
V2E

Lok-Kwong Yan, Manjukumar Jayachandra, Mu Zhang, Heng Yin
2012 SIGPLAN Notices
However, analysis platforms based on software emulation can be easily detected by malware and thus are poor in transparency.  ...  We implemented a prototype called V2E and demonstrated its capability and efficiency by conducting an extensive evaluation with both synthetic samples and 14 real-world emulation-resistant malware samples  ...  This work is supported in part by the US National Science Foundation NSF under Grants #1018217 and #1054605.  ... 
doi:10.1145/2365864.2151053 fatcat:prewg6rsqjcfdnopzc2yqjh7hi

V2E

Lok-Kwong Yan, Manjukumar Jayachandra, Mu Zhang, Heng Yin
2012 Proceedings of the 8th ACM SIGPLAN/SIGOPS conference on Virtual Execution Environments - VEE '12
However, analysis platforms based on software emulation can be easily detected by malware and thus are poor in transparency.  ...  We implemented a prototype called V2E and demonstrated its capability and efficiency by conducting an extensive evaluation with both synthetic samples and 14 real-world emulation-resistant malware samples  ...  This work is supported in part by the US National Science Foundation NSF under Grants #1018217 and #1054605.  ... 
doi:10.1145/2151024.2151053 dblp:conf/vee/YanJZY12 fatcat:clvisndmw5g2da2gtbyzfcadd4

Defeating Anti-Debugging Techniques for Malware Analysis Using a Debugger

Jong-Wouk Kim, Jiwon Bang, Mi-Jung Choi
2020 Advances in Science, Technology and Engineering Systems
Anti-debugging, one way to protect malware, is a deadly poison to malware analysts because it makes the analysis more difficult by detecting a debugger or debugging environments.  ...  It applies its findings to analyze a sample program, packed files, and actual malware with anti-debugging modules and performs various experiments to verify the proposed techniques.  ...  It analyzed 6,222 samples of malware and studied how malicious behaviors differed in an environment with virtualization and a debugger [9].  ... 
doi:10.25046/aj0506142 fatcat:zh6evvbeijaptga7n5d2uodhla

Ether

Artem Dinaburg, Paul Royal, Monirul Sharif, Wenke Lee
2008 Proceedings of the 15th ACM conference on Computer and communications security - CCS '08
Our experiments are based on our study of obfuscation techniques used to create 25,000 recent malware samples.  ...  The focal point in the malware analysis battle is how to detect versus how to hide a malware analyzer from malware during runtime.  ...  Additional thanks go to Robert Edmonds for his assistance in performing the malware survey and CERT-LEXSI for providing us with the in-the-wild malware sample that checks for the presence of emulated hardware  ... 
doi:10.1145/1455770.1455779 dblp:conf/ccs/DinaburgRSL08 fatcat:rhhdc34d3zfbvpkutd6wajooyy

Malware Guard Extension: Using SGX to Conceal Cache Attacks [article]

Michael Schwarz, Clémentine Maurice
2019 arXiv pre-print
We perform a Prime+Probe cache side-channel attack on a co-located SGX enclave running an up-to-date RSA implementation that uses a constant-time multiplication primitive.  ...  In modern computer systems, user processes are isolated from each other by the operating system and the hardware.  ...  Executing arithmetic operations directly on the memory location is thus not an option anymore, and it is necessary to perform any operation with data dependency on a CPU register.  ... 
arXiv:1702.08719v3 fatcat:hg3li6yqrfemphsdb4jngbg6cm

Emulating emulation-resistant malware

Min Gyung Kang, Heng Yin, Steve Hanna, Stephen McCamant, Dawn Song
2009 Proceedings of the 1st ACM workshop on Virtual machine security - VMSec '09
The authors of malware attempt to frustrate reverse engineering and analysis by creating programs that crash or otherwise behave differently when executed on an emulated platform than when executed on  ...  We evaluate our technique by building an implementation into an emulator used for in-depth malware analysis.  ...  First, the malware measures the amount of time some operation requires by asking for the time before and after performing the operation.  ... 
doi:10.1145/1655148.1655151 fatcat:u5bv4nxgvbcoxhg2zv7tarutzq

HyperDbg: Reinventing Hardware-Assisted Debugging [article]

Mohammad Sina Karvandi, MohammadHossein Gholamrezaei, Saleh Khalaj Monfared, Suorush Medi, Behrooz Abbassi, Ali Amini, Reza Mortazavi, Saeid Gorgin, Dara Rahmati, Michael Schwarz
2022 arXiv pre-print
To accomplish this, HyperDbg relies on state-of-the-art hardware features available in today's CPUs, such as VT-x and extended page tables.  ...  In contrast to other widely used existing debuggers, we design HyperDbg using a custom hypervisor, making it independent of OS functionality or API.  ...  kernel modules, disk devices, BIOS memory, and measurement of CPU ticks using RDTSC.  ... 
arXiv:2207.05676v1 fatcat:2u2ufrmfmveg7dscvf7q3zvjae

Using Hardware Features for Increased Debugging Transparency

Fengwei Zhang, Kevin Leach, Angelos Stavrou, Haining Wang, Kun Sun
2015 IEEE Symposium on Security and Privacy
In this paper, we present MALT, a debugging framework that employs System Management Mode, a CPU mode in the x86 architecture, to transparently study armored malware.  ...  Advanced malware analysis relies on virtualization or emulation technology to run samples in a confined environment, and to analyze malicious activities by instrumenting code execution.  ...  This work is supported by the National Science Foundation Grant No.  ... 
doi:10.1109/sp.2015.11 dblp:conf/sp/ZhangLSWS15 fatcat:lv7hxrffiffn7bcdsy6oxuicq4

