學術產出-學位論文

文章檢視/開啟

書目匯出

Google ScholarTM

政大圖書館

引文資訊

TAIR相關學術產出

題名 利用QEMU針對ARM虛擬機器上之行程進行動態函式追蹤
Real-time Application-aware Function Call Tracing for ARM Virtual Machine using QEMU
作者 林履誠
Lin, Lu-Cheng
貢獻者 蕭舜文
Hsiao, Shun-Wen
林履誠
Lin, Lu-Cheng
關鍵詞 動態追蹤
虛擬化
虛擬機器內省
ARM
Dynamic tracing
Virtualization
Virtual machine introspection
日期 2022
上傳時間 1-八月-2022 17:21:58 (UTC+8)
摘要 ARM硬體架構於行動裝置、個人電腦和雲端伺服器上面的市場份額占比越來越高,進而使針對ARM裝置的網路攻擊也隨之增加。因此,協助分析ARM裝置上的惡意攻擊行為的工具的需求也日益浮現。virtual machine introspection (VMI) 是一個利用virtual machine (VM) 來進行惡意軟體側錄跟惡意行為分析的技術,其先前在x86硬體架構上面已經有廣泛並且成熟的應用,然而此類工具在ARM裝置的支援仍然處遇前期的階段。本研究試圖利用QEMU,開發出一個能夠應用於ARM裝置上面的VMI系統。這個系統會專注於攔截並且側錄虛擬機器上面特定行程的函式呼叫。為了能夠開發出這樣的系統,我們在過程中面臨了兩個主要的問題:判斷需要監控的行程是否正在執行和如何在執行過程中攔截行程特定的函式呼叫。第一個問題我們主要利用行程的page table address跟ARM CPU上面的translation table base pointer比對,來解決判斷行程的問題。第二個問題我們利用了QEMU內部translation block的機制,進而找到適合的攔截函式呼叫的時機。
在實作這個VMI系統時,我們修改了QEMU的tiny code generator,並且在每一次QEMU執行一個translation block之前,植入了我們部分的VMI的程式。這樣可以確保我們的VMI程式可以於惡意程式在被執行之前,獲得執行的控制權,讓惡意程式無法偵測到我們的執行,然後隱藏他的攻擊足跡。我們在QEMU monitor commands內加入了幾個方便使用者可以輸入的指令,讓使用者可以透過輸入指令的方式來進行程式側錄,並且將結果輸出成log檔案。最後我們針對這個VMI系統進行效能測量,平均的效能影響僅有4%。
Besides the mobile and IoT device market, ARM has gained more market share in the personal desktop and cloud server markets. Accordingly, the number of attacks against ARM devices has increased. Thus, the need for monitoring and analyzing the malware targeting ARM device has emerged. Virtual machine introspection (VMI) is a mature technology used for malware analysis and intrusion detection. Previous research mainly focuses on building VMI on x86, and there is little research on ARM. We chose QEMU as our hypervisor among all approaches because it can emulate a range of ARM processors and allow us to intercept function calls without context switching, which reduces code complexity.
In this paper, we review QEMU`s tiny code generator and translation block and develop a naive approach to intercept function calls by inserting a small piece of code before each translation block is executed. We recognize the process by traversing the process list in the kernel using the QEMU built-in function. We identify the process by comparing the process`s page table pointer and ARM`s translation table pointer. To demonstrate the effectiveness and efficiency of our system, we first implement our VMI system as several QEMU monitor commands. The commands allow researchers to listen to a specific process`s execution and log its execution traces to log files. The benchmark results show an average performance degradation of 3.81 percent on single-threaded tasks and 4.88 percent on multi-threaded tasks.
參考文獻 B. C. Mark Lipacis, “4q21 cpu share: Pc armaggedon; amd server share poised to accelerate,” Feb. 2022

C. Beek, S. Chandana, T. Dunton, S. Grobman, R. Gupta, T. Holden, T. Hux, K. Mc- Grath, D. Mckee, L. Munson, K. Narayan, J. Olowo, C. Pak, C. Palm, T. Polzer, S. R. Ryu, R. Samani, Sekhar, Sarukkai, and C. Schmugar, “Mcafee labs threats report, november 2020,” McAfee, LLC, San Jose, Tech. Rep., Nov. 2020.

