V2E: Combining hardware virtualization and software emulation for transparent and extensible malware analysis

Lok Kwong Yan, Manjukumar Jayachandra, Mu Zhang, Heng Yin

Research output: Contribution to journal › Article › peer-review

20 Scopus citations

Abstract

A transparent and extensible malware analysis platform is essential for defeating malware. The platform should be transparent, so that malware cannot easily detect and bypass it, and extensible, so that it provides strong support for heavyweight instrumentation and efficient analysis. However, no existing platform meets both requirements. Analysis platforms built on hardware virtualization, such as Ether, achieve good transparency, but their instrumentation support and analysis efficiency are weak. In contrast, software emulation provides strong support for code instrumentation and good analysis efficiency through dynamic binary translation, but emulation-based platforms are easily detected by malware and are therefore poor in transparency. To achieve both transparency and extensibility, we propose a new analysis platform that combines hardware virtualization and software emulation. Its essence is precise heterogeneous replay: the malware execution is recorded under hardware virtualization and then replayed in software. Our design ensures that the replay is precise. Moreover, with page-level recording granularity, the platform can easily be adjusted to analyze various forms of malware (a process, a kernel module, or a shared library). We implemented a prototype called V2E and demonstrated its capability and efficiency through an extensive evaluation with both synthetic samples and 14 real-world emulation-resistant malware samples.
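The following Python is an added illustration of the record/replay idea described in the abstract; it is not code from the paper or from the V2E prototype. A recorder stands in for the hardware-virtualization side: it runs a tiny program against "real" guest memory and a nondeterministic counter, and logs only what an emulator could not reproduce on its own, namely each memory page the first time the analyzed code touches it and every RDTSC result. A replayer stands in for the emulation side: it has no access to the real machine and must reproduce the same instruction trace from the log alone, raising an error if the log is incomplete. The instruction set, the 16-byte page size, the log layout, the sample program and the guest memory contents are all assumptions of this example and are constructed here.

```python
"""Toy page-granular record/replay (added example, not V2E code)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

PAGE_SIZE = 16  # toy page size; hardware pages are 4 KiB (assumption for the demo)

# Constructed sample program (assumed toy ISA): read two counters,
# overwrite the accumulator with a timestamp, then derive a second value.
PROGRAM = [
    ("LOAD", 0x04), ("ADD", 0x23), ("RDTSC",), ("STORE", 0x40),
    ("LOAD", 0x40), ("ADD", 0x04), ("STORE", 0x41), ("HALT",),
]

SAMPLE_MEMORY = bytearray(256)  # constructed guest memory: 16 toy pages
SAMPLE_MEMORY[0x04] = 10
SAMPLE_MEMORY[0x23] = 5


def make_clock(start=100, step=100):
    """Stand-in for a nondeterministic hardware counter (RDTSC)."""
    state = {"t": start - step}

    def clock():
        state["t"] += step
        return state["t"]
    return clock


def page_of(addr: int) -> int:
    return addr // PAGE_SIZE


@dataclass
class Log:
    pages: Dict[int, bytes] = field(default_factory=dict)  # page -> snapshot at first touch
    rdtsc: List[int] = field(default_factory=list)         # nondeterministic results, in order


class ReplayError(Exception):
    pass


class Machine:
    """Shared interpreter; only the backing store differs between record and replay."""

    def __init__(self):
        self.acc = 0
        self.trace = []  # (pc, opcode, acc after) -- what an analysis plugin would observe

    def read(self, addr): raise NotImplementedError
    def write(self, addr, val): raise NotImplementedError
    def rdtsc(self): raise NotImplementedError

    def run(self, program):
        for pc, ins in enumerate(program):
            op = ins[0]
            if op == "LOAD":
                self.acc = self.read(ins[1])
            elif op == "ADD":
                self.acc = (self.acc + self.read(ins[1])) & 0xFF
            elif op == "RDTSC":
                self.acc = self.rdtsc() & 0xFF
            elif op == "STORE":
                self.write(ins[1], self.acc)
            elif op == "HALT":
                break
            self.trace.append((pc, op, self.acc))
        return self.trace


class Recorder(Machine):
    """Record side: has the real memory and the real clock, writes the log."""

    def __init__(self, real_memory: bytearray, clock):
        super().__init__()
        self.mem, self.clock, self.log = real_memory, clock, Log()

    def _touch(self, addr):
        p = page_of(addr)
        if p not in self.log.pages:  # snapshot the page before the analyzed code can modify it
            self.log.pages[p] = bytes(self.mem[p * PAGE_SIZE:(p + 1) * PAGE_SIZE])

    def read(self, addr):
        self._touch(addr)
        return self.mem[addr]

    def write(self, addr, val):
        self._touch(addr)  # pre-write contents must be logged; replay reproduces the write itself
        self.mem[addr] = val

    def rdtsc(self):
        v = self.clock()
        self.log.rdtsc.append(v)
        return v


class Replayer(Machine):
    """Replay side: no real memory, no real clock; everything comes from the log."""

    def __init__(self, log: Log):
        super().__init__()
        self.log, self.mem = log, {}
        self.rdtsc_iter = iter(log.rdtsc)

    def _page(self, addr):
        p = page_of(addr)
        if p not in self.mem:
            if p not in self.log.pages:
                raise ReplayError(f"page {p:#x} needed but never recorded")
            self.mem[p] = bytearray(self.log.pages[p])  # materialise on demand
        return self.mem[p]

    def read(self, addr):
        return self._page(addr)[addr % PAGE_SIZE]

    def write(self, addr, val):
        self._page(addr)[addr % PAGE_SIZE] = val

    def rdtsc(self):
        try:
            return next(self.rdtsc_iter)
        except StopIteration:
            raise ReplayError("RDTSC executed but no recorded value left") from None


def record_and_replay(program, real_memory, clock):
    rec = Recorder(bytearray(real_memory), clock)
    recorded = rec.run(program)
    return rec.log, recorded, Replayer(rec.log).run(program)


def replay_or_error(log: Log, program) -> Tuple[Optional[list], Optional[str]]:
    try:
        return Replayer(log).run(program), None
    except ReplayError as e:
        return None, str(e)


if __name__ == "__main__":
    log, recorded, replayed = record_and_replay(PROGRAM, SAMPLE_MEMORY, make_clock())
    print("pages logged:", sorted(log.pages), "of", len(SAMPLE_MEMORY) // PAGE_SIZE)
    print("replay matches record:", recorded == replayed)
```

Only the three pages the program touches reach the log, which is the property that lets the recorded scope be narrowed or widened (a process, a kernel module, a shared library) without changing the replayer. Dropping any logged page or RDTSC value makes the replay fail loudly rather than silently diverge, which is the "precise" part of precise replay.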

Original language: English (US)
Pages (from-to): 227-237
Number of pages: 11
Journal: ACM SIGPLAN Notices
Volume: 47
Issue number: 7
DOIs
State: Published - Sep 2012

ASJC Scopus subject areas

  • General Computer Science