IntroLib: Efficient and transparent library call introspection for malware forensics

Zhui Deng, Dongyan Xu, Xiangyu Zhang, Xuxiang Jiang
2012 Digital Investigation. The International Journal of Digital Forensics and Incident Response
In this paper, we present IntroLib, a practical tool that traces user-level library calls made by malware with low overhead and high transparency.  ...  Our evaluation of an IntroLib prototype with 93 real-world malware samples shows that IntroLib is immune to emulation and API hooking detection by malware, uncovers more semantic information about malware  ...  This research was supported, in part, by  ... 
doi:10.1016/j.diin.2012.05.013 fatcat:ykyoildsc5fcdk3vng6frgziwi

Fast and Furious: Outrunning Windows Kernel Notification Routines from User-Mode [chapter]

Pierre Ciholas, Jose Miguel Such, Angelos K. Marnerides, Benjamin Green, Jiajie Zhang, Utz Roedig
2020 Lecture Notes in Computer Science
Finally we provide recommendations on how to address the discovered vulnerability.  ...  Our study shows that this flaw can be exploited by a method to (i) disable the anti-malware suite Symantec Endpoint Protection; (ii) overtake VirtualBox protected processes; (iii) circumvent two major  ...  We have measured using 3 methods: (1) using the RDTSC (Read Timestamp Counter) CPU instruction to get a number of CPU cycles, (2) QueryPerformanceCounter, which is a Microsoft supplied high resolution  ... 
doi:10.1007/978-3-030-52683-2_4 fatcat:cdgstziufnbethzr7o3mjx5ynq

On the Dissection of Evasive Malware

Daniele Cono D'Elia, Emilio Coppa, Federico Palmaro, Lorenzo Cavallaro
2020 IEEE Transactions on Information Forensics and Security
If citing, it is advised that you check and use the publisher's definitive version for pagination, volume/issue, and date of publication details.  ...  And where the final published version is provided on the Research Portal, if citing you are again advised to check the publisher's website for any subsequent corrections.  ...  This work is supported in part by a grant of the Italian Presidency of the Council of Ministers. We report the code in §A from the supplementary material.  ... 
doi:10.1109/tifs.2020.2976559 fatcat:v7eaj2fskbfyndi5m4c5c2yqra

Malware Guard Extension: abusing Intel SGX to conceal cache attacks

Michael Schwarz, Samuel Weiser, Daniel Gruss, Clémentine Maurice, Stefan Mangard
2020 Cybersecurity
We perform a Prime+Probe cache side-channel attack on a co-located SGX enclave running an up-to-date RSA implementation that uses a constant-time multiplication primitive.  ...  In modern computer systems, user processes are isolated from each other by the operating system and the hardware.  ...  Executing arithmetic operations directly on the memory location is thus not an option anymore, and it is necessary to perform any operation with data dependency on a CPU register.  ... 
doi:10.1186/s42400-019-0042-y fatcat:jxhbzrlzlveqjm4h7iuwrniltm

Towards Transparent Introspection

Kevin Leach, Chad Spensky, Westley Weimer, Fengwei Zhang
2016 IEEE 23rd International Conference on Software Analysis, Evolution, and Reengineering (SANER)
Our approach uses hardware-assisted live memory snapshots of process execution on native targets (e.g., x86 processors), coupled with static reasoning about programs.  ...  Finally, we present results of a human study in which 30 participants performed debugging tasks using information provided by our approach; our tool was as useful as a gdb baseline, but applies transparently  ...  Human Study Protocol: The goal of our human study is to measure how well humans can perform debugging and maintenance tasks when supported by HOPS, exploring our first use case, the maintenance analysis  ... 
doi:10.1109/saner.2016.25 dblp:conf/wcre/LeachSWZ16 fatcat:mtu3vql4dbaexoe5y476tkplyq

Measuring and Defeating Anti-Instrumentation-Equipped Malware [chapter]

Mario Polino, Andrea Continella, Sebastiano Mariani, Stefano D'Alessio, Lorenzo Fontana, Fabio Gritti, Stefano Zanero
2017 Lecture Notes in Computer Science
We studied the common techniques used by malware to detect the presence of a DBI tool, and we proposed a set of countermeasures to address them.  ...  Armed with it, we perform the first large-scale measurement of the anti-instrumentation techniques employed by modern malware.  ...  We would also like to thank Alessandro Frossi for his insightful feedback and VirusTotal for providing us access to malware samples. This work was supported in part by the MIUR FACE Project No.  ... 
doi:10.1007/978-3-319-60876-1_4 fatcat:5f6o3xijpbeyjgolql7y5gswdm

VIPER

Yanlin Li, Jonathan M. McCune, Adrian Perrig
2011 Proceedings of the 18th ACM conference on Computer and communications security - CCS '11
We implement our scheme using a Netgear GA620 network adapter in an x86 PC, and evaluate our system with known attacks.  ...  Recent research demonstrates that malware can infect peripherals' firmware in a typical x86 computer system, e.g., by exploiting vulnerabilities in the firmware itself or in the firmware update tools.  ...  This research was supported in part by CyLab at Carnegie Mellon under grants DAAD19-02-1-0389, MURI W 911 NF 0710287, and W911NF-09-1-0273 from the Army Research Office, and by a gift from Lockheed Martin  ... 
doi:10.1145/2046707.2046711 dblp:conf/ccs/LiMP11 fatcat:bplnrs7l2jh65emeq43vkdbrni