News

VMware Pioneers Decouple Dynamic Analysis

Researchers at VMware have pioneered a novel technique in dynamic analysis, one that separates the running program from the analysis tool, by use of virtual containers.

Such an approach can vastly speed the dynamic analysis of programs, noted Jim Chow, a VMware engineer who was a member of the research team.

"Separating analysis from execution is great because we can parallelize" the operations of each program, Chow said.

Chow presented the work at the USENIX 2008 conference being held this week in Boston. USENIX designated the paper describing the work, "Decoupling Dynamic Program Analysis From Execution in Virtual Environments," as the best paper submitted for this year's conference. Chow, Tal Garfinkel and Peter Chen conducted the research.

Dynamic analysis is a technique of studying a software program to find bugs and security bugs. The process usually involves either instrumenting the program -- that is, adding hooks that can measure certain conditions as the program runs -- or periodically stopping the program and examining its state.

Dynamic analysis can be good for finding such hard-to-trace problems as race conditions, or those circumstances in which a program locks up due to two processes vying for the same resource.

The problem with most commercial and open source dynamic analysis tools is that they slow the performance of the application being studied, sometimes by a factor of 100 or more, according to Chow. Factors such as context switching between the program and the analysis tool also contribute to this slowness.

The team's approach is to use the VMware virtual environments. The program under study runs in one virtual environment, while the analysis tools run in a second virtual environment on the same machine. Running the two programs in parallel, each with its own thread, means performance can be improved.

"Decoupled analysis moves analysis off the computer that is executing the main workload by separating execution and analysis into two tasks: recording, where system execution is recorded in full with minimal interference, and analysis, where the log of the execution is replayed and analyzed," the paper states.

The research team created a program called Aftersight to analyze software; however, further work is needed to bring Aftersight up to speed with the execution of the program itself, Chow said.

The research team tried the software on VMware's own ESX Server, the Linux kernel and the Putty secure shell client. Bugs were found in all. "We replay all the inputs that the machine saw, then that replayed execution will go through all the same instructions," Chow said.

USENIX, which stands for the Advanced Computing Systems Association, is an association for sharing information among technicians, scientists, system administrators and engineers on developments in the field of computer scientists.

About the Author

Joab Jackson is the chief technology editor of Government Computing News (GCN.com).

comments powered by Disqus

Featured

Subscribe on YouTube