T. Garfinkel and M. Rosenblum, “A virtual machine introspection based architecture for intrusion detection,” NDSS, vol. 3, 05 2003

S.-W. Hsiao, Y. S. Sun, and M. C. Chen, “Hardware-assisted mmu redirection for in- guest monitoring and api profiling,” IEEE Transactions on Information Forensics and Security, vol. 15, pp. 2402–2416, 2020.

A. Dinaburg, P. Royal, M. Sharif, and W. Lee, “Ether: Malware analysis via hard- ware virtualization extensions,” in Proceedings of the ACM Conference on Computer and Communications Security, 01 2008, pp. 51–62.

J. Pfoh, C. Schneider, and C. Eckert, “Nitro: Hardware-based system call tracing for virtual machines,” in Advances in Information and Computer Security 6th Inter- national Workshop on Security, IWSEC 2011, Tokyo, Japan, November 8-10, 2011. Proceedings, 11 2011, pp. 96–112.

D. Song, D. Brumley, H. Yin, J. Caballero, I. Jager, M. G. Kang, Z. Liang, J. New- some, P. Poosankam, and P. Saxena, “BitBlaze: A new approach to computer se- curity via binary analysis,” in Proceedings of the 4th International Conference on Information Systems Security. Keynote invited paper., Hyderabad, India, Dec. 2008

Z. Deng, X. Zhang, and D. Xu, “Spider: Stealthy binary program instrumentation and debugging via hardware virtualization,” in Proceedings of the 29th Annual Computer Security Applications Conference, ser. ACSAC ’13. New York, NY, USA: Association for Computing Machinery, 2013, p. 289–298. [Online]. Available: https://doi.org/10.1145/2523649.2523675

T. Lengyel, T. Kittel, and C. Eckert, “Virtual machine introspection with xen on arm,” 09 2015.

S. Proskurin, T. Lengyel, M. Momeu, C. Eckert, and A. Zarras, “Hiding in the shadows: Empowering arm for stealthy virtual machine introspection,” in Proceedings of the 34th Annual Computer Security Applications Conference, ser. ACSAC ’18. New York, NY, USA: Association for Computing Machinery, 2018, p. 407–417. [Online]. Available: https://doi.org/10.1145/3274694.3274698

Learn the architecture: Aarch64 exception model,” https://developer.arm.com/ documentation/102412/0100/Privilege-and-Exception-levels, accessed: 2022-04- 05.

“Virtualization in aarch64,” https://developer.arm.com/documentation/102142/ 0100/Virtualization-in-AArch64, accessed: 2022-03-26.

B. Ngabonziza, D. Martin, A. Bailey, H. Cho, and S. Martin, “Trustzone explained: Architectural features and use cases,” in 2016 IEEE 2nd International Conference on Collaboration and Internet Computing (CIC), 2016, pp. 445–451.

F. Bellard, “Qemu, a fast and portable dynamic translator,” in Proceedings of the Annual Conference on USENIX Annual Technical Conference, ser. ATEC ’05. USA: USENIX Association, 2005, p. 41.

“Translator internals,” https://qemu.readthedocs.io/en/latest/devel/tcg.html, ac- cessed: 2022-03-26.

S.-W. Hsiao and Y.-J. Lee, “Nn-based feature selection for text-based sequential data,” in 24th Pacific Asia Conference on Information Systems, PACIS 2020, Dubai, UAE, June 22-24, 2020, D. Vogel, K. N. Shen, P. S. Ling, C. H. 0001, J. Y. L. Thong, M. de Marco, M. Limayem, and S. X. Xu, Eds., 2020, p. 238. [Online]. Available: https://aisel.aisnet.org/pacis2020/238

S. Forrest, S. Hofmeyr, A. Somayaji, and T. Longstaff, “A sense of self for unix processes,” in Proceedings 1996 IEEE Symposium on Security and Privacy, 1996, pp. 120–128

A. S. Tanenbaum and H. Bos, Modern Operating Systems, 4th ed. Pearson Educa- tion Limited, 2015, ch. 7.

G. Neiger, A. Santoni, F. Leung, D. Rodgers, and R. Uhlig, “Intel virtualization tech- nology: Hardware support for efficient processor virtualization,” Intel Technology Journal, vol. 10, 08 2006.

“tiny code generator,” https://gitlab.com/qemu-project/qemu/-/blob/master/tcg/ README, accessed: 2022-03-26.

