/10.1145/3230833.3230861
Bushouse MReeves DZhao ZAhn GKrishnan RGhinita G(2018)HyperagentsProceedings of the Eighth ACM Conference on Data and Application Security and Privacy10.1145/3176258.3176317(212-223)Online publication date: 13-Mar-2018
https://dl.acm.org/doi/10.1145/3176258.3176317
Walter MKarlsson S(2017)Software Tools for Low-Level Software and Operating Systems ClassesProceedings of the 19th Workshop on Computer Architecture Education10.1145/3116214.3116241(16-23)Online publication date: 24-Jun-2017
https://dl.acm.org/doi/10.1145/3116214.3116241
Taubmann BKolosnjaji B(2017)Architecture for Resource-Aware VMI-based Cloud Malware AnalysisProceedings of the 4th Workshop on Security in Highly Connected IT Systems10.1145/3099012.3099015(43-48)Online publication date: 19-Jun-2017
https://dl.acm.org/doi/10.1145/3099012.3099015
Bushouse MAhn SReeves DTrien JProwell SGoodall JBeaver JBridges R(2017)AravProceedings of the 12th Annual Conference on Cyber and Information Security Research10.1145/3064814.3064829(1-8)Online publication date: 4-Apr-2017
https://dl.acm.org/doi/10.1145/3064814.3064829
Du MLi F(2017)ATOM: Efficient Tracking, Monitoring, and Orchestration of Cloud ResourcesIEEE Transactions on Parallel and Distributed Systems10.1109/TPDS.2017.265246728:8(2172-2189)Online publication date: 1-Aug-2017
https://doi.org/10.1109/TPDS.2017.2652467
Nayak PHibler MJohnson DEide E(2017)A Wingman for Virtual AppliancesRuntime Verification10.1007/978-3-319-67531-2_25(390-399)Online publication date: 6-Sep-2017
https://doi.org/10.1007/978-3-319-67531-2_25
Du MLi F(2015)ATOMProceedings of the 2015 IEEE International Conference on Big Data (Big Data)10.1109/BigData.2015.7363764(271-278)Online publication date: 29-Oct-2015
https://dl.acm.org/doi/10.1109/BigData.2015.7363764
Zhou HBa HWang YWang ZMa JLi YQiao H(2019)Tenant-Oriented Monitoring for Customized Security Services in the CloudSymmetry10.3390/sym1102025211:2(252)Online publication date: 18-Feb-2019
https://doi.org/10.3390/sym11020252
Benyo BClark SPaulos APal P(2018)HYDRAProceedings of the 13th International Conference on Availability, Reliability and Security10.1145/3230833.3230861(1-10)Online publication date: 27-Aug-2018
https://dl.acm.org/doi/10.1145/3230833.3230861

View Options

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

View options

PDF

View or Download as a PDF file.

eReader

View online with eReader.

Media

Figures

Other

Tables

View Table of Contents