SPiKE: engineering malware analysis tools using unobtrusive binary-instrumentation
ACSC '06 Proceedings of the 29th Australasian Computer Science Conference - Volume 48
Ether: malware analysis via hardware virtualization extensions
Proceedings of the 15th ACM conference on Computer and communications security
Dynamic and transparent analysis of commodity production systems
Proceedings of the IEEE/ACM international conference on Automated software engineering
nEther: in-guest detection of out-of-the-guest malware analyzers
Proceedings of the Fourth European Workshop on System Security
SHELLOS: enabling fast detection and forensic analysis of code injection attacks
SEC'11 Proceedings of the 20th USENIX conference on Security
A survey on automated dynamic malware-analysis techniques and tools
ACM Computing Surveys (CSUR)
Challenges for dynamic analysis of iOS applications
iNetSec'11 Proceedings of the 2011 IFIP WG 11.4 international conference on Open Problems in Network Security
Shifting GEARS to enable guest-context virtual services
Proceedings of the 9th international conference on Autonomic computing
SPIDER: stealthy binary program instrumentation and debugging via hardware virtualization
Proceedings of the 29th Annual Computer Security Applications Conference
| Hi-index | 0.00 |
Microscopic analysis of malicious code (malware) requires the aid of a variety of powerful tools. Chief among them is a debugger that enables runtime binary analysis at an instruction level. One of the important services provided by a debugger is the ability to stop execution of code at an arbitrary point during runtime, using breakpoints. Software breakpoints support an unlimited number of breakpoint locations by changing the code being debugged so that it can be interrupted during runtime. Most, if not all, malware are very sensitive to code modification with self-modifying and/or self-checking (SM-SC) capabilities, rendering the use of software breakpoints limited in their scope. Hardware breakpoints supported by the underlying processor, on the other hand, use a subset of the processor register set and exception mechanisms to provide breakpoints that do not entail code modification. This makes hardware breakpoints the most powerful breakpoint mechanism for malware analysis. However, current processors provide a very limited number of hardware breakpoints (typically 2-4 locations). Thus, a serious restriction is imposed on the debugger to set a desired number of breakpoints without resorting to the limited alternative of software breakpoints. Also, with the ever evolving nature of malware, there are techniques being employed that prevent the use of hardware breakpoints. This calls for a new breakpoint mechanism that retains the features of hardware breakpoints while providing an unlimited number of breakpoints, which cannot be detected or countered. In this paper, we present the concept of stealth breakpoints and discuss the design and implementation of VAMPiRE 1, a realization of this concept. VAMPiRE cannot be detected or countered and provides unlimited number of breakpoints to be set on code, data, and I/O with the same precision as that of hardware breakpoints. It does so by employing a subtle combination of simple stealth techniques using virtual memory and hardware single-stepping mechanisms that are available on all processors, old and new. This technique makes VAMPiRE portable to any architecture, providing powerful breakpoint ability similar to hardware breakpoints for microscopic malware analysis.