X. Jiang, X. Wang, and D. Xu, “Stealthy malware detection through vmm-based ”out-of-the-box” semantic view reconstruction,” in Proceedings of the 14th ACM Conference on Computer and Communications Security, ser. CCS ’07. New York NY, USA: Association for Computing Machinery, 2007, p. 128–138. [Online]. Available: https://doi.org/10.1145/1315245.1315262

Y. Fu and Z. Lin, “Bridging the semantic gap in virtual machine introspection via online kernel data redirection,” ACM Trans. Inf. Syst. Secur., vol. 16, no. 2, sep 2013. [Online]. Available: https://doi.org/10.1145/2505124

J. Xiao, L. Lu, H. Wang, and X. Zhu, “Hyperlink: Virtual machine intro- spection and memory forensic analysis without kernel source code,” in 2016 IEEE International Conference on Autonomic Computing (ICAC), 2016, pp. 127–136.

A. Henderson, L. K. Yan, X. Hu, A. Prakash, H. Yin, and S. McCamant, “Decaf: A platform-neutral whole-system dynamic binary analysis plat- form,” IEEE Transactions on Software Engineering, vol. 43, no. 2, pp. 164–184, 2017.

H.-L. Wei, C.-T. King, B. Das, M.-C. Peng, C.-C. Wang, H.-L. Huang, and J.-M. Lu, “Application specific component-service-aware trace gen- eration on android-qemu,” in 2017 30th IEEE International System-on- Chip Conference (SOCC), 2017, pp. 316–321.

“Qemu support arm cpu list,” https://elixir.bootlin.com/qemu/v5.2.0/ source/target/arm/cpu tcg.c#L635, accessed: 2022-04-05.

P. Varanasi and G. Heiser, “Hardware-supported virtualization on arm,” in Proceedings of the Second Asia-Pacific Workshop on Systems, ser. APSys ’11. New York, NY, USA: Association for Computing Machinery, 2011. [Online]. Available: https://doi.org/10.1145/2103799. 2103813

“Learn the architecture: Aarch64 virtualization - stage 2 translation,” https://developer.arm.com/documentation/102142/0100/ Stage-2-translation, accessed: 2022-03-26.

“Learn the architecture: Trustzone for aarch64,” https://developer.arm. com/documentation/102418/0101/TrustZone-in-the-processor, accessed: 2022-03-26.

L. Jia, M. Zhu, and B. Tu, “T-vmi: Trusted virtual machine introspection in cloud environments,” in 2017 17th IEEE/ACM International Sym- posium on Cluster, Cloud and Grid Computing (CCGRID), 2017, pp. 478–487

M. Guerra, B. Taubmann, H. P. Reiser, S. Yalew, and M. Correia, “Introspection for arm trustzone with the itz library,” in 2018 IEEE International Conference on Software Quality, Reliability and Security (QRS), 2018, pp. 123–134.

S. Wan, J. Sun, K. Sun, N. Zhang, and Q. Li, “Satin: A secure and trustworthy asynchronous introspection on multi-core arm processors,” in 2019 49th Annual IEEE/IFIP International Conference on Depend- able Systems and Networks (DSN), June 2019, pp. 289–301.

S. Chylek, “Collecting program execution statistics with qemu processor emulator,” in 2009 International Multiconference on Computer Science and Information Technology, 2009, pp. 555–558.

P. Dovgalyuk, N. Fursova, I. Vasiliev, and V. Makarov, “Qemu-based framework for non-intrusive virtual machine instrumentation and introspection,” in Proceedings of the 2017 11th Joint Meeting on Foundations of Software Engineering, ser. ESEC/FSE 2017. New York, NY, USA: Association for Computing Machinery, 2017, p. 944–948. [Online]. Available: https://doi.org/10.1145/3106237.3122817

“sched.h,” https://elixir.bootlin.com/linux/v5.4.74/source/include/linux/ sched.h#L624, accessed: 2022-04-05.

“Arm armv8-a architecture registers,” https://developer. arm.com/documentation/ddi0595/2021-12/AArch32-Registers/ TTBR0--Translation-Table-Base-Register-0?lang=en, accessed: 2022- 04-05.

Procedure Call Standard for the Arm Architecture, Arm Limited, 4 2022.

