Introduction Hardware-Assisted Solutions My Proposal Conclusions
Hardware-Assisted Malware Analysis
Marcus Botacin1, André Grégio3, Paulo Lício de Geus2
1Msc. Computer Science
Institute of Computing - UNICAMP
marcus@lasca.ic.unicamp.br
2Advisor
Institute of Computing - UNICAMP
paulo@lasca.ic.unicamp.br
3Co-Advisor
Federal University of Paraná (UFPR)
gregio@inf.ufpr.br
CTD - SBSEG
Hardware-Assisted Malware Analysis IC-UNICAMP
Topics
1 Introduction
    The Problem
    The Solution
    The Challenges
2 Hardware-Assisted Solutions
    The Benefits
    A Summary
3 My Proposal
    Background
    Developments
4 Conclusions
    Remarks
    Future Work
    Publications
The Problem
Malware Threats.
Figure: Washington Post: https://tinyurl.com/ljo7ekm
Figure: BBC: https://tinyurl.com/mfogjhe
The Solution
Malware Analysis.
Figure: Imperva: https://tinyurl.com/zkbsnl2
Figure: Enigma: https://tinyurl.com/kydgwve
The Challenges
The Challenges.
Figure: Themerkle: https://tinyurl.com/kasuxcr
Figure: Forbes: https://tinyurl.com/l7ecrex
How to stop analysis?
Table: Anti-Analysis: Tricks summary. Malware samples may employ multiple techniques to evade distinct analysis procedures.
Technique        | Description                                   | Reason                               | Implementation
Anti Debug       | Check if running inside a debugger            | Blocks reverse engineering attempts  | Fingerprinting
Anti VM          | Check if running inside a VM                  | Analysts use VMs for scalability     | Execution side-effect
Anti Disassembly | Fool disassemblers to generate wrong opcodes  | AV signatures may be based on opcodes | Undecidable constructions
And then...
Figure: Commercial solution armored with anti-debug technique.
Figure: Real malware impersonating a security solution that cannot run under a hypervisor.
The Benefits
Transparency
1 Higher privileged.
2 No non-privileged side-effects.
3 Identical Basic Instruction Semantics.
4 Transparent Exception Handling.
5 Identical Measurement of Time.
A Summary
A Survey
Table: Hardware features.
Technique | PROS              | CONS                        | Gaps
HVM       | Ring -1           | Hypervisor development      | High overhead
SMM       | Ring -2           | BIOS development            | High implementation cost
AMT       | Ring -3           | Chipset code change         | No malware analysis solution
HPCs      | Lightweight       | Context-limited information | No malware analysis solution
GPU       | Easy to program   | No register data            | No introspection procedures
TSX       | Commit-based      | Store only few KB           | Overcome the KB barrier
SGX       | Isolates goodware | Also isolates malware       | No enclave inspection
SOCs      | Tamper-proof      | Passive components          | Raise alarms
Background
Branch Monitors
Figure: Branch Stack.
Developments
Proposed Framework
Figure: Proposed framework architecture.
Could I develop a performance-counter-based malware analyzer?
Could I isolate processes’ actions?
Figure: Data Storage (DS) AREA.
Is CG reconstruction possible?
Table: ASLR - Library placement after two consecutive reboots.
Library   | NTDLL      | KERNEL32   | KERNELBASE
Address 1 | 0xBAF80000 | 0xB9610000 | 0xB8190000
Address 2 | 0x987B0000 | 0x98670000 | 0x958C0000
Table: Function Offsets from ntdll.dll library.
Function Offset
NtCreateProcess 0x3691
NtCreateProcessEx 0x30B0
NtCreateProfile 0x36A1
NtCreateResourceManager 0x36C1
NtCreateSemaphore 0x36D1
NtCreateSymbolicLinkObject 0x36E1
NtCreateThread 0x30C0
NtCreateThreadEx 0x36F1
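The two tables make the point behind CG reconstruction from hardware branch records: ASLR moves each library base between boots, but a function's offset from that base stays fixed. The Python below is an added example, not code from the BranchMonitoringProject; it resolves raw branch addresses to module!symbol+delta names from the slides' bases and offsets. The image size, the monitored program (sample.exe) and the trace records are constructed, and the step-over filter is one way to realize that view, not necessarily the project's.

```python
"""Symbolize branch-monitor addresses across ASLR reboots.

Added example, not the BranchMonitoringProject's code. ASLR relocates the
libraries at every boot, so a raw branch target is only meaningful with
that boot's module bases; a function's offset from its module base is
stable, which is what makes call-graph (CG) reconstruction from hardware
branch records feasible. Bases and ntdll offsets are the slides' values;
image size, monitored program and trace records are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# ntdll.dll function offsets from the module base (slide table).
NTDLL_OFFSETS: Dict[str, int] = {
    "NtCreateProcess": 0x3691,
    "NtCreateProcessEx": 0x30B0,
    "NtCreateProfile": 0x36A1,
    "NtCreateResourceManager": 0x36C1,
    "NtCreateSemaphore": 0x36D1,
    "NtCreateSymbolicLinkObject": 0x36E1,
    "NtCreateThread": 0x30C0,
    "NtCreateThreadEx": 0x36F1,
}
SYMBOLS: Dict[str, Dict[str, int]] = {"NTDLL": NTDLL_OFFSETS}

# Library bases after two consecutive reboots (slide table).
BASES_BOOT1 = {"NTDLL": 0xBAF80000, "KERNEL32": 0xB9610000, "KERNELBASE": 0xB8190000}
BASES_BOOT2 = {"NTDLL": 0x987B0000, "KERNEL32": 0x98670000, "KERNELBASE": 0x958C0000}

# Hypothetical image size for every module (not on the slides); a real tool
# reads each module's SizeOfImage from the loaded-module list.
IMAGE_SIZE = 0x100000
# Constructed monitored program (name, base), assumed not randomized.
TARGET = ("sample.exe", 0x00400000)


@dataclass(frozen=True)
class Branch:
    src: int  # FROM address recorded by the branch monitor
    dst: int  # TO address


def module_of(addr: int, bases: Dict[str, int]) -> Optional[Tuple[str, int]]:
    """Return (module, offset) for addr, or None when it is outside all images."""
    for name, base in list(bases.items()) + [TARGET]:
        if base <= addr < base + IMAGE_SIZE:
            return name, addr - base
    return None


def symbolize(addr: int, bases: Dict[str, int],
              symbols: Dict[str, Dict[str, int]]) -> str:
    """Map an absolute address to module!symbol+delta, debugger style.

    Uses the nearest known symbol at or below the offset, so an address in a
    function body reads like the slides' 'printf+0xca'.
    """
    hit = module_of(addr, bases)
    if hit is None:
        return f"0x{addr:08x}"  # heap, stack or injected code: no module
    mod, off = hit
    candidates = [(o, n) for n, o in symbols.get(mod, {}).items() if o <= off]
    if not candidates:
        return f"{mod}+0x{off:x}"
    sym_off, name = max(candidates)
    delta = off - sym_off
    return f"{mod}!{name}" if delta == 0 else f"{mod}!{name}+0x{delta:x}"


def call_graph(trace: List[Branch], bases: Dict[str, int],
               symbols: Dict[str, Dict[str, int]],
               step_over: bool = False) -> List[Tuple[str, str]]:
    """Turn FROM/TO records into symbolic (source, target) edges.

    step_over=True keeps only branches that originate in the monitored
    program, hiding the libraries' internal calls (one way to build the
    slides' 'Step Over' view); the default is the full 'Step Into' view.
    """
    edges: List[Tuple[str, str]] = []
    for br in trace:
        if step_over:
            src = module_of(br.src, bases)
            if src is None or src[0] != TARGET[0]:
                continue
        edges.append((symbolize(br.src, bases, symbols),
                      symbolize(br.dst, bases, symbols)))
    return edges


def demo_trace(bases: Dict[str, int]) -> List[Branch]:
    """Constructed trace: the program calls NtCreateThreadEx, which then
    branches into NtCreateThread's body. Only the bases differ per boot."""
    ntdll = bases["NTDLL"]
    return [
        Branch(TARGET[1] + 0x1010, ntdll + 0x36F1),  # sample.exe -> NtCreateThreadEx
        Branch(ntdll + 0x36F9, ntdll + 0x30D2),       # call inside ntdll
    ]
```

Running call_graph on demo_trace(BASES_BOOT1) and demo_trace(BASES_BOOT2) yields the same symbolic edges although every raw address differs, which is the property the offset table buys.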
Figure: Introspection Mechanism.
Figure: Step Into. Frames shown: _lock_file+0x90, printf+0xe3, __iob_func, printf+0xca, printf, NewToy.
Figure: Step Over. Frames shown: scanf+0x3f, NewToy, printf.
Could I retrieve all executed functions?
Is CFG reconstruction possible?
Figure: Code block identification.
Figure: It is possible to reconstruct the whole execution flow.
Is the final solution transparent?
Deviating Behavior
Figure: Deviating behavior identification.
Figure: Divergence: True Positive.
Figure: Divergence: False Positive.
Could I develop a Debugger?
Inverted I/O
Figure: Debugger’s working mechanism.
Integration
Figure: GDB integration.
Does the solution handle ROP attacks?
ROP Attacks
Figure: ROP chain example.
CALL-RET Policy
Figure: CALL-RET CFI policy.
Exploit Analysis
Table: Excerpt of the branch window of the ROP payload.
FROM       | TO
—          | 0x7c346c0a
0x7c346c0b | 0x7c37a140
0x7c37a141 | —
Listing 1: Static disassembly of the MSVCR71.dll library.
    7c346c08: f2 0f 58 c3          addsd  %xmm3,%xmm0
    7c346c0c: 66 0f 13 44 24 04    movlpd %xmm0,0x4(%esp)
Listing 2: Dynamic disassembly of the MSVCR71.dll executed code.
    0x1000 (size=1) pop rax
    0x1001 (size=1) ret
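The branch window and the two listings show what the CALL-RET policy catches: a RET that does not return to an outstanding CALL, landing at 0x7c346c0a in the middle of the statically disassembled addsd, exposes the gadget. The Python below is an added example and not the project's code; it rebuilds a shadow stack from FROM/TO records, decodes only the opcodes it needs (the real monitor disassembles the byte at FROM, which is how Listing 2 arises), and flags targets that split a static instruction. The bytes at 0x7c346c08 and the gadget addresses come from the slides; the program-side records, the callee at 0x7c37b000 and the bytes at 0x7c37a140 are constructed.

```python
"""CALL-RET policy check over a hardware branch window (added example).

Not the BranchMonitoringProject's code. A branch monitor delivers FROM/TO
pairs; the CALL-RET policy requires every RET to land on the address saved
by a still-outstanding CALL, which a shadow stack rebuilt from the window
verifies. Memory contents other than the MSVCR71 bytes of Listing 1 are
constructed for this example.
"""
from typing import Dict, List, Optional, Tuple

# Sparse memory image, address -> byte: only what the decoder needs.
MEM: Dict[int, int] = {}


def _load(addr: int, data: bytes) -> None:
    for i, b in enumerate(data):
        MEM[addr + i] = b


_load(0x00401000, bytes([0xE8, 0xFB, 0x9F, 0xF7, 0x7B]))  # call 0x7c37b000 (constructed)
_load(0x00401010, bytes([0xE8, 0xEB, 0x9F, 0xF7, 0x7B]))  # call 0x7c37b000 (constructed)
_load(0x7C37B000, bytes([0x90] * 16 + [0xC3]))             # callee body + ret (constructed)
_load(0x7C346C08, bytes.fromhex("f20f58c3660f13442404"))   # Listing 1: addsd ; movlpd
_load(0x7C37A140, bytes([0x5B, 0xC3]))                     # pop ebx ; ret (constructed)

# Instruction starts and lengths as the static disassembler saw them (Listing 1).
STATIC_INSNS: List[Tuple[int, int]] = [(0x7C346C08, 4), (0x7C346C0C, 6)]


def decode_at(addr: int) -> Tuple[str, Optional[int]]:
    """Minimal dynamic decoder: just the opcodes this check must recognise."""
    op = MEM.get(addr)
    if op == 0xE8:
        return "call", 5            # call rel32
    if op == 0xC3:
        return "ret", 1
    if op is not None and 0x58 <= op <= 0x5F:
        return "pop", 1             # pop r32 (Listing 2 shows this byte)
    return "?", None


def dynamic_listing(addr: int, count: int) -> List[Tuple[int, str]]:
    """Decode `count` instructions as the CPU executed them (Listing 2's view)."""
    out: List[Tuple[int, str]] = []
    for _ in range(count):
        kind, length = decode_at(addr)
        out.append((addr, kind))
        if length is None:
            break
        addr += length
    return out


def on_static_boundary(addr: int) -> Optional[bool]:
    """True if addr starts a static instruction, False if it falls inside one
    (an unintended instruction sequence), None if the static view lacks it."""
    for start, length in STATIC_INSNS:
        if start <= addr < start + length:
            return addr == start
    return None


def check_call_ret(window: List[Tuple[int, int]]) -> List[str]:
    """Replay FROM/TO records against a shadow stack built from their CALLs.

    Every RET must return to the address pushed by an outstanding CALL; any
    other RET is reported, and a target that splits a static instruction is
    additionally marked, the signature of a gadget like the one in Listing 2.
    """
    shadow: List[int] = []
    findings: List[str] = []
    for i, (src, dst) in enumerate(window):
        kind, length = decode_at(src)
        if kind == "call":
            shadow.append(src + length)
        elif kind == "ret":
            expected = shadow.pop() if shadow else None
            if expected == dst:
                continue
            why = (f"expected 0x{expected:08x}" if expected is not None
                   else "no outstanding call")
            note = f"#{i}: ret 0x{src:08x} -> 0x{dst:08x} ({why})"
            if on_static_boundary(dst) is False:
                note += ", target inside a static instruction"
            findings.append(note)
    return findings


# Constructed window: two clean call/return pairs, then the return of the
# second call is hijacked onto the slide's gadget chain.
WINDOW: List[Tuple[int, int]] = [
    (0x00401000, 0x7C37B000),  # call into the library
    (0x7C37B010, 0x00401005),  # clean return
    (0x00401010, 0x7C37B000),  # second call
    (0x7C37B010, 0x7C346C0A),  # return lands mid-instruction (slide TO)
    (0x7C346C0B, 0x7C37A140),  # slide row: gadget ret to next gadget
    (0x7C37A141, 0x7C346C0A),  # slide FROM; TO constructed
]
```

The first two records pass; the three RETs that follow are reported, two of them with the mid-instruction mark that distinguishes the Listing 1 view from the Listing 2 view.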
Remarks
Lessons learned
Transparency is essential.
Hardware-assisted approaches may fulfill transparency requirements.
There are open problems on hardware monitoring.
Security, performance, and development efforts as trade-offs (really?).
Performance monitors as lightweight alternatives.
Future Work
And now?
Multi-core monitor.
Linux Monitor.
Malware clustering.
Publications
Main Papers
Who watches the watchmen: A security-focused review on current state-of-the-art techniques, tools and methods for systems and binary analysis on modern platforms—ACM Computing Surveys (A1).
Enhancing Branch Monitoring for Security Purposes: From Control Flow Integrity to Malware Analysis and Debugging—ACM Transactions on Privacy and Security (A2).
The other guys: automated analysis of marginalized malware—Journal of Computer Virology and Hacking Techniques (B1).
Solution’s Availability
Figure: Solution's Availability. The solution is public on GitHub:
https://github.com/marcusbotacin/BranchMonitoringProject
Questions ?
Contact
marcus@lasca.ic.unicamp.br
mfbotacin@inf.ufpr.br