A novel dynamic analysis infrastructure to instrument untrusted execution flow across user-kernel spaces
Code instrumentation and hardware-based event trapping are two primary approaches used in dynamic malware analysis systems. In this paper, we propose a new approach called Execution Flow Instrumentation (EFI) where the analyzer execution flow is interleaved with the target flow in user- and kernel-mode, at junctures flexibly chosen by the analyzer at runtime. We also propose OASIS as the system infrastructure to realize EFI with the virtues of the current two approaches but without their drawbacks. Despite being securely and transparently isolated from the target, the analyzer introspects and controls it in the same native way as instrumentation code. We have implemented a prototype of OASIS and rigorously evaluated it with various experiments including performance and anti-analysis benchmark tests. We have also conducted two EFI case studies. The first is a cross-space control flow tracer and the second includes two EFI tools working in tandem with Google Syzkaller. One tool makes a dynamic postmortem analysis according to a kernel crash report; the other explores the behavior of a malicious kernel-space device driver which evades Syzkaller logging. The studies show that EFI analyzers are well-suited for fine-grained on-demand dynamic analysis of a malicious thread in user or kernel mode. It is easy to develop agile EFI tools as they are user-space programs.
Saved in:

Field | Value
---|---
Main Authors | HONG, Jiaqi; DING, Xuhua
Format | text
Language | English
Published | Institutional Knowledge at Singapore Management University, 2021
Subjects | Information Security
Online Access | https://ink.library.smu.edu.sg/sis_research/5610 ; https://ink.library.smu.edu.sg/context/sis_research/article/6613/viewcontent/PID6498953.pdf
Institution | Singapore Management University
Record fields:

Field | Value
---|---
id | sg-smu-ink.sis_research-6613
record_format | dspace
record_timestamp | 2021-01-07T13:50:31Z
title | A novel dynamic analysis infrastructure to instrument untrusted execution flow across user-kernel spaces
author | HONG, Jiaqi; DING, Xuhua
author_sort | HONG, Jiaqi
description | Code instrumentation and hardware-based event trapping are two primary approaches used in dynamic malware analysis systems. In this paper, we propose a new approach called Execution Flow Instrumentation (EFI) where the analyzer execution flow is interleaved with the target flow in user- and kernel-mode, at junctures flexibly chosen by the analyzer at runtime. We also propose OASIS as the system infrastructure to realize EFI with the virtues of the current two approaches but without their drawbacks. Despite being securely and transparently isolated from the target, the analyzer introspects and controls it in the same native way as instrumentation code. We have implemented a prototype of OASIS and rigorously evaluated it with various experiments including performance and anti-analysis benchmark tests. We have also conducted two EFI case studies. The first is a cross-space control flow tracer and the second includes two EFI tools working in tandem with Google Syzkaller. One tool makes a dynamic postmortem analysis according to a kernel crash report; the other explores the behavior of a malicious kernel-space device driver which evades Syzkaller logging. The studies show that EFI analyzers are well-suited for fine-grained on-demand dynamic analysis of a malicious thread in user or kernel mode. It is easy to develop agile EFI tools as they are user-space programs.
topic | Information Security
format | text (application/pdf)
publisher | Institutional Knowledge at Singapore Management University
publishDate | 2021 (2021-05-01T07:00:00Z)
doi | 10.1109/SP40001.2021.00024
license | http://creativecommons.org/licenses/by-nc-nd/4.0/
collection | Research Collection School Of Computing and Information Systems; InK@SMU
institution | Singapore Management University
building | SMU Libraries
content_provider | SMU Libraries
continent | Asia
country | Singapore
language | English (eng)
url | https://ink.library.smu.edu.sg/sis_research/5610 ; https://ink.library.smu.edu.sg/context/sis_research/article/6613/viewcontent/PID6498953.pdf
_version_ | 1770575529622110208