“mmtypes.h,” https://elixir.bootlin.com/linux/v5.4.74/source/include/ linux/mm types.h#L370, accessed: 2022-04-05.

“kernel.h,” https://elixir.bootlin.com/linux/v5.4.74/source/tools/include/ linux/kernel.h#L22, accessed: 2022-04-05.

“byte-unixbench,” https://github.com/kdlucas/byte-unixbench, accessed: 2022-03-26.

“Curl: command line tool and library for transferring data with urls,” https://curl.se/, accessed: 2022-04-05.

T. Van Dung, I. Taniguchi, T. Hieda, and H. Tomiyama, “Function profiling for embedded software by utilizing qemu and analyzer tool,” in 2013 IEEE 56th International Midwest Symposium on Circuits and Systems (MWSCAS), 2013, pp. 1251–1254.
描述 碩士
國立政治大學
資訊管理學系
109356017
資料來源 http://thesis.lib.nccu.edu.tw/record/#G0109356017
資料類型 thesis
dc.contributor.advisor 蕭舜文zh_TW
dc.contributor.advisor Hsiao, Shun-Wenen_US
dc.contributor.author (作者) 林履誠zh_TW
dc.contributor.author (作者) Lin, Lu-Chengen_US
dc.creator (作者) 林履誠zh_TW
dc.creator (作者) Lin, Lu-Chengen_US
dc.date (日期) 2022en_US
dc.date.accessioned 1-八月-2022 17:21:58 (UTC+8)-
dc.date.available 1-八月-2022 17:21:58 (UTC+8)-
dc.date.issued (上傳時間) 1-八月-2022 17:21:58 (UTC+8)-
dc.identifier (其他 識別碼) G0109356017en_US
dc.identifier.uri (URI) http://nccur.lib.nccu.edu.tw/handle/140.119/141034-
dc.description (描述) 碩士zh_TW
dc.description (描述) 國立政治大學zh_TW
dc.description (描述) 資訊管理學系zh_TW
dc.description (描述) 109356017zh_TW
dc.description.abstract (摘要) ARM硬體架構於行動裝置、個人電腦和雲端伺服器上面的市場份額占比越來越高,進而使針對ARM裝置的網路攻擊也隨之增加。因此,協助分析ARM裝置上的惡意攻擊行為的工具的需求也日益浮現。virtual machine introspection (VMI) 是一個利用virtual machine (VM) 來進行惡意軟體側錄跟惡意行為分析的技術,其先前在x86硬體架構上面已經有廣泛並且成熟的應用,然而此類工具在ARM裝置的支援仍然處遇前期的階段。本研究試圖利用QEMU,開發出一個能夠應用於ARM裝置上面的VMI系統。這個系統會專注於攔截並且側錄虛擬機器上面特定行程的函式呼叫。為了能夠開發出這樣的系統,我們在過程中面臨了兩個主要的問題:判斷需要監控的行程是否正在執行和如何在執行過程中攔截行程特定的函式呼叫。第一個問題我們主要利用行程的page table address跟ARM CPU上面的translation table base pointer比對,來解決判斷行程的問題。第二個問題我們利用了QEMU內部translation block的機制,進而找到適合的攔截函式呼叫的時機。
在實作這個VMI系統時,我們修改了QEMU的tiny code generator,並且在每一次QEMU執行一個translation block之前,植入了我們部分的VMI的程式。這樣可以確保我們的VMI程式可以於惡意程式在被執行之前,獲得執行的控制權,讓惡意程式無法偵測到我們的執行,然後隱藏他的攻擊足跡。我們在QEMU monitor commands內加入了幾個方便使用者可以輸入的指令,讓使用者可以透過輸入指令的方式來進行程式側錄,並且將結果輸出成log檔案。最後我們針對這個VMI系統進行效能測量,平均的效能影響僅有4%。
zh_TW
dc.description.abstract (摘要) Besides the mobile and IoT device market, ARM has gained more market share in the personal desktop and cloud server markets. Accordingly, the number of attacks against ARM devices has increased. Thus, the need for monitoring and analyzing the malware targeting ARM device has emerged. Virtual machine introspection (VMI) is a mature technology used for malware analysis and intrusion detection. Previous research mainly focuses on building VMI on x86, and there is little research on ARM. We chose QEMU as our hypervisor among all approaches because it can emulate a range of ARM processors and allow us to intercept function calls without context switching, which reduces code complexity.
In this paper, we review QEMU`s tiny code generator and translation block and develop a naive approach to intercept function calls by inserting a small piece of code before each translation block is executed. We recognize the process by traversing the process list in the kernel using the QEMU built-in function. We identify the process by comparing the process`s page table pointer and ARM`s translation table pointer. To demonstrate the effectiveness and efficiency of our system, we first implement our VMI system as several QEMU monitor commands. The commands allow researchers to listen to a specific process`s execution and log its execution traces to log files. The benchmark results show an average performance degradation of 3.81 percent on single-threaded tasks and 4.88 percent on multi-threaded tasks.
en_US
dc.description.tableofcontents Abstract i
摘要 iii
Contents v
List of Figures vii
List of Tables viii
1 Introduction 1
2 Background 6
2.1 Virtualization 6
2.2 Virtual Machine Introspection 7
2.3 QEMU and TCG 8
2.4 Related Works 10
2.4.1 ARM Virtualization Extension Approach 10
2.4.2 ARM Trustzone Approach 11
2.4.3 Emulator Approach 11
3 Design 13
3.1 Architecture 13
3.2 Tracing Executing Process 15
3.3 Instrumenting Function Call 16
4 Implementation 18
4.1 QEMU 18
4.2 Tracing Executing Process 20
4.3 Instrumenting Function Call 22
5 Evaluation 24
5.1 Efficiency 24
5.1.1 Benchmark 24
5.2 Effectiveness 26
5.2.1 Tracing Function Call 26
5.2.2 Replacing Function Return Value 27
6 Discussion 30
6.1 Locating Address of Userspace and Kernel Function Call 30
6.1.1 Multi-Threaded Process Tracing 31
6.2 Findings 31
6.3 Conclusion 32
Reference 33
zh_TW
dc.format.extent 644601 bytes-
dc.format.mimetype application/pdf-
dc.source.uri (資料來源) http://thesis.lib.nccu.edu.tw/record/#G0109356017en_US
dc.subject (關鍵詞) 動態追蹤zh_TW
dc.subject (關鍵詞) 虛擬化zh_TW
dc.subject (關鍵詞) 虛擬機器內省zh_TW
dc.subject (關鍵詞) ARMen_US
dc.subject (關鍵詞) Dynamic tracingen_US
dc.subject (關鍵詞) Virtualizationen_US
dc.subject (關鍵詞) Virtual machine introspectionen_US
dc.title (題名) 利用QEMU針對ARM虛擬機器上之行程進行動態函式追蹤zh_TW
dc.title (題名) Real-time Application-aware Function Call Tracing for ARM Virtual Machine using QEMUen_US
dc.type (資料類型) thesisen_US
dc.relation.reference (參考文獻) B. C. Mark Lipacis, “4q21 cpu share: Pc armaggedon; amd server share poised to accelerate,” Feb. 2022

