Survey

Who Watches the Watchmen: A Security-focused Review on Current State-of-the-art Techniques, Tools, and Methods for Systems and Binary Analysis on Modern Platforms

Published: 13 July 2018

Abstract

Malicious software, a threat users face on a daily basis, has evolved from simple banking trojans based on social engineering to advanced persistent threats. Recent research and discoveries reveal that malware developers have been using a wide range of anti-analysis and evasion techniques, in-memory attacks, and system subversion, including of the BIOS and hypervisors. In addition, code-reuse attacks such as Return-Oriented Programming have emerged as highly potent remote code execution threats. To counter the breadth of malicious code, distinct techniques and tools have been proposed, such as transparent malware tracers, system-wide debuggers, live forensics tools, and isolated execution rings. In this work, we present a survey of state-of-the-art techniques that detect, mitigate, and analyze the aforementioned attacks. We show approaches based on Hardware Virtual Machine introspection, System Management Mode instrumentation, Hardware Performance Counters, and isolated rings (e.g., Software Guard eXtensions), as well as others based on external hardware. We also discuss upcoming threats based on the very same technologies used for defense. Our main goal is to provide the reader with a broader, more comprehensive understanding of recently surfaced tools and techniques aimed at binary analysis for modern platforms.

  137. Xueyan Wang and Xiaofei Guo. 2016. NumChecker: A System Approach for Kernel Rootkit Detection and Identification. https://tinyurl.com/yc5svs9m. (2016).Google ScholarGoogle Scholar
  138. Xueyang Wang, Charalambos Konstantinou, Michail Maniatakos, and Ramesh Karri. 2015b. ConFirm: Detecting firmware modifications in embedded syst. using hardware performance counters. In Proceedings of the IEEE/ACM International Conference on Comp.-Aided Design (ICCAD’15). IEEE Press. Google ScholarGoogle ScholarDigital LibraryDigital Library
  139. Filip Wecherowski. 2009. A Real SMM Rootkit: Reversing and Hooking BIOS SMI Handlers. https://tinyurl.com/knoms4t. (2009).Google ScholarGoogle Scholar
  140. Carsten Willems, Ralf Hund, Andreas Fobian, Dennis Felsch, Thorsten Holz, and Amit Vasudevan. 2012b. Down to the bare metal: Using processor features for binary analysis. In Proceedings of the of the 28th Annual Comp. Sec. Applications Conference (ACSAC’12). ACM. Google ScholarGoogle ScholarDigital LibraryDigital Library
  141. Carsten Willems, Ralf Hund, and Thorsten Holz. 2012a. CXPInspector: Hypervisor-Based, Hardware-Assisted System Monitoring. Technical Report. Horst Gortz Institute for IT Sec.Google ScholarGoogle Scholar
  142. Yubin Xia, Yutao Liu, Haibo Chen, and Binyu Zang. 2012. CFIMon: Detecting violation of control flow integrity using performance counters. In Proceedings of the 2012 42nd Annual IEEE/IFIP International Conference on Depend. Syst. and Net. (DSN) (DSN’12). IEEE Comp. Society. Google ScholarGoogle ScholarDigital LibraryDigital Library
  143. Xiaowen Xin. 2017. Lock it up! New hardware protections for your lock screen with the Google Pixel 2. https://tinyurl.com/yb5pejys. (2017).Google ScholarGoogle Scholar
  144. Jun Xu, Dongliang Mu, Xinyu Xing, Peng Liu, Ping Chen, and Bing Mao. 2017. Postmortem program analysis with hardware-enhanced post-crash artifacts. In Proceedings of the 26th USENIX Sec. Symposium. USENIX. Google ScholarGoogle ScholarDigital LibraryDigital Library
  145. S. D. Yalew, G. Q. Maguire, S. Haridi, and M. Correia. 2017. T2Droid: A trustzone-based dynamic analyser for android applications. In Proceedings of the 2017 IEEE Trustcom/BigDataSE/ICESS.Google ScholarGoogle Scholar
  146. Lok-Kwong Yan, Manjukumar Jayachandra, Mu Zhang, and Heng Yin. 2012. V2E: Combining hardware virtualization and softwareemulation for transparent and extensible malware analysis. In Proceedings of the 8th ACM SIGPLAN/SIGOPS Conference on Virtual Execution Environments (VEE’12). Google ScholarGoogle ScholarDigital LibraryDigital Library
  147. Liwei Yuan, Weichao Xing, Haibo Chen, and Binyu Zang. 2011. Sec. breaches as PMU deviation: Detecting and identifying sec. attacks using performance counters. In Proceedings of the 2nd Asia-Pacific Workshop on Syst. (APSys’11). ACM. Google ScholarGoogle ScholarDigital LibraryDigital Library
  148. Fengwei Zhang. 2013. IOCheck: A framework to enhance the security of I/O devices at runtime. In Proceedings of the 2013 43rd Annual IEEE/IFIP Conference on Depend. Syst. and Net. Wksp (DSN-W).Google ScholarGoogle ScholarCross RefCross Ref
  149. F. Zhang, K. Leach, A. Stavrou, H. Wang, and K. Sun. 2015. Using hardware features for increased debugging transparency. In Proceedings of the 2015 IEEE Symposium on Sec. and Priv. IEEE. Google ScholarGoogle ScholarDigital LibraryDigital Library
  150. Fengwei Zhang, Kevin Leach, Kun Sun, and Angelos Stavrou. 2013. SPECTRE: A depend. introspection framework via system management mode. In Proceedings of the 43rd Annual IEEE/IFIP International Conference on Depend. Syst. and Net. (DSN) (DSN’13). IEEE Comp. Society. Google ScholarGoogle ScholarDigital LibraryDigital Library
  151. Fengwei Zhang and Hongwei Zhang. 2016. SoK: A study of using hardware-assisted isolated execution environments for sec.. In Proceedings of the Hardware and Architectural Support for Sec. and Priv. (HASP). ACM. Google ScholarGoogle ScholarDigital LibraryDigital Library
  152. Yury Zhauniarovich, Olga Gadyatskaya, and Bruno Crispo. 2013. DEMO: Enabling trusted stores for android. In Proceedings of the of the 2013 ACM SIGSAC Conference on Comp. 8 Comm. Sec. (CCS’13). ACM. Google ScholarGoogle ScholarDigital LibraryDigital Library
Published in

  ACM Computing Surveys, Volume 51, Issue 4
  July 2019
  765 pages
  ISSN: 0360-0300
  EISSN: 1557-7341
  DOI: 10.1145/3236632
  Editor: Sartaj Sahni

          Copyright © 2018 ACM

          Publisher

          Association for Computing Machinery

          New York, NY, United States

          Publication History

          • Published: 13 July 2018
          • Accepted: 1 March 2018
          • Revised: 1 February 2018
          • Received: 1 May 2017
          Published in csur Volume 51, Issue 4