Convergence Security Journal (융합보안논문지)

Korea convergence Security Association (한국융합보안학회)
권호 표지

A Study on Dynamic Code Analysis Method using 2nd Generation PT(Processor Trace)

2세대 PT(Processor Trace)를 이용한 동적 코드분석 방법 연구

  • 김현철 (남서울대학교 컴퓨터소프트웨어학과)
  • Received : 2019.03.03
  • Accepted : 2019.03.29
  • Published : 2019.03.31
Download PDF
⟨ Previous Next ⟩

Abstract

If the operating system's core file contains an Intel PT, the debugger can not only check the program state at the time of the crash, but can also reconfigure the control flow that caused the crash. We can also extend the execution trace scope to the entire system to debug kernel panics and other system hangs. The second-generation PT, the WinIPT library, includes an Intel PT driver with additional code to run process and core-specific traces through the IOCTL and registry mechanisms provided by Windows 10 (RS5). In other words, the PT trace information, which was limited access only by the first generation PT, can be executed by process and core by the IOCTL and registry mechanism provided by the operating system in the second generation PT. In this paper, we compare and describe methods for collecting, storing, decoding and detecting malicious codes of data packets in a window environment using 1/2 generation PT.

운영 체제의 코어에 Intel PT가 포함된 경우, 크래시 발생 시 디버거는 프로그램 상태를 검사할 수 있을 뿐만 아니라 크래시를 발생시킨 제어 플로우를 재구성할 수 있다. 또한, 커널 패닉 및 기타 시스템 정지와 같은 상황을 디버그하기 위해 실행 트레이스 범위를 전체 시스템으로 확장할 수도 있다. 2세대 PT인 WinIPT 라이브러리는 Windows 10 (버전 1809/Redstone 5)에서 제공하는 IOCTL 및 레지스트리 메커니즘을 통해 프로세스 별 및 코어 별 트레이스를 실행할 수 있는 추가 코드가 포함된 Intel PT 드라이버를 포함하고 있다. 즉 기존 1세대 PT에서 비정규화된 방식으로만 제한적인 접근이 가능했던 PT 트레이스 정보를 2세대 PT에서는 운영 체제에서 제공하는 IOCTL 및 레지스트리 메커니즘을 통해 프로세스 별 및 코어 별 트레이스를 실행할 수 있게 되었다. 본 논문에서는 1/2세대 PT를 이용하여 윈도우 환경에서 PT 데이터 패킷의 수집 저장 디코딩 및 악성코드 검출을 위한 방법을 비교 설명하였다.

Keywords

References

  1. Napoleon C. Paxton, "Cloud Security: A Review of Current Issues and Proposed Solutions," International Conference on Collaboration and Internet Computing (CIC), pp. 452-455, 2016
  2. Tahira Mahboob; Maryam Zahid; Gulnoor Ahmad, "Adopting information security techniques for cloud computing-A survey," International Conference on Information Technology, Information Systems and Electrical Engineering (ICITISEE), pp. 7-11, 2016
  3. Jorg Thalheim; Pramod Bhatotia; Christof Fetzer, "INSPECTOR: Data Provenance Using Intel Processor Trace (PT)," International Conference on Distributed Computing Systems (ICDCS), pp. 25-34, 2016
  4. Khalid El Makkaoui; Abdellah Ezzati; Abderrahim Beni-Hssane; Cina Motamed, "Cloud security and privacy model for providing secure cloud services," 2016 2nd International Conference on Cloud Computing Technologies and Applications (CloudTech), pp. 81-86, 2016
  5. Bob Duncan; Alfred Bratterud; Andreas Happe, "Enhancing cloud security and privacy: Time for a new approach?," International Conference on Innovative Computing Technology (INTECH), pp. 110-115, 2016
  6. Sin-Fu Lai; Hui-Kai Su; Wen-Hsu Hsiao; Kim-Joan Chen, "Design and implementation of cloud security defense system with software defined networking technologies," International Conference on Information and Communication Technology Convergence (ICTC), pp. 292-207, 2016
  7. Andi Kleen, "Simple Intel CPU processor tracing on Linux," https://github.com/andikleen/simple-pt
  8. Alex Ionescu, "The Windows Library for Intel Process Trace (WinIPT)", https://github.com/ionescu007/winipt