C. Beek, S. Chandana, T. Dunton, S. Grobman, R. Gupta, T. Holden, T. Hux, K. Mc- Grath, D. Mckee, L. Munson, K. Narayan, J. Olowo, C. Pak, C. Palm, T. Polzer, S. R. Ryu, R. Samani, Sekhar, Sarukkai, and C. Schmugar, “Mcafee labs threats report, november 2020,” McAfee, LLC, San Jose, Tech. Rep., Nov. 2020.

T. Garfinkel and M. Rosenblum, “A virtual machine introspection based architecture for intrusion detection,” NDSS, vol. 3, 05 2003

S.-W. Hsiao, Y. S. Sun, and M. C. Chen, “Hardware-assisted mmu redirection for in- guest monitoring and api profiling,” IEEE Transactions on Information Forensics and Security, vol. 15, pp. 2402–2416, 2020.

A. Dinaburg, P. Royal, M. Sharif, and W. Lee, “Ether: Malware analysis via hard- ware virtualization extensions,” in Proceedings of the ACM Conference on Computer and Communications Security, 01 2008, pp. 51–62.

J. Pfoh, C. Schneider, and C. Eckert, “Nitro: Hardware-based system call tracing for virtual machines,” in Advances in Information and Computer Security 6th Inter- national Workshop on Security, IWSEC 2011, Tokyo, Japan, November 8-10, 2011. Proceedings, 11 2011, pp. 96–112.

