research-article

Public Access

MOSE: Live Migration Based On-the-Fly Software Emulation

Authors:

Muhammad Azizul HakimAuthors Info & Claims

ACSAC '15: Proceedings of the 31st Annual Computer Security Applications Conference

Pages 221 - 230

https://doi.org/10.1145/2818000.2818022

Published: 07 December 2015 Publication History

Abstract

Software emulation has been proven useful in many scenarios, such as software testing, malware analysis, and intrusion response. However, fine-grained software emulation (e.g., at the instruction level) incurs considerable execution overhead (about 8x performance degradation), which hampers its use in production settings. In this paper, we propose MOSE (Live Migration based On-the-fly Software Emulation) that combines the performance advantages of hardware virtualization and the fine-grained analysis capability (comprehensiveness) of whole-system software emulation. Namely, a system can run as normal on a hardware-virtualized platform at near native speed, but when needed, it can be live-migrated to an emulator, not necessarily running on the same physical system, for in-depth analysis and triage; when the analysis is complete, the virtual machine can be migrated back to benefit from full hardware-virtualization again. In this way, the performance degradation is only experienced during analysis and triage. To demonstrate this new capability, we built a proof of concept on-the-fly software emulation system, based on QEMU/KVM and DECAF, the Dynamic Executable Code Analysis Framework. We also perform three case studies: automated kernel panic triage, live-patching a security vulnerability, and on-demand symbolic execution, to illustrate on-demand instruction level analysis.

References

[1]

Sean Cassidy. Diagnosis of the OpenSSL Heartbleed Bug. http://www.seancassidy.me/diagnosis-of-the-openssl-heartbleed-bug.html. Accessed May 17, 2015.

[2]

Vitaly Chipounov, Volodymyr Kuznetsov, and George Candea. The S2E Platform: Design, Implementation, and Applications. ACM Transactions on Computer Systems, February 2012.

Digital Library

[3]

Chow, J., Garfinkel, T., & Chen, P. Decoupling dynamic program analysis from execution in virtual environments. USENIX 2008 Annual Technical Conference, pp. 1--14.

Digital Library

[4]

B. Dolan-Gavitt, J. Hodosh, P. Hulin, T. Leek, R. Whelan. Repeatable Reverse Engineering for the Greater Good with PANDA. Columbia University Technical Report, CUCS-023-14, October, 2014.

[5]

Andrew Henderson, Aravind Prakash, Lok Kwong Yan, Xunchao Hu, Xujiewen Wang, Rundong Zhou, and Heng Yin. Make it work, make it right, make it fast: building a platform-neutral whole-system dynamic binary analysis platform. Proceedings of ISSTA'14.

Digital Library

[6]

Alex Ho, Michael Fetterman, Christopher Clark, Andrew Warfield, and Steven Hand. Practical taint-based protection using demand emulation. Proceedings of EuroSys '06.

Digital Library

[7]

Intel Corporation. Intel 64 and IA-32 Architectures: Software Developer's Manual, Volume 3A.

[8]

Kernel-based Virtual Machine. http://www.linux-kvm.org/page/Main_Page

[9]

Live migration in KVM. http://www.linux-kvm.org/page/Migration

[10]

Microsoft: Step by Step Guide for live migration. http://technet.microsoft.com/en-us/library/dd446679.aspx

[11]

OpenVZ checkpointing and live migration. http://wiki.openvz.org/Checkpointing_and_live_migration

[12]

QEMU. http://wiki.qemu.org/Main_Page

[13]

Swift, M. M., Annamalai, M., Bershad, B. N., & Levy, H. M. (2006). Recovering device drivers. ACM Transactions on Computer Systems, 24(4), 333--360.

Digital Library

[14]

s2e Team. Experimental KVM Snapshot Support. https://github.com/dslab-epfl/s2e/blob/master/docs/ImageInstallation.rst#experimental-kvm-snapshot-support

[15]

VMware vMotion: Virtual Machine Live Migration. http://www.vmware.com/products/vsphere/features/vmotion

[16]

HOWTO Article about Xen migration. http://www.linux.com/archive/feature/55773

[17]

Yan, L., Jayachandra, M., Zhang, M., & Yin, H. (2012). V2e: combining hardware virtualization and software emulation for transparent and extensible malware analysis. VEE (pp. 227--237).

Digital Library

[18]

netcat -- Linux man page, at http://linux.die.net/man/1/nc.

Cited By

Eswaran RYan MGopalan K(2024)Incorporating Memory Sharing-awareness in Multi-VM Live Migration2024 IEEE 24th International Symposium on Cluster, Cloud and Internet Computing (CCGrid)10.1109/CCGrid59990.2024.00084(667-670)Online publication date: 6-May-2024
https://doi.org/10.1109/CCGrid59990.2024.00084
Jiang MXu TZhou YHu YZhong MWu LLuo XRen KFalsafi BFerdman MLu SWenisch T(2022)EXAMINER: automatically locating inconsistent instructions between real devices and CPU emulators for ARMProceedings of the 27th ACM International Conference on Architectural Support for Programming Languages and Operating Systems10.1145/3503222.3507736(846-858)Online publication date: 28-Feb-2022
https://dl.acm.org/doi/10.1145/3503222.3507736
Estrada ZSprabery RYan LYu ZCampbell RKalbarczyk ZIyer R(2017)Using OS Design Patterns to Provide Reliability and Security as-a-Service for VM-based CloudsACM SIGPLAN Notices10.1145/3140607.305075952:7(157-170)Online publication date: 8-Apr-2017
https://dl.acm.org/doi/10.1145/3140607.3050759
Show More Cited By

