Mitigating the Evasion of Dynamic Binary Instrumenters
Abstract
This paper presents countermeasures against the latest analysis-aware evasion techniques used against Dynamic Binary Instrumentation (DBI). They rely on features of the Intel Pin instrumenter to preserve the transparency of the analyses. An evaluation of the proposed countermeasures against the techniques regarded as the state of the art was carried out. The existing limitations and the future of this work are also presented.
Published
06/11/2017
How to Cite
SANTOS FILHO, Ailton; ALVES, Arthur Binda; VIEIRA, Isaque; FEITOSA, Eduardo L. Mitigando a Evasão de Instrumentadores Binários Dinâmicos. In: SIMPÓSIO BRASILEIRO DE SEGURANÇA DA INFORMAÇÃO E DE SISTEMAS COMPUTACIONAIS (SBSEG), 17., 2017, Brasília. Anais [...]. Porto Alegre: Sociedade Brasileira de Computação, 2017. p. 479-486. DOI: https://doi.org/10.5753/sbseg.2017.19521.