Abstract
Malicious software, a threat users face on a daily basis, has evolved from simple bankers (banking trojans) based on social engineering to advanced persistent threats. Recent research and discoveries reveal that malware developers have been using a wide range of anti-analysis and evasion techniques, in-memory attacks, and system subversion, including of the BIOS and hypervisors. In addition, code-reuse attacks such as Return-Oriented Programming have emerged as potent remote code execution threats. To counter the breadth of malicious code, distinct techniques and tools have been proposed, such as transparent malware tracers, system-wide debuggers, live forensics tools, and isolated execution rings. In this work, we present a survey of state-of-the-art techniques that detect, mitigate, and analyze the aforementioned attacks. We show approaches based on Hardware Virtual Machine introspection, System Management Mode instrumentation, Hardware Performance Counters, isolated rings (e.g., Software Guard eXtensions), as well as others based on external hardware. We also discuss upcoming threats based on the very same technologies used for defense. Our main goal is to provide the reader with a broader, more comprehensive understanding of recently surfaced tools and techniques aimed at binary analysis for modern platforms.
Supplemental Material
Supplemental movie, appendix, image and software files for "Who Watches the Watchmen: A Security-focused Review on Current State-of-the-art Techniques, Tools, and Methods for Systems and Binary Analysis on Modern Platforms".