V2E: combining hardware virtualization and software emulation for transparent and extensible malware analysis

Research article. DOI: 10.1145/2151024.2151053

Published: 03 March 2012

Abstract

A transparent and extensible malware analysis platform is essential for defeating malware. The platform should be transparent so that malware cannot easily detect and bypass it. It should also be extensible, providing strong support for heavyweight instrumentation together with good analysis efficiency. However, no existing platform meets both requirements. Leveraging hardware virtualization technology, analysis platforms like Ether achieve good transparency, but their instrumentation support and analysis efficiency are poor. In contrast, software emulation provides strong support for code instrumentation and good analysis efficiency through dynamic binary translation; however, analysis platforms based on software emulation are easily detected by malware and thus offer poor transparency. To achieve both transparency and extensibility, we propose a new analysis platform that combines hardware virtualization and software emulation. Its essence is precise heterogeneous replay: the malware's execution is recorded under hardware virtualization and then replayed in software. Our design ensures that the replayed execution is precise. Moreover, with page-level recording granularity, the platform easily adjusts to analyze various forms of malware (a process, a kernel module, or a shared library). We implemented a prototype called V2E and demonstrated its capability and efficiency through an extensive evaluation with both synthetic samples and 14 real-world emulation-resistant malware samples.
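The following is an added toy model of the heterogeneous record-and-replay idea the abstract describes; it is not V2E's code, and the machine model, five-instruction "malware", log layout, page size, vendor strings and timing threshold are all constructed for illustration. The recording run stands in for execution under hardware virtualization and the replaying run for a software emulator whose RDTSC and CPUID results, and whose memory, differ from the real machine. The record captures every nondeterministic instruction result in order plus a copy of each page outside the sample's own pages on first touch; the replay feeds those back so the emulator's own values never reach the sample, and a cursor check flags any divergence between the recorded and replayed event sequence.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

PAGE = 0x1000  # page-level recording granularity (constructed page size)


@dataclass
class Machine:
    """CPU plus memory. tsc_step and vendor stand in for the nondeterministic
    inputs (RDTSC, CPUID) whose values differ between hardware and an emulator."""
    memory: Dict[int, int]            # address -> byte (constructed contents)
    tsc_step: int                     # cycles that pass per executed instruction
    vendor: str                       # CPUID vendor string
    regs: Dict[str, object] = field(default_factory=dict)
    tsc: int = 0

    def rdtsc(self) -> int:
        self.tsc += self.tsc_step
        return self.tsc


@dataclass
class Log:
    """Record taken under hardware virtualization: every nondeterministic
    instruction result in order, plus a copy of each page outside the analysed
    component's own pages, taken on first touch."""
    nondet: List[Tuple[str, object]] = field(default_factory=list)
    pages: Dict[int, Dict[int, int]] = field(default_factory=dict)


# Constructed emulation-resistant sample: a timing check and a CPUID check.
# If either suggests an emulator it takes the benign path, else it runs the payload.
PROGRAM = [
    ("rdtsc", "t1"),
    ("load", "x", 0x2004),   # reads a byte from a page the sample does not own
    ("rdtsc", "t2"),
    ("cpuid", "v"),
    ("check",),
]
THRESHOLD = 50               # constructed: more cycles than this => "we are emulated"
SCOPE: Set[int] = {0x1000}   # pages belonging to the analysed sample (constructed)


def run(m: Machine, log: Optional[Log] = None, replay: Optional[Log] = None) -> List[str]:
    """Execute PROGRAM on m. With log set, record nondeterministic results and
    foreign pages into it; with replay set, take them from the record instead of
    asking m, so the emulator's own RDTSC/CPUID/memory never reach the sample."""
    out: List[str] = []
    cursor = 0
    seen: Set[int] = set()
    for ins in PROGRAM:
        op = ins[0]
        if op in ("rdtsc", "cpuid"):
            if replay is not None:
                kind, val = replay.nondet[cursor]
                cursor += 1
                # Precision check: the replay must hit the same nondeterministic
                # instructions in the same order as the recording did.
                assert kind == op, f"replay diverged at {op}"
            else:
                val = m.rdtsc() if op == "rdtsc" else m.vendor
                if log is not None:
                    log.nondet.append((op, val))
            m.regs[ins[1]] = val
        elif op == "load":
            addr = ins[2]
            page = addr & ~(PAGE - 1)
            if page not in SCOPE and page not in seen:
                seen.add(page)   # only the first touch of a foreign page is recorded/restored
                if replay is not None:
                    m.memory.update(replay.pages[page])  # foreign page comes from the record
                elif log is not None:
                    log.pages[page] = {a: b for a, b in m.memory.items()
                                       if a & ~(PAGE - 1) == page}
            m.regs[ins[1]] = m.memory.get(addr, 0)
        elif op == "check":
            elapsed = m.regs["t2"] - m.regs["t1"]
            emulated = elapsed > THRESHOLD or m.regs["v"] != "GenuineIntel"
            out.append("benign" if emulated else f"payload:{m.regs['x']:#x}")
    if replay is not None:
        assert cursor == len(replay.nondet), "replay consumed a different number of events"
    return out


def record_on_hardware() -> Tuple[Log, List[str]]:
    """Recording run: fast RDTSC, real vendor string, populated foreign page."""
    native = Machine(memory={0x2004: 0x90, 0x2005: 0xC3}, tsc_step=10, vendor="GenuineIntel")
    log = Log()
    return log, run(native, log=log)


def run_in_emulator(replay: Optional[Log] = None) -> List[str]:
    """Emulator run: slow RDTSC, a different vendor string, and no copy of the
    foreign page. Without a record the sample detects it and goes benign."""
    emu = Machine(memory={}, tsc_step=500, vendor="TOYEMUCPU")
    return run(emu, replay=replay)


if __name__ == "__main__":
    log, native_trace = record_on_hardware()
    print("native   :", native_trace)       # payload path
    print("emulator :", run_in_emulator())   # benign path: sample spotted the emulator
    print("replay   :", run_in_emulator(log))  # payload path again, driven by the record
```

Run stand-alone, the sample takes the payload path on the recording machine, the benign path when executed directly in the emulator, and the payload path again under replay, because every value it could use to tell the two apart came from the record. In the paper the recording side is a hardware-virtualized VM and the replay side a QEMU-based emulator (per the author tags); the model above keeps only the two properties the abstract names, page-level capture of foreign memory and a precise, checkable event sequence.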

References

[1] adore-ng rootkit. http://stealth.openwall.net/rootkits/.
[2] Anubis: Analyzing Unknown Binaries. http://anubis.iseclab.org/.
[3] D. Balzarotti, M. Cova, C. Karlberger, C. Kruegel, E. Kirda, and G. Vigna. Efficient detection of split personalities in malware. In Proceedings of the Network and Distributed System Security Symposium (NDSS'10), San Diego, CA, February 2010.
[4] U. Bayer, P. Comparetti, C. Hlauschek, C. Kruegel, and E. Kirda. Scalable, behavior-based malware clustering. In Proceedings of the 16th Annual Network and Distributed System Security Symposium (NDSS'09), 2009.
[5] F. Bellard. QEMU, a fast and portable dynamic translator. In USENIX Annual Technical Conference, FREENIX Track, April 2005.
[6] D. Bruening, T. Garnett, and S. Amarasinghe. An infrastructure for adaptive dynamic optimization. In International Symposium on Code Generation and Optimization (CGO'03), March 2003.
[7] J. Caballero, H. Yin, Z. Liang, and D. Song. Polyglot: Automatic extraction of protocol message format using dynamic binary analysis. In Proceedings of the 14th ACM Conference on Computer and Communications Security (CCS'07), October 2007.
[8] J. Caballero, P. Poosankam, C. Kreibich, and D. Song. Dispatcher: Enabling active botnet infiltration using automatic protocol reverse-engineering. In Proceedings of the 16th ACM Conference on Computer and Communications Security (CCS'09), Chicago, IL, November 2009.
[9] J. Caballero, N. M. Johnson, S. McCamant, and D. Song. Binary code extraction and interface identification for security applications. In Proceedings of the 17th Annual Network and Distributed System Security Symposium (NDSS'10), San Diego, CA, February 2010.
[10] J. Chow, T. Garfinkel, and P. Chen. Decoupling dynamic program analysis from execution in virtual environments. In Proceedings of the 2008 USENIX Annual Technical Conference (ATC'08), June 2008.
[11] CWSandbox: Behavior-based Malware Analysis. http://mwanalysis.org/.
[12] C. da Wang and S. Ju. The dilemma of covert channels searching. In Information Security and Cryptology (ICISC'05), pages 169--174, 2005.
[13] A. Dinaburg, P. Royal, M. Sharif, and W. Lee. Ether: malware analysis via hardware virtualization extensions. In Proceedings of the 15th ACM Conference on Computer and Communications Security (CCS'08), pages 51--62, 2008.
[14] G. W. Dunlap, S. T. King, S. Cinar, M. A. Basrai, and P. M. Chen. ReVirt: Enabling intrusion analysis through virtual-machine logging and replay. In Proceedings of the 5th Symposium on Operating Systems Design and Implementation (OSDI'02), December 2002.
[15] M. Egele, C. Kruegel, E. Kirda, H. Yin, and D. Song. Dynamic spyware analysis. In Proceedings of the 2007 USENIX Annual Technical Conference (ATC'07), June 2007.
[16] P. Ferrie. Attacks on virtual machine emulators. Symantec Security Response, December 2006.
[17] T. Garfinkel and M. Rosenblum. A virtual machine introspection based architecture for intrusion detection. In Proceedings of the Network and Distributed Systems Security Symposium (NDSS'03), February 2003.
[18] D. Geels, G. Altekar, S. Shenker, and I. Stoica. Replay debugging for distributed applications. In Proceedings of the 2006 USENIX Annual Technical Conference (ATC'06), 2006.
[19] Z. Guo, X. Wang, J. Tang, X. Liu, Z. Xu, M. Wu, M. F. Kaashoek, and Z. Zhang. R2: An application-level kernel for record and replay. In Proceedings of the 9th Symposium on Operating Systems Design and Implementation (OSDI'08), pages 193--208, 2008.
[20] X. Jiang, X. Wang, and D. Xu. Stealthy malware detection through VMM-based "out-of-the-box" semantic view reconstruction. In Proceedings of the 14th ACM Conference on Computer and Communications Security (CCS'07), October 2007.
[21] M. G. Kang, P. Poosankam, and H. Yin. Renovo: A hidden code extractor for packed executables. In Proceedings of the 5th ACM Workshop on Recurring Malcode (WORM'07), October 2007.
[22] M. G. Kang, H. Yin, S. Hanna, S. McCamant, and D. Song. Emulating emulation-resistant malware. In Proceedings of the 2nd Workshop on Virtual Machine Security (VMSec'09), November 2009.
[23] KVM: Kernel Based Virtual Machine. http://www.linux-kvm.org/.
[24] A. Lanzi, M. Sharif, and W. Lee. K-Tracer: A system for extracting kernel malware behavior. In Proceedings of the 16th Annual Network and Distributed System Security Symposium (NDSS'09), February 2009.
[25] C.-K. Luk, R. Cohn, R. Muth, H. Patil, A. Klauser, G. Lowney, S. Wallace, V. J. Reddi, and K. Hazelwood. Pin: Building customized program analysis tools with dynamic instrumentation. In Proceedings of the 2005 ACM SIGPLAN Conference on Programming Language Design and Implementation (PLDI'05), June 2005.
[26] L. Martignoni, R. Paleari, G. F. Roglia, and D. Bruschi. Testing CPU emulators. In Proceedings of the 18th International Symposium on Software Testing and Analysis (ISSTA'09), pages 261--272, 2009.
[27] A. Moser, C. Kruegel, and E. Kirda. Exploring multiple execution paths for malware analysis. In Proceedings of the 2007 IEEE Symposium on Security and Privacy (Oakland'07), May 2007.
[28] N. Nethercote and J. Seward. Valgrind: a framework for heavyweight dynamic binary instrumentation. In Proceedings of the 2007 ACM SIGPLAN Conference on Programming Language Design and Implementation (PLDI'07), pages 89--100, 2007.
[29] M. Olszewski, J. Ansel, and S. Amarasinghe. Kendo: efficient deterministic multithreading in software. In Proceedings of the 14th International Conference on Architectural Support for Programming Languages and Operating Systems (ASPLOS'09), March 2009.
[30] QEMU. http://fabrice.bellard.free.fr/qemu/.
[31] T. Raffetseder, C. Krügel, and E. Kirda. Detecting system emulators. In Proceedings of the 10th Information Security Conference (ISC'07), pages 1--18, October 2007.
[32] R. Riley, X. Jiang, and D. Xu. Multi-aspect profiling of kernel rootkit behavior. In Proceedings of the 4th ACM European Conference on Computer Systems (EuroSys'09), 2009.
[33] Y. Saito. Jockey: a user-space library for record-replay debugging. In Proceedings of the 6th International Symposium on Automated Analysis-driven Debugging (AADEBUG'05), pages 69--76, 2005.
[34] M. Sharif, A. Lanzi, J. Giffin, and W. Lee. Automatic reverse engineering of malware emulators. In Proceedings of the 30th IEEE Symposium on Security and Privacy (Oakland'09), pages 94--109, 2009.
[35] M. Sipser. Introduction to the Theory of Computation. International Thomson Publishing, 1996.
[36] S. M. Srinivasan, S. Kandula, C. R. Andrews, and Y. Zhou. Flashback: a lightweight extension for rollback and deterministic replay for software debugging. In Proceedings of the 2004 USENIX Annual Technical Conference (ATC'04), June 2004.
[37] TEMU: The BitBlaze dynamic analysis component. http://bitblaze.cs.berkeley.edu/temu.html.
[38] A. Vasudevan and R. Yerraballi. Cobra: Fine-grained malware analysis using stealth localized-executions. In Proceedings of the 2006 IEEE Symposium on Security and Privacy (Oakland'06), pages 264--279, 2006.
[39] VMware. http://www.vmware.com/.
[40] H. Yin, D. Song, E. Manuel, C. Kruegel, and E. Kirda. Panorama: Capturing system-wide information flow for malware detection and analysis. In Proceedings of the 14th ACM Conference on Computer and Communications Security (CCS'07), October 2007.
[41] H. Yin, Z. Liang, and D. Song. HookFinder: Identifying and understanding malware hooking behaviors. In Proceedings of the 15th Annual Network and Distributed System Security Symposium (NDSS'08), February 2008.



      Published In

VEE '12: Proceedings of the 8th ACM SIGPLAN/SIGOPS Conference on Virtual Execution Environments
March 2012, 248 pages
ISBN: 9781450311762
DOI: 10.1145/2151024

Also published in ACM SIGPLAN Notices, Volume 47, Issue 7 (VEE '12)
July 2012, 229 pages
ISSN: 0362-1340, EISSN: 1558-1160
DOI: 10.1145/2365864
      Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher

Association for Computing Machinery, New York, NY, United States


      Author Tags

      1. emulation
      2. emulation resistant
      3. hardware virtualization
      4. malware
      5. qemu
      6. record and replay

      Qualifiers

      • Research-article

      Conference

      VEE '12

      Acceptance Rates

      Overall Acceptance Rate 80 of 235 submissions, 34%

Article Metrics

• Downloads (last 12 months): 16
• Downloads (last 6 weeks): 1
Reflects downloads up to 02 Mar 2025

Cited By

• (2024) Comparing malware evasion theory with practice. Proceedings of the Twentieth USENIX Conference on Usable Privacy and Security, pp. 61-80. DOI: 10.5555/3696899.3696903. Online publication date: 12-Aug-2024
• (2024) Understanding LLMs Ability to Aid Malware Analysts in Bypassing Evasion Techniques. Companion Proceedings of the 26th International Conference on Multimodal Interaction, pp. 36-40. DOI: 10.1145/3686215.3690147. Online publication date: 4-Nov-2024
• (2024) ZeroShield: Transparently Mitigating Code Page Sharing Attacks With Zero-Cost Stand-By. IEEE Transactions on Information Forensics and Security 19, pp. 7389-7403. DOI: 10.1109/TIFS.2024.3435062. Online publication date: 2024
• (2024) Reducing Malware Analysis Overhead With Coverings. IEEE Transactions on Dependable and Secure Computing 21(4), pp. 4133-4146. DOI: 10.1109/TDSC.2023.3346328. Online publication date: Jul-2024
• (2023) Cybersecurity for autonomous vehicles against malware attacks in smart-cities. Cluster Computing 27(3), pp. 3363-3378. DOI: 10.1007/s10586-023-04114-7. Online publication date: 3-Oct-2023
• (2022) HyperDbg: Reinventing Hardware-Assisted Debugging. Proceedings of the 2022 ACM SIGSAC Conference on Computer and Communications Security, pp. 1709-1723. DOI: 10.1145/3548606.3560649. Online publication date: 7-Nov-2022
• (2022) ClusterRR: a record and replay framework for virtual machine cluster. Proceedings of the 18th ACM SIGPLAN/SIGOPS International Conference on Virtual Execution Environments, pp. 31-44. DOI: 10.1145/3516807.3516819. Online publication date: 25-Feb-2022
• (2022) Raven. Proceedings of the 59th ACM/IEEE Design Automation Conference, pp. 1039-1044. DOI: 10.1145/3489517.3530583. Online publication date: 10-Jul-2022
• (2021) An Inside Look into the Practice of Malware Analysis. Proceedings of the 2021 ACM SIGSAC Conference on Computer and Communications Security, pp. 3053-3069. DOI: 10.1145/3460120.3484759. Online publication date: 12-Nov-2021
• (2021) ECMO: Peripheral Transplantation to Rehost Embedded Linux Kernels. Proceedings of the 2021 ACM SIGSAC Conference on Computer and Communications Security, pp. 734-748. DOI: 10.1145/3460120.3484753. Online publication date: 12-Nov-2021
