
National Digital Library of Theses and Dissertations in Taiwan (臺灣博碩士論文加值系統)


Detailed Record

Author (Chinese): 劉晏如
Author (English): Liu, Yen-Ju
Title (Chinese): 利用比較程式基本區塊快速尋找虛擬機器感知造成的程式分歧點
Title (English): Fast Discovery of VM-Sensitive Divergence Points with Basic Block Comparison
Advisor (Chinese): 謝續平
Advisor (English): Shieh, Shiuh-Pyng
Degree: Master
Institution: National Chiao Tung University
Department: Institute of Network Engineering
Discipline: Education
Field: Educational Technology
Document type: Academic thesis
Year of publication: 2012
Academic year of graduation: 100
Language: English
Pages: 35
Keywords (Chinese): 惡意程式行為分析; 虛擬機器感知惡意程式; 虛擬機器
Keywords (English): Malware Behavior Analysis; VM-Aware Malware; Virtual Machine
Statistics:
  • Cited by: 0
  • Views: 445
  • Rating:
  • Downloads: 0
  • Bookmarked: 0
Abstract (Chinese, translated): Virtual machine technology is widely used in today's malware analysis systems. To evade detection and analysis by these systems, a new class of malware can sense the presence of a virtual machine and then hide its malicious behavior to deceive the analysis system. This thesis proposes a new method that compares a program's behavior under different environments to detect and analyze the program divergence points caused by VM awareness. Unlike conventional approaches, which use the instruction as the basic unit of analysis, this method uses the program basic block as the unit. Compared with instruction-level analysis, our method greatly reduces the time spent recording and comparing program behavior, and also reduces the space needed to record it. In our experiments, recording program behavior was 23.87 to 39.49 times faster than the conventional approach, and for the test samples the total number of analysis units was 11.95%-16.00% of that of the conventional approach. Our approach can therefore locate the program divergence points caused by VM awareness more efficiently. The correctness of our divergence point search algorithm is also proved in the thesis.
Abstract (English): To evade VM-based malware analysis systems, VM-aware malware equipped with the ability to detect the presence of a virtual machine has been proposed. To detect VM-aware malware and locate its VM-sensitive divergence points, we propose a new block-based behavior comparison scheme (BBC), in contrast to the conventional instruction-based schemes. The BBC scheme divides the malware program into basic blocks, instead of binary instructions, and uses them as the analysis unit. In contrast to the conventional schemes, the BBC scheme significantly decreases the cost of behavior logging and trace comparison, as well as the size of behavior traces. In our evaluation, behavior logging is 23.87-39.49 times faster than the conventional schemes. The total number of analysis units, which is closely related to the cost of trace comparison, is 11.95%-16.00% of that of the conventional schemes. Consequently, VM-sensitive divergence points can be discovered more efficiently. The correctness of our divergence point discovery algorithm is also proved in this paper.
Abstract (Chinese) I
Abstract II
Acknowledgements III
Table of Contents IV
List of Figures VI
List of Tables VII
1. Introduction 1
1.1. VM-Aware Malware 2
1.1.1 VM-Checks 2
1.1.2 VM-Sensitive Divergence Points 3
1.1.3 An Example of VM-Aware Malware 3
1.2. Transparent Malware Behavior Analysis Systems 4
1.3. Detection of VM-Aware Malware 4
1.4. Overview of the BBC Scheme 6
1.5. Contribution 6
1.6. Synopsis 7
2. Related Work 8
2.1. Transparent Malware Analysis System 8
2.2. Detection of VM-Aware Malware 9
3. Proposed Scheme 10
3.1. Formalization of Program Behaviors 10
3.2. Definition of Code Coverage Divergence Points 11
3.3. Construction of Code Coverage Trace 11
3.4. Divergence Point Locator 13
3.5. Correctness of Divergence Point Locator 15
4. Implementation 18
4.1. Selection of Execution Environments 18
4.2. Basic Block Recorder 19
5. Evaluation 21
5.1. Correctness 21
5.2. Performance 25
5.3. Discussion 27
6. Conclusion 31
7. References 33
