Monday, September 30, 2013

Announcing PANDA: A Platform for Architecture-Neutral Dynamic Analysis

I'm pleased to announce the initial release of a new open source dynamic analysis platform built on QEMU, named PANDA (Platform for Architecture-Neutral Dynamic Analysis). It has a number of features that combine to make it a uniquely powerful platform for analyzing software as it executes:

  • Record and Replay: PANDA is capable of recording the non-deterministic inputs during a whole-system execution and later deterministically replaying them. This means that heavyweight analyses that would be too slow to run on a live execution can be decoupled to run on the replayed execution instead. We recently used this in our 2013 ACM CCS paper to monitor every memory access made by an OS and applications, which would not have been feasible without record and replay. Record and replay is currently supported for i386, x86_64, and ARM, with more architectures planned. For more details see the record and replay documentation.
  • Android Support: Thanks to excellent work by Josh Hodosh, PANDA can act as an Android emulator, running modern versions of Android. See the Android documentation for more details.
  • Plugin Architecture: Plugins can be written in C and C++. PANDA supports callbacks for many types of event within QEMU, making it easy to write an analysis plugin; for example, a simple system call tracer is ~60 lines of code. Check out the plugin documentation for more information.
  • LLVM Execution: Borrowed from S2E, this execution mode translates guest code to LLVM and then JIT compiles it to native code; this means that plugins can analyze and transform the LLVM IR rather than working directly on native code. Unique to PANDA is the ability to also translate QEMU's helper functions (which are implemented in C and cover operations too complex to be handled in QEMU's native IR) to LLVM, meaning analyses in PANDA can be complete. This was recently used to implement architecture-neutral dynamic taint analysis.
  • Modern QEMU: PANDA is based on QEMU 1.0.1, with some additional fixes and enhancements backported. Unlike platforms such as BitBlaze/TEMU, which use QEMU 0.9.1, this allows PANDA to support modern OSes such as Windows 8.
If you want to get started, check out the project on GitHub, and read some of the documentation:
Thanks to all the people who have contributed to making PANDA a reality over the past year, including:
  • Josh Hodosh
  • Ryan Whelan
  • Tim Leek
  • Michael Zhivich
  • Patrick Hulin
  • Anthony Eden
  • Sam Coe
  • Nathan VanBenschoten


Peter Teoh said...
This comment has been removed by the author.
Brendan Dolan-Gavitt said...

So far, just Debian (stable and unstable). Recent versions of Ubuntu should be fine as well. If you run into trouble with another distro, I'd be happy to help debug, and of course we would love to add instructions for more distros to our documentation.

I will also look into creating a prebuilt VM that has PANDA and all its dependencies preinstalled to smooth the way for folks that just want to take a quick look.

Robert said...

Can you say anything about the overhead of running worloads in qemu with PANDA recording compared to native execution outside qemu? I see one of the papers says "10% to 20%" but it's not clear what that's comparing to.

Brendan Dolan-Gavitt said...

I'm not sure where you saw the 10-20%. Recording does add overhead; I haven't done rigorous testing, but a short PCMark test I did last year showed about 2x slowdown over normal QEMU execution.

Benchmarks / profiling would always be appreciated!

Chris Foster said...

I've given a heads up on PANDA to the project, asking if it might be useful in checking apps that are destined for their upcoming distributed network.

A Docker image would be great for folks kicking the tyres and could be uploaded to:


priya sharma said...

Such A nice post... thanks For Sharing !!Great information for new guy like Happy New year 2020

anita said...

Such A nice post... thanks For Sharing !!Great information for new guy like Hanuman Chalisa Lyrics

GlobalEmployees said...

techforyou said...

cisco ise helps safeguard your business. It lets you control access throughout your network, see the user and device details, and stop/contain any threats.