
Research On High-performance Instruction Flow Tracing Based On Dual View

Posted on: 2020-08-04 | Degree: Master | Type: Thesis
Country: China | Candidate: L Wan
GTID: 2428330599458564 | Subject: Computer technology
Abstract/Summary:
Analyzing abnormal program behavior is one of the effective measures for protecting the security of the operating system. The instruction flow reflects both the execution path of a program and its various behaviors at runtime, so analyzing program behavior from the dynamic instruction flow is a common method of program analysis. However, acquiring the instructions for instruction flow analysis is difficult. On the one hand, the instruction flow information generated while the program runs must be obtained efficiently; on the other hand, useless instruction flow information must be filtered out. An efficient instruction flow tracing scheme is therefore urgently needed. Based on dual view technology, the Intel Processor Trace (IPT) hardware components can be used to obtain the instruction flow of a program at runtime accurately and efficiently. Each guest is given two sets of views, and the target program component or target memory area is placed in the monitored view. On an attempt to access the target area, the monitored view is activated to continue execution and IPT is enabled at the same time. On an attempt to access a non-target area, the non-monitored view is activated and IPT is disabled. To reduce the extra time overhead on the system, VMFUNC is introduced for efficient view switching, and Virtualization Exception (VE) is introduced to reduce the VM-exits caused by specific EPT violations. With dual view technology and the IPT hardware components, multiple target programs in a virtualized environment are recorded accurately, which avoids generating a large amount of useless data and improves the performance of IPT. The system was tested in a scenario that uses IPT to record the instruction flow of multiple running programs simultaneously, and compared with the existing system-wide IPT recording mode that would otherwise have to be adopted. Experiments show that the instruction flow tracing scheme based on dual view technology can effectively reduce the generation of useless compressed packets.
Keywords/Search Tags: Dynamic instruction flow, Dual view, IPT, Virtualization exception
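
The view-switching rule described in the abstract, as an added toy model in C that is not code from the thesis: it assumes a single target region, models only instruction fetches, and collapses the EPT violation, VE delivery and VMFUNC switch into one step. All names and the sample addresses are constructed for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Toy model, not the thesis implementation. Assumptions: one target region,
 * only instruction fetches are modelled, and each view maps just its own
 * side as executable, so crossing the boundary faults. */
enum view { VIEW_UNMONITORED, VIEW_MONITORED };
struct tracer {
    uint64_t target_start, target_end; /* monitored region [start, end) */
    enum view current;                 /* active view */
    bool ipt_enabled;                  /* IPT is on only in the monitored view */
    unsigned switches;                 /* view switches taken */
    unsigned traced;                   /* fetches recorded while IPT is on */
};

static bool in_target(const struct tracer *t, uint64_t addr) {
    return addr >= t->target_start && addr < t->target_end;
}

/* One instruction fetch. A fetch the active view does not permit stands for
 * the EPT violation; the model then switches view and sets IPT to match. */
static void fetch(struct tracer *t, uint64_t addr) {
    bool allowed = in_target(t, addr) == (t->current == VIEW_MONITORED);
    if (!allowed) {
        t->current = in_target(t, addr) ? VIEW_MONITORED : VIEW_UNMONITORED;
        t->ipt_enabled = (t->current == VIEW_MONITORED);
        t->switches++;
    }
    if (t->ipt_enabled) t->traced++;
}

/* Constructed fetch sequence: target code lives at 0x400000-0x400fff. */
static const uint64_t SAMPLE[] = { 0x1000, 0x1004, 0x400000, 0x400004,
                                   0x400008, 0x2000, 0x400010, 0x3000 };

struct tracer run_sample(void) {
    struct tracer t = { 0x400000, 0x401000, VIEW_UNMONITORED, false, 0, 0 };
    for (size_t i = 0; i < sizeof SAMPLE / sizeof SAMPLE[0]; i++)
        fetch(&t, SAMPLE[i]);
    return t;
}

int main(void) {
    struct tracer t = run_sample();
    printf("traced %u fetches, %u view switches\n", t.traced, t.switches);
    return 0;
}
```

In this model a system-wide recording would capture all eight fetches of the sample, while the dual-view rule records only those inside the target region, at the cost of one view switch per boundary crossing.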