TY - GEN
T1 - V2E
T2 - 8th ACM SIGPLAN/SIGOPS Conference on Virtual Execution Environments, VEE'12
AU - Yan, Lok Kwong
AU - Jayachandra, Manjukumar
AU - Zhang, Mu
AU - Yin, Heng
PY - 2012
Y1 - 2012
N2 - A transparent and extensible malware analysis platform is essential for defeating malware. This platform should be transparent so malware cannot easily detect and bypass it. It should also be extensible to provide strong support for heavyweight instrumentation and analysis efficiency. However, no existing platform can meet both requirements. Leveraging hardware virtualization technology, analysis platforms like Ether can achieve good transparency, but their instrumentation support and analysis efficiency are poor. In contrast, software emulation provides strong support for code instrumentation and good analysis efficiency by using dynamic binary translation. However, analysis platforms based on software emulation can be easily detected by malware and thus are poor in transparency. To achieve both transparency and extensibility, we propose a new analysis platform that combines hardware virtualization and software emulation. The essence is precise heterogeneous replay: the malware execution is recorded via hardware virtualization and then replayed in software. Our design ensures the execution replay is precise. Moreover, with page-level recording granularity, the platform can easily adjust to analyze various forms of malware (a process, a kernel module, or a shared library). We implemented a prototype called V2E and demonstrated its capability and efficiency by conducting an extensive evaluation with both synthetic samples and 14 real-world emulation-resistant malware samples.
KW - emulation
KW - emulation resistant
KW - hardware virtualization
KW - malware
KW - qemu
KW - record and replay
UR - http://www.scopus.com/inward/record.url?scp=84863351787&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=84863351787&partnerID=8YFLogxK
U2 - 10.1145/2151024.2151053
DO - 10.1145/2151024.2151053
M3 - Conference contribution
AN - SCOPUS:84863351787
SN - 9781450311755
T3 - VEE'12 - Proceedings of the ACM SIGPLAN/SIGOPS International Conference on Virtual Execution Environments
SP - 227
EP - 237
BT - VEE'12 - Proceedings of the ACM SIGPLAN/SIGOPS International Conference on Virtual Execution Environments
Y2 - 3 March 2012 through 4 March 2012
ER -