Bochs: A Portable PC Emulator for Unix/X
Linux Journal
Control Speculation in Multithreaded Processors through Dynamic Loop Detection
HPCA '98 Proceedings of the 4th International Symposium on High-Performance Computer Architecture
Obfuscation of executable code to improve resistance to static disassembly
Proceedings of the 10th ACM conference on Computer and communications security
On the effectiveness of address-space randomization
Proceedings of the 11th ACM conference on Computer and communications security
Detecting Kernel-Level Rootkits Through Binary Analysis
ACSAC '04 Proceedings of the 20th Annual Computer Security Applications Conference
Violating Assumptions with Fuzzing
IEEE Security and Privacy
Semantics-Aware Malware Detection
SP '05 Proceedings of the 2005 IEEE Symposium on Security and Privacy
Cobra: Fine-grained Malware Analysis using Stealth Localized-executions
SP '06 Proceedings of the 2006 IEEE Symposium on Security and Privacy
PolyUnpack: Automating the Hidden-Code Extraction of Unpack-Executing Malware
ACSAC '06 Proceedings of the 22nd Annual Computer Security Applications Conference
QEMU, a fast and portable dynamic translator
ATEC '05 Proceedings of the annual conference on USENIX Annual Technical Conference
Address obfuscation: an efficient approach to combat a board range of memory error exploits
SSYM'03 Proceedings of the 12th conference on USENIX Security Symposium - Volume 12
Toward Automated Dynamic Malware Analysis Using CWSandbox
IEEE Security and Privacy
Exploring Multiple Execution Paths for Malware Analysis
SP '07 Proceedings of the 2007 IEEE Symposium on Security and Privacy
The geometry of innocent flesh on the bone: return-into-libc without function calls (on the x86)
Proceedings of the 14th ACM conference on Computer and communications security
Compatibility is not transparency: VMM detection myths and realities
HOTOS'07 Proceedings of the 11th USENIX workshop on Hot topics in operating systems
Binary obfuscation using signals
SS'07 Proceedings of 16th USENIX Security Symposium on USENIX Security Symposium
ATC'07 2007 USENIX Annual Technical Conference on Proceedings of the USENIX Annual Technical Conference
Grammar-based whitebox fuzzing
Proceedings of the 2008 ACM SIGPLAN conference on Programming language design and implementation
Ether: malware analysis via hardware virtualization extensions
Proceedings of the 15th ACM conference on Computer and communications security
BitBlaze: A New Approach to Computer Security via Binary Analysis
ICISS '08 Proceedings of the 4th International Conference on Information Systems Security
Proceedings of the eighteenth international symposium on Software testing and analysis
Emulating emulation-resistant malware
Proceedings of the 1st ACM workshop on Virtual machine security
Detection and analysis of drive-by-download attacks and malicious JavaScript code
Proceedings of the 19th international conference on World wide web
Testing system virtual machines
Proceedings of the 19th international symposium on Software testing and analysis
Identifying Dormant Functionality in Malware Programs
SP '10 Proceedings of the 2010 IEEE Symposium on Security and Privacy
XTRec: Secure Real-Time Execution Trace Recording on Commodity Platforms
HICSS '11 Proceedings of the 2011 44th Hawaii International Conference on System Sciences
ROPdefender: a detection tool to defend against return-oriented programming attacks
Proceedings of the 6th ACM Symposium on Information, Computer and Communications Security
Detecting environment-sensitive malware
RAID'11 Proceedings of the 14th international conference on Recent Advances in Intrusion Detection
ISC'07 Proceedings of the 10th international conference on Information Security
SPIDER: stealthy binary program instrumentation and debugging via hardware virtualization
Proceedings of the 29th Annual Computer Security Applications Conference
Leveraging the short-term memory of hardware to diagnose production-run software failures
Proceedings of the 19th international conference on Architectural support for programming languages and operating systems
Hi-index | 0.00 |
A detailed understanding of the behavior of exploits and malicious software is necessary to obtain a comprehensive overview of vulnerabilities in operating systems or client applications, and to develop protection techniques and tools. To this end, a lot of research has been done in the last few years on binary analysis techniques to efficiently and precisely analyze code. Most of the common analysis frameworks are based on software emulators since such tools offer a fine-grained control over the execution of a given program. Naturally, this leads to an arms race where the attackers are constantly searching for new methods to detect such analysis frameworks in order to successfully evade analysis. In this paper, we focus on two aspects. As a first contribution, we introduce several novel mechanisms by which an attacker can delude an emulator. In contrast to existing detection approaches that perform a dedicated test on the environment and combine the test with an explicit conditional branch, our detection mechanisms introduce code sequences that have an implicitly different behavior on a native machine when compared to an emulator. Such differences in behavior are caused by the side-effects of the particular operations and imperfections in the emulation process that cannot be mitigated easily. Motivated by these findings, we introduce a novel approach to generate execution traces. We propose to utilize the processor itself to generate such traces. Mores precisely, we propose to use a hardware feature called branch tracing available on commodity x86 processors in which the log of all branches taken during code execution is generated directly by the processor. Effectively, the logging is thus performed at the lowest level possible. We evaluate the practical viability of this approach.