D. Song, D. Brumley, H. Yin, J. Caballero, I. Jager, M. G. Kang, Z. Liang, J. New- some, P. Poosankam, and P. Saxena, “BitBlaze: A new approach to computer se- curity via binary analysis,” in Proceedings of the 4th International Conference on Information Systems Security. Keynote invited paper., Hyderabad, India, Dec. 2008

Z. Deng, X. Zhang, and D. Xu, “Spider: Stealthy binary program instrumentation and debugging via hardware virtualization,” in Proceedings of the 29th Annual Computer Security Applications Conference, ser. ACSAC ’13. New York, NY, USA: Association for Computing Machinery, 2013, p. 289–298. [Online]. Available: https://doi.org/10.1145/2523649.2523675

T. Lengyel, T. Kittel, and C. Eckert, “Virtual machine introspection with xen on arm,” 09 2015.

S. Proskurin, T. Lengyel, M. Momeu, C. Eckert, and A. Zarras, “Hiding in the shadows: Empowering arm for stealthy virtual machine introspection,” in Proceedings of the 34th Annual Computer Security Applications Conference, ser. ACSAC ’18. New York, NY, USA: Association for Computing Machinery, 2018, p. 407–417. [Online]. Available: https://doi.org/10.1145/3274694.3274698

Learn the architecture: Aarch64 exception model,” https://developer.arm.com/ documentation/102412/0100/Privilege-and-Exception-levels, accessed: 2022-04- 05.

“Virtualization in aarch64,” https://developer.arm.com/documentation/102142/ 0100/Virtualization-in-AArch64, accessed: 2022-03-26.

B. Ngabonziza, D. Martin, A. Bailey, H. Cho, and S. Martin, “Trustzone explained: Architectural features and use cases,” in 2016 IEEE 2nd International Conference on Collaboration and Internet Computing (CIC), 2016, pp. 445–451.

F. Bellard, “Qemu, a fast and portable dynamic translator,” in Proceedings of the Annual Conference on USENIX Annual Technical Conference, ser. ATEC ’05. USA: USENIX Association, 2005, p. 41.

“Translator internals,” https://qemu.readthedocs.io/en/latest/devel/tcg.html, ac- cessed: 2022-03-26.

S.-W. Hsiao and Y.-J. Lee, “Nn-based feature selection for text-based sequential data,” in 24th Pacific Asia Conference on Information Systems, PACIS 2020, Dubai, UAE, June 22-24, 2020, D. Vogel, K. N. Shen, P. S. Ling, C. H. 0001, J. Y. L. Thong, M. de Marco, M. Limayem, and S. X. Xu, Eds., 2020, p. 238. [Online]. Available: https://aisel.aisnet.org/pacis2020/238

S. Forrest, S. Hofmeyr, A. Somayaji, and T. Longstaff, “A sense of self for unix processes,” in Proceedings 1996 IEEE Symposium on Security and Privacy, 1996, pp. 120–128

A. S. Tanenbaum and H. Bos, Modern Operating Systems, 4th ed. Pearson Educa- tion Limited, 2015, ch. 7.

G. Neiger, A. Santoni, F. Leung, D. Rodgers, and R. Uhlig, “Intel virtualization tech- nology: Hardware support for efficient processor virtualization,” Intel Technology Journal, vol. 10, 08 2006.

“tiny code generator,” https://gitlab.com/qemu-project/qemu/-/blob/master/tcg/ README, accessed: 2022-03-26.

X. Jiang, X. Wang, and D. Xu, “Stealthy malware detection through vmm-based ”out-of-the-box” semantic view reconstruction,” in Proceedings of the 14th ACM Conference on Computer and Communications Security, ser. CCS ’07. New York NY, USA: Association for Computing Machinery, 2007, p. 128–138. [Online]. Available: https://doi.org/10.1145/1315245.1315262

Y. Fu and Z. Lin, “Bridging the semantic gap in virtual machine introspection via online kernel data redirection,” ACM Trans. Inf. Syst. Secur., vol. 16, no. 2, sep 2013. [Online]. Available: https://doi.org/10.1145/2505124

J. Xiao, L. Lu, H. Wang, and X. Zhu, “Hyperlink: Virtual machine intro- spection and memory forensic analysis without kernel source code,” in 2016 IEEE International Conference on Autonomic Computing (ICAC), 2016, pp. 127–136.

