Virtual Breakpoints for x86_64

Presented at BSidesLV 2019, Aug. 7, 2019, 2 p.m. (55 minutes)

Efficient, reliable trapping of execution in a program at the desired location is a linchpin technique for dynamic malware analysis. The progression of debuggers and malware is akin to a game of cat and mouse - each is constantly trying to thwart the other. At the core of most efficient debuggers today is a combination of virtual machines and traditional binary modification breakpoints (int3). In this paper, we present a design for Virtual Breakpoints - a modification to the x86 MMU which brings breakpoint management into hardware alongside page tables. We demonstrate the fundamental abstraction failures of current trapping methods, and rebuild the mechanism from the ground up. Our design incorporates the lessons learned from 40 years of virtualization and debugger design to deliver fast, reliable trapping without the pitfalls of traditional binary modification.


Presenters:

  • Gregory Price
    Gregory Price is a Principal Cyber Security Researcher at Raytheon Cyber Security Innovations. He has his Bachelor's and Master's degrees in Computer Science from Northeastern University, with a specialization in virtualization technologies. He served in the U.S. Navy as a Cryptologic Technician - Networks from 2007 through 2013. Overall he has 12 years of experience in the cyber security field, having served in both defensive and offensive capacities. Today he works as the Lead of Research and Development for Virtualization and Dynamic Analysis at Raytheon Cyber Security Innovations. He is more generally a goober and should be regarded as such.