ABSTRACT
We present PANDA, an open-source tool that has been purpose-built to support whole-system reverse engineering. It is built upon the QEMU whole-system emulator, so analyses have access to all code executing in the guest and to all of its data. PANDA adds the ability to record and replay executions, enabling iterative, deep, whole-system analyses. Further, the replay log files are compact and shareable, allowing for repeatable experiments: a nine-billion-instruction boot of FreeBSD, for example, is represented by only a few hundred MB. PANDA leverages QEMU's support for thirteen different CPU architectures to make analyses of those diverse instruction sets possible within the LLVM IR. In this way, PANDA can have a single dynamic taint analysis, for example, that precisely supports many CPUs. PANDA analyses are written in a simple plugin architecture which includes a mechanism to share functionality between plugins, increasing analysis code reuse and simplifying the development of complex analyses. We demonstrate PANDA's effectiveness via a number of use cases, including enabling an old but legitimately purchased game to run despite a lost CD key, in-depth diagnosis of an Internet Explorer crash, and uncovering the censorship activities and mechanisms of an IM client.