V2E: Combining hardware virtualization and software emulation for transparent and extensible malware analysis

Lok Kwong Yan, Manjukumar Jayachandra, Mu Zhang, Heng Yin

Research output: Chapter in Book/Report/Conference proceedingConference contribution

26 Scopus citations

Abstract

A transparent and extensible malware analysis platform is essential for defeating malware. This platform should be transparent so malware cannot easily detect and bypass it. It should also be extensible to provide strong support for heavyweight instrumentation and analysis efficiency. However, no existing platform can meet both requirements. Leveraging hardware virtualization technology, analysis platforms like Ether can achieve good transparency, but its instrumentation support and analysis efficiency is poor. In contrast, software emulation provides strong support for code instrumentation and good analysis efficiency by using dynamic binary translation. However, analysis platforms based on software emulation can be easily detected by malware and thus is poor in transparency. To achieve both transparency and extensibility, we propose a new analysis platform that combines hardware virtualization and software emulation. The essence is precise heterogeneous replay: the malware execution is recorded via hardware virtualization and then replayed in software. Our design ensures the execution replay is precise. Moreover, with page-level recording granularity, the platform can easily adjust to analyze various forms of malware (a process, a kernel module, or a shared library). We implemented a prototype called V2E and demonstrated its capability and efficiency by conducting an extensive evaluation with both synthetic samples and 14 realworld emulation-resistant malware samples.

Original languageEnglish (US)
Title of host publicationVEE'12 - Proceedings of the ACM SIGPLAN/SIGOPS International Conference on Virtual Execution Environments
Pages227-237
Number of pages11
DOIs
StatePublished - 2012
Event8th ACM SIGPLAN/SIGOPS Conference on Virtual Execution Environments, VEE'12 - London, United Kingdom
Duration: Mar 3 2012Mar 4 2012

Publication series

NameVEE'12 - Proceedings of the ACM SIGPLAN/SIGOPS International Conference on Virtual Execution Environments

Other

Other8th ACM SIGPLAN/SIGOPS Conference on Virtual Execution Environments, VEE'12
CountryUnited Kingdom
CityLondon
Period3/3/123/4/12

Keywords

  • emulation
  • emulation resistant
  • hardware virtualization
  • malware
  • qemu
  • record and replay

ASJC Scopus subject areas

  • Artificial Intelligence
  • Information Systems

Fingerprint Dive into the research topics of 'V2E: Combining hardware virtualization and software emulation for transparent and extensible malware analysis'. Together they form a unique fingerprint.

  • Cite this

    Yan, L. K., Jayachandra, M., Zhang, M., & Yin, H. (2012). V2E: Combining hardware virtualization and software emulation for transparent and extensible malware analysis. In VEE'12 - Proceedings of the ACM SIGPLAN/SIGOPS International Conference on Virtual Execution Environments (pp. 227-237). (VEE'12 - Proceedings of the ACM SIGPLAN/SIGOPS International Conference on Virtual Execution Environments). https://doi.org/10.1145/2151024.2151053