Index Terms

MOSE: Live Migration Based On-the-Fly Software Emulation
1. Software and its engineering
  1. Software creation and management
    1. Software verification and validation
      1. Software defect analysis
        Software testing and debugging

Recommendations

SRVM: Hypervisor Support for Live Migration with Passthrough SR-IOV Network Devices
VEE '16

Single-Root I/O Virtualization (SR-IOV) is a specification that allows a single PCI Express (PCIe) device (ysical function or PF) to be used as multiple PCIe devices (virtual functions or VF). In a virtualization system, each VF can be directly assigned ...
SRVM: Hypervisor Support for Live Migration with Passthrough SR-IOV Network Devices
VEE '16: Proceedings of the12th ACM SIGPLAN/SIGOPS International Conference on Virtual Execution Environments

Single-Root I/O Virtualization (SR-IOV) is a specification that allows a single PCI Express (PCIe) device (ysical function or PF) to be used as multiple PCIe devices (virtual functions or VF). In a virtualization system, each VF can be directly assigned ...
Enabling Instantaneous Relocation of Virtual Machines with a Lightweight VMM Extension
CCGRID '10: Proceedings of the 2010 10th IEEE/ACM International Conference on Cluster, Cloud and Grid Computing

We are developing an efficient resource management system with aggressive virtual machine (VM) relocation among physical nodes in a data center. Existing live migration technology, however, requires a long time to change the execution host of a VM, it ...

Comments

Please enable JavaScript to view thecomments powered by Disqus.

Information & Contributors

Information

Published In

cover image ACM Other conferences

ACSAC '15: Proceedings of the 31st Annual Computer Security Applications Conference

December 2015

489 pages

ISBN:9781450336826

DOI:10.1145/2818000

Copyright © 2015 ACM.

© 2015 Association for Computing Machinery. ACM acknowledges that this contribution was authored or co-authored by an employee, contractor or affiliate of the United States government. As such, the United States Government retains a nonexclusive, royalty-free right to publish or reproduce this article, or to allow others to do so, for Government purposes only.

In-Cooperation

ACSA: Applied Computing Security Assoc

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 07 December 2015

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Author Tags

Qualifiers

Research-article
Research
Refereed limited

Funding Sources

Air Force Research Laboratory

Conference

ACSAC 2015

ACSAC 2015: 2015 Annual Computer Security Applications Conference

December 7 - 11, 2015

CA, Los Angeles, USA

Acceptance Rates

Overall Acceptance Rate 104 of 497 submissions, 21%

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

4
Total Citations
View Citations
375
Total Downloads

Downloads (Last 12 months)68
Downloads (Last 6 weeks)7

Reflects downloads up to 18 Nov 2024

Other Metrics

View Author Metrics

Citations

Cited By

Eswaran RYan MGopalan K(2024)Incorporating Memory Sharing-awareness in Multi-VM Live Migration2024 IEEE 24th International Symposium on Cluster, Cloud and Internet Computing (CCGrid)10.1109/CCGrid59990.2024.00084(667-670)Online publication date: 6-May-2024
https://doi.org/10.1109/CCGrid59990.2024.00084
Jiang MXu TZhou YHu YZhong MWu LLuo XRen KFalsafi BFerdman MLu SWenisch T(2022)EXAMINER: automatically locating inconsistent instructions between real devices and CPU emulators for ARMProceedings of the 27th ACM International Conference on Architectural Support for Programming Languages and Operating Systems10.1145/3503222.3507736(846-858)Online publication date: 28-Feb-2022
https://dl.acm.org/doi/10.1145/3503222.3507736
Estrada ZSprabery RYan LYu ZCampbell RKalbarczyk ZIyer R(2017)Using OS Design Patterns to Provide Reliability and Security as-a-Service for VM-based CloudsACM SIGPLAN Notices10.1145/3140607.305075952:7(157-170)Online publication date: 8-Apr-2017
https://dl.acm.org/doi/10.1145/3140607.3050759
Estrada ZSprabery RYan LYu ZCampbell RKalbarczyk ZIyer R(2017)Using OS Design Patterns to Provide Reliability and Security as-a-Service for VM-based CloudsProceedings of the 13th ACM SIGPLAN/SIGOPS International Conference on Virtual Execution Environments10.1145/3050748.3050759(157-170)Online publication date: 8-Apr-2017
https://dl.acm.org/doi/10.1145/3050748.3050759
Henderson AYan LHu XPrakash AYin HMcCamant S(2017)DECAFIEEE Transactions on Software Engineering10.1109/TSE.2016.258924243:2(164-184)Online publication date: 1-Feb-2017
https://dl.acm.org/doi/10.1109/TSE.2016.2589242

View Options

View options

PDF

View or Download as a PDF file.

eReader

View online with eReader.

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

Media

Figures

Other

Tables

View Table of Contents