Reducing the Attack Surface of Dynamic Binary Instrumentation Frameworks (Reduzindo a Superfície de Ataque dos Frameworks de Instrumentação Binária Dinâmica)

  • Ailton dos Santos Filho, UFAM
  • Eduardo Feitosa, UFAM

Abstract

This work proposes techniques to mitigate anti-instrumentation techniques, in particular those that exploit the increase in attack surface produced by dynamic binary instrumentation (DBI) tools and that allow attacks such as arbitrary code execution. Proofs of concept were developed and tested in a controlled environment against a common set of anti-instrumentation techniques. As a result, it is argued that it is possible to reduce the exploitable attack surface of DBI tools by mitigating anti-instrumentation techniques.

Published
2019-09-02
DOS SANTOS FILHO, Ailton; FEITOSA, Eduardo. Reduzindo a Superfície de Ataque dos Frameworks de Instrumentação Binária Dinâmica. In: BRAZILIAN SYMPOSIUM ON INFORMATION AND COMPUTATIONAL SYSTEMS SECURITY (SBSEG), 19., 2019, São Paulo. Anais [...]. Porto Alegre: Sociedade Brasileira de Computação, 2019. p. 253-266. DOI: https://doi.org/10.5753/sbseg.2019.13976.
