
Development and Analyses of Xen based Dynamic Binary Instrumentation using Intel VT  

Kim, Tae-Hyoung (Department of Electrical and Computer Engineering, Sungkyunkwan University)
Kim, In-Hyuk (Department of Electrical and Computer Engineering, Sungkyunkwan University)
Eom, Young-Ik (Department of Computer Engineering, Sungkyunkwan University)
Kim, Won-Ho (Researcher, Cyber Technology Development Division, Attached Institute of ETRI)
Abstract
There are several methods for malware analysis. However, it is difficult to detect malware precisely with existing detection methods. In particular, malware with strong anti-debugging facilities can detect the analyzer and disturb its analysis. Furthermore, analyzing malware takes too much time. To resolve these problems of current analyzers, an improved analysis scheme is required. This paper proposes a dynamic binary instrumentation that supports instruction analysis and memory access tracing. Additionally, by supporting API call tracing with DLL loading analysis, our system establishes the foundation for analyzing various executable codes. Based on Xen, a full-virtualization environment is built using Intel's VT technology, and Windows XP can be used as a guest. We analyze representative malware using several functions of our system and show the improvements in accuracy and efficiency of our system's binary analysis capability.
Keywords
Hardware-assisted virtualization; Malware analysis; Dynamic binary instrumentation; Anti-debugging;