Mitigating the Evasion of Dynamic Binary Instrumentation Tools (Mitigando a Evasão de Instrumentadores Binários Dinâmicos)

  • Ailton Santos Filho, UFAM
  • Arthur Binda Alves, UFAM
  • Isaque Vieira, UFAM
  • Eduardo L. Feitosa, UFAM

Abstract

This paper presents countermeasures against the most recent evasion techniques targeting Dynamic Binary Instrumentation (DBI). The countermeasures use features of the Intel Pin instrumentation tool to keep the analysis transparent to the instrumented program. The proposed countermeasures were evaluated in comparison with state-of-the-art techniques. The current limitations of this work and directions for future work are also presented.

Published: 2017-11-06

How to cite: SANTOS FILHO, Ailton; ALVES, Arthur Binda; VIEIRA, Isaque; FEITOSA, Eduardo L. Mitigando a Evasão de Instrumentadores Binários Dinâmicos. In: BRAZILIAN SYMPOSIUM ON CYBERSECURITY (SBSEG), 17., 2017, Brasília. Anais [...]. Porto Alegre: Sociedade Brasileira de Computação, 2017. p. 479-486. DOI: https://doi.org/10.5753/sbseg.2017.19521.