A. Henderson, L. K. Yan, X. Hu, A. Prakash, H. Yin, and S. McCamant, “Decaf: A platform-neutral whole-system dynamic binary analysis plat- form,” IEEE Transactions on Software Engineering, vol. 43, no. 2, pp. 164–184, 2017.

H.-L. Wei, C.-T. King, B. Das, M.-C. Peng, C.-C. Wang, H.-L. Huang, and J.-M. Lu, “Application specific component-service-aware trace gen- eration on android-qemu,” in 2017 30th IEEE International System-on- Chip Conference (SOCC), 2017, pp. 316–321.

“Qemu support arm cpu list,” https://elixir.bootlin.com/qemu/v5.2.0/ source/target/arm/cpu tcg.c#L635, accessed: 2022-04-05.

P. Varanasi and G. Heiser, “Hardware-supported virtualization on arm,” in Proceedings of the Second Asia-Pacific Workshop on Systems, ser. APSys ’11. New York, NY, USA: Association for Computing Machinery, 2011. [Online]. Available: https://doi.org/10.1145/2103799. 2103813

“Learn the architecture: Aarch64 virtualization - stage 2 translation,” https://developer.arm.com/documentation/102142/0100/ Stage-2-translation, accessed: 2022-03-26.

“Learn the architecture: Trustzone for aarch64,” https://developer.arm. com/documentation/102418/0101/TrustZone-in-the-processor, accessed: 2022-03-26.

L. Jia, M. Zhu, and B. Tu, “T-vmi: Trusted virtual machine introspection in cloud environments,” in 2017 17th IEEE/ACM International Sym- posium on Cluster, Cloud and Grid Computing (CCGRID), 2017, pp. 478–487

M. Guerra, B. Taubmann, H. P. Reiser, S. Yalew, and M. Correia, “Introspection for arm trustzone with the itz library,” in 2018 IEEE International Conference on Software Quality, Reliability and Security (QRS), 2018, pp. 123–134.

S. Wan, J. Sun, K. Sun, N. Zhang, and Q. Li, “Satin: A secure and trustworthy asynchronous introspection on multi-core arm processors,” in 2019 49th Annual IEEE/IFIP International Conference on Depend- able Systems and Networks (DSN), June 2019, pp. 289–301.

S. Chylek, “Collecting program execution statistics with qemu processor emulator,” in 2009 International Multiconference on Computer Science and Information Technology, 2009, pp. 555–558.

P. Dovgalyuk, N. Fursova, I. Vasiliev, and V. Makarov, “Qemu-based framework for non-intrusive virtual machine instrumentation and introspection,” in Proceedings of the 2017 11th Joint Meeting on Foundations of Software Engineering, ser. ESEC/FSE 2017. New York, NY, USA: Association for Computing Machinery, 2017, p. 944–948. [Online]. Available: https://doi.org/10.1145/3106237.3122817

“sched.h,” https://elixir.bootlin.com/linux/v5.4.74/source/include/linux/ sched.h#L624, accessed: 2022-04-05.

“Arm armv8-a architecture registers,” https://developer. arm.com/documentation/ddi0595/2021-12/AArch32-Registers/ TTBR0--Translation-Table-Base-Register-0?lang=en, accessed: 2022- 04-05.

Procedure Call Standard for the Arm Architecture, Arm Limited, 4 2022.

“mmtypes.h,” https://elixir.bootlin.com/linux/v5.4.74/source/include/ linux/mm types.h#L370, accessed: 2022-04-05.

“kernel.h,” https://elixir.bootlin.com/linux/v5.4.74/source/tools/include/ linux/kernel.h#L22, accessed: 2022-04-05.

“byte-unixbench,” https://github.com/kdlucas/byte-unixbench, accessed: 2022-03-26.

“Curl: command line tool and library for transferring data with urls,” https://curl.se/, accessed: 2022-04-05.

T. Van Dung, I. Taniguchi, T. Hieda, and H. Tomiyama, “Function profiling for embedded software by utilizing qemu and analyzer tool,” in 2013 IEEE 56th International Midwest Symposium on Circuits and Systems (MWSCAS), 2013, pp. 1251–1254.
zh_TW
dc.identifier.doi (DOI) 10.6814/NCCU202200712en_US