Proceedings Article
DOI: 10.1109/SP.2015.11
Using Hardware Features for Increased Debugging Transparency
Fengwei Zhang, Kevin Leach, Angelos Stavrou, Haining Wang, Kun Sun +4 more
- 17 May 2015
- pp 55-69
TL;DR: MALT, a debugging framework that employs System Management Mode, a CPU mode in the x86 architecture, to transparently study armored malware, which reduces the attack surface at the software level, and advances state-of-the-art debugging transparency.
Abstract: With the rapid proliferation of malware attacks on the Internet, understanding these malicious behaviors plays a critical role in crafting effective defense. Advanced malware analysis relies on virtualization or emulation technology to run samples in a confined environment, and to analyze malicious activities by instrumenting code execution. However, virtual machines and emulators inevitably create artifacts in the execution environment, making these approaches vulnerable to detection or subversion. In this paper, we present MALT, a debugging framework that employs System Management Mode, a CPU mode in the x86 architecture, to transparently study armored malware. MALT does not depend on virtualization or emulation and thus is immune to threats targeting such environments. Our approach reduces the attack surface at the software level, and advances state-of-the-art debugging transparency. MALT embodies various debugging functions, including register/memory accesses, breakpoints, and four stepping modes. We implemented a prototype of MALT on two physical machines, and we conducted experiments by testing an array of existing anti-virtualization, anti-emulation, and packing techniques against MALT. The experimental results show that our prototype remains transparent and undetected against the samples. Furthermore, our prototype of MALT introduces moderate but manageable overheads on both Windows and Linux platforms.
Citations
Malware Dynamic Analysis Evasion Techniques: A Survey
TL;DR: It is argued that current defensive strategies, from reactive methods to efforts toward more transparent analysis systems, are readily foiled by zero-day fingerprinting techniques or by other evasion tactics such as stalling; the survey recommends pursuing more generic defensive strategies, with an emphasis on path exploration techniques that have the potential to thwart all of these evasive tactics.
- 145 citations
MalGene: Automatic Extraction of Malware Analysis Evasion Signature
Kirat Dhilung Hang, Giovanni Vigna +1 more
- 12 Oct 2015
TL;DR: MalGene is presented, an automated technique for extracting analysis evasion signatures that leverages algorithms borrowed from bioinformatics to automatically locate evasive behavior in system call sequences and constructs a succinct evasion signature, which can be used by an analyst to quickly understand evasions.
- 134 citations
PrivateZone: Providing a Private Execution Environment Using ARM TrustZone
Jinsoo Jang, Changho Choi, Jaehyuk Lee, Nohyun Kwak, Seongman Lee, Yeseul Choi, Brent Byunghoon Kang +6 more
TL;DR: The design and implementation of PrivateZone are described, an Android application based on the PrivateZone framework is developed, and the performance overhead imposed on the OS in the REE and on SCLs in the PrEE is measured.
- 59 citations
- Proceedings Article
Ninja: Towards Transparent Tracing and Debugging on ARM
Zhenyu Ning, Fengwei Zhang +1 more
- 01 Jan 2017
TL;DR: NINJA is proposed, a transparent malware analysis framework for the ARM platform with low artifacts; it leverages the hardware-assisted isolated execution environment TrustZone to transparently trace and debug a target application with the help of the Performance Monitor Unit and the Embedded Trace Macrocell.
- 53 citations
Graph Convolutional Networks for Android Malware Detection with System Call Graphs
Teenu S. John, Tony Thomas, Sabu Emmanuel +2 more
- 01 Feb 2020
TL;DR: A novel Android malware detection mechanism using GCN is proposed, which uses centrality measures of the system call graph as input features together with a four-dimensional feature representation for Android applications, and achieves a detection accuracy of 92.30% on datasets with obfuscated malware.
- 52 citations
References
- Proceedings Article
A Virtual Machine Introspection Based Architecture for Intrusion Detection
Tal Garfinkel, Mendel Rosenblum +1 more
- 01 Jan 2003
TL;DR: This paper presents an architecture that retains the visibility of a host-based IDS, but pulls the IDS outside of the host for greater attack resistance, achieved through the use of a virtual machine monitor.
BitBlaze: A New Approach to Computer Security via Binary Analysis
Dawn Song, David Brumley, Heng Yin, Juan Caballero, Ivan Jager, Min Gyung Kang, Zhenkai Liang, James Newsome, Pongsin Poosankam, Prateek Saxena +9 more
- 16 Dec 2008
TL;DR: An overview of the BitBlaze project, a new approach to computer security via binary analysis that focuses on building a unified binary analysis platform and using it to provide novel solutions to a broad spectrum of different security problems.
Ether: malware analysis via hardware virtualization extensions
Artem Dinaburg, Paul Royal, Monirul I. Sharif, Wenke Lee +3 more
- 27 Oct 2008
TL;DR: Ether, a transparent and external approach to malware analysis, is proposed, which is motivated by the intuition that for a malware analyzer to be transparent, it must not induce any side-effects that are unconditionally detectable by malware.
Towards an understanding of anti-virtualization and anti-debugging behavior in modern malware
Xu Chen, Jon Andersen, Zhuoqing Morley Mao, Michael Bailey, Jose Nazario +4 more
- 24 Jun 2008
TL;DR: This work has undertaken a robust analysis of current malware and developed a detailed taxonomy of malware defender fingerprinting methods, which is used to characterize the prevalence of these avoidance methods, to generate a novel fingerprinting method that can assist malware propagation, and to create an effective new technique to protect production systems.
Detecting system emulators
Thomas Raffetseder, Christopher Kruegel, Engin Kirda +2 more
- 09 Oct 2007
TL;DR: A number of possibilities to detect system emulators are analyzed and it is shown that emulation can be successfully detected, mainly because the task of perfectly emulating real hardware is complex.