News
VMware Pioneers Decouple Dynamic Analysis
- By Joab Jackson
- 06/26/2008
Researchers at VMware have pioneered a novel technique in dynamic analysis,
one that separates the running program from the analysis tool, by use of virtual
containers.
Such an approach can vastly speed the dynamic analysis of programs, noted Jim
Chow, a VMware engineer who was a member of the research team.
"Separating analysis from execution is great because we can parallelize"
the operations of each program, Chow said.
Chow presented the work at the USENIX
2008 conference being held this week in Boston. USENIX designated the paper
describing the work, "Decoupling Dynamic Program Analysis From Execution
in Virtual Environments," as the best paper submitted for this year's conference.
Chow, Tal Garfinkel and Peter Chen conducted the research.
Dynamic analysis is a technique of studying a software program to find bugs
and security bugs. The process usually involves either instrumenting the program
-- that is, adding hooks that can measure certain conditions as the program
runs -- or periodically stopping the program and examining its state.
Dynamic analysis can be good for finding such hard-to-trace problems as race
conditions, or those circumstances in which a program locks up due to two
processes vying for the same resource.
The problem with most commercial and open source dynamic analysis tools is
that they slow the performance of the application being studied, sometimes by
a factor of 100 or more, according to Chow. Factors such as context switching
between the program and the analysis tool also contribute to this slowness.
The team's approach is to use the VMware virtual environments. The program
under study runs in one virtual environment, while the analysis tools run in
a second virtual environment on the same machine. Running the two programs in
parallel, each with its own thread, means performance can be improved.
"Decoupled analysis moves analysis off the computer that is executing
the main workload by separating execution and analysis into two tasks: recording,
where system execution is recorded in full with minimal interference, and analysis,
where the log of the execution is replayed and analyzed," the paper states.
The research team created a program called Aftersight to analyze software;
however, further work is needed to bring Aftersight up to speed with the execution
of the program itself, Chow said.
The research team tried the software on VMware's own ESX Server, the Linux
kernel and the Putty secure shell client. Bugs were found in all. "We replay
all the inputs that the machine saw, then that replayed execution will go through
all the same instructions," Chow said.
USENIX, which stands for the Advanced Computing Systems Association, is an
association for sharing information among technicians, scientists, system administrators
and engineers on developments in the field of computer scientists.
About the Author
Joab Jackson is the chief technology editor of Government Computing News (GCN.com).