Title: Whole-System State Replay Based on Virtual Machines
VM-based Instruction Level Whole-system Replaying
Author: 許家維
Hsu, Chia-Wei
謝續平
Shieh, Shiuh-Pyng
Institute of Network Engineering
Keywords: virtual machine; system recovery; system replay; VM; Execution Replaying
Publication date: 2009
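Abstract: In system debugging and malware analysis, replaying the execution state of a system is an important topic. System replay not only lets users see clearly what went wrong at the time of a failure, it can also be used for recovery afterwards. However, current system logging and replay techniques cannot be widely applied, because replay is hard to achieve and does not give users a complete, clear and detailed view of the system's state. The difficulties in implementing system replay are: 1) Most state replay works only for a single process. 2) Obtaining the information needed for replay may require modifying the existing operating system or software. 3) Information about hardware interrupts and process scheduling is hard to obtain from the software layer. 4) Replay must be performed without affecting the result of execution. For these four reasons, we use a virtual machine to implement a replay system that is both replayable and accurate. The system contributes substantially to software debugging, malware analysis and system recovery. Because it records only non-deterministic factors, it effectively reduces both the computation required for replay and the storage required for the log. From this recorded information we can replay the system's execution state precisely, and even guarantee that the order of instruction execution is unchanged, which yields more accurate analysis results.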
Replaying the execution sequence and state transitions of a system is very useful for software testing, malware analysis and post-attack recovery. However, existing system logging and replaying techniques have restricted abilities and hence cannot be applied widely. Most of them are unable to perform a general whole-system analysis for the following reasons: 1) They can only replay the execution of a single process. 2) Modifications to the OS kernel are required. 3) Non-deterministic events such as interrupts and context switches cannot be replayed. 4) An intrusive analysis might influence the replaying result. This paper proposes a general whole-system VM-based logging and replaying mechanism. To record efficiently, our scheme takes only non-deterministic information into account, such as most hardware interrupts and non-deterministic data from external I/O devices. Based on the recorded data, the accuracy of the replaying is assured. The state transitions of the whole system can be perfectly replayed; even the execution sequence of all instructions is preserved.
URI: http://140.113.39.130/cdrfb3/record/nctu/#GT079656518
http://hdl.handle.net/11536/43476
Appears in collection: Theses


Files in this item:

  1. 651802.pdf

If the file is a zip archive, download and extract it, then open index.html in the extracted folder with a browser to view the full text.