SlideShare a Scribd company logo

Hardware-Assisted Malware Analysis

Marcus Botacin
Marcus Botacin

Short Presentation on SBSEG'18 Trabalho premiado como melhor dissertação de mestrado durante o SBSEG2018.

Science
1 of 42
Download to read offline
Introduction Hardware-Assisted Solutions My Proposal Conclusions Hardware-Assisted Malware Analysis Marcus Botacin1, Andr´e Gr´egio3, Paulo L´ıcio de Geus2 1Msc. Computer Science Institute of Computing - UNICAMP marcus@lasca.ic.unicamp.br 2Advisor Institute of Computing - UNICAMP paulo@lasca.ic.unicamp.br 3Co-Advisor Federal University of Paran´a (UFPR) gregio@inf.ufpr.br CTD - SBSEG Hardware-Assisted Malware Analysis IC-UNICAMP
Introduction Hardware-Assisted Solutions My Proposal Conclusions Topics 1 Introduction The Problem The Solution The Challenges 2 Hardware-Assisted Solutions The Benefits A Summary 3 My Proposal Background Developments 4 Conclusions Remarks Future Work Publications Hardware-Assisted Malware Analysis IC-UNICAMP
Introduction Hardware-Assisted Solutions My Proposal Conclusions The Problem Topics 1 Introduction The Problem The Solution The Challenges 2 Hardware-Assisted Solutions The Benefits A Summary 3 My Proposal Background Developments 4 Conclusions Remarks Future Work Publications Hardware-Assisted Malware Analysis IC-UNICAMP
Introduction Hardware-Assisted Solutions My Proposal Conclusions The Problem Malware Threats. Figure: Washington Post: https://tinyurl.com/ljo7ekm Figure: BBC: https://tinyurl.com/mfogjhe Hardware-Assisted Malware Analysis IC-UNICAMP
Introduction Hardware-Assisted Solutions My Proposal Conclusions The Solution Topics 1 Introduction The Problem The Solution The Challenges 2 Hardware-Assisted Solutions The Benefits A Summary 3 My Proposal Background Developments 4 Conclusions Remarks Future Work Publications Hardware-Assisted Malware Analysis IC-UNICAMP
Introduction Hardware-Assisted Solutions My Proposal Conclusions The Solution Malware Analysis. Figure: Imperva: https://tinyurl.com/zkbsnl2 Figure: Enigma: https://tinyurl.com/kydgwve Hardware-Assisted Malware Analysis IC-UNICAMP
Introduction Hardware-Assisted Solutions My Proposal Conclusions The Challenges Topics 1 Introduction The Problem The Solution The Challenges 2 Hardware-Assisted Solutions The Benefits A Summary 3 My Proposal Background Developments 4 Conclusions Remarks Future Work Publications Hardware-Assisted Malware Analysis IC-UNICAMP
Introduction Hardware-Assisted Solutions My Proposal Conclusions The Challenges The Challenges. Figure: Themerkle: https://tinyurl.com/kasuxcr Figure: Forbes: https://tinyurl.com/l7ecrex Hardware-Assisted Malware Analysis IC-UNICAMP
Introduction Hardware-Assisted Solutions My Proposal Conclusions The Challenges How to stop analysis? Table: Anti-Analysis: Tricks summary. Malware samples may employ multiple techniques to evade distinct analysis procedures. Technique Description Reason Implementation Anti Check if running Blocks reverse Fingerprinting Debug inside a debugger engineering attempts Anti Check if running Analysts use VMs Execution VM inside a VM for scalability Side-effect Anti Fool disassemblers AV signatures may Undecidable Disassembly to generate wrong opcodes be based on opcodes Constructions Hardware-Assisted Malware Analysis IC-UNICAMP
Introduction Hardware-Assisted Solutions My Proposal Conclusions The Challenges And then... Figure: Commercial solution armored with anti-debug technique. Hardware-Assisted Malware Analysis IC-UNICAMP
Introduction Hardware-Assisted Solutions My Proposal Conclusions The Challenges And then... Figure: Real malware impersonating a secure solution which cannot run under an hypervisor. Hardware-Assisted Malware Analysis IC-UNICAMP
Introduction Hardware-Assisted Solutions My Proposal Conclusions The Benefits Topics 1 Introduction The Problem The Solution The Challenges 2 Hardware-Assisted Solutions The Benefits A Summary 3 My Proposal Background Developments 4 Conclusions Remarks Future Work Publications Hardware-Assisted Malware Analysis IC-UNICAMP
Introduction Hardware-Assisted Solutions My Proposal Conclusions The Benefits Transparency 1 Higher privileged. 2 No non-privileged side-effects. 3 Identical Basic Instruction Semantics. 4 Transparent Exception Handling. 5 Identical Measurement of Time. Hardware-Assisted Malware Analysis IC-UNICAMP
Introduction Hardware-Assisted Solutions My Proposal Conclusions A Summary Topics 1 Introduction The Problem The Solution The Challenges 2 Hardware-Assisted Solutions The Benefits A Summary 3 My Proposal Background Developments 4 Conclusions Remarks Future Work Publications Hardware-Assisted Malware Analysis IC-UNICAMP
Introduction Hardware-Assisted Solutions My Proposal Conclusions A Summary A Survey Table: Hardware features. Technique PROS CONS Gaps HVM Ring -1 Hypervisor High development overhead SMM Ring -2 BIOS High development implementation cost AMT Ring -3 Chipset No malware code change analysis solution HPCs Lightweight Context-limited No malware information analysis solution GPU Easy to program No register No introspection data procedures TSX Commit-based Store only Overcome the few KB KB barrier SGX Isolates goodware Also isolates No enclave malware inspection SOCs Tamper-proof Passive Raise alarms components Hardware-Assisted Malware Analysis IC-UNICAMP
Introduction Hardware-Assisted Solutions My Proposal Conclusions Background Topics 1 Introduction The Problem The Solution The Challenges 2 Hardware-Assisted Solutions The Benefits A Summary 3 My Proposal Background Developments 4 Conclusions Remarks Future Work Publications Hardware-Assisted Malware Analysis IC-UNICAMP
Introduction Hardware-Assisted Solutions My Proposal Conclusions Background Branch Monitors Figure: Branch Stack. Hardware-Assisted Malware Analysis IC-UNICAMP
Introduction Hardware-Assisted Solutions My Proposal Conclusions Developments Topics 1 Introduction The Problem The Solution The Challenges 2 Hardware-Assisted Solutions The Benefits A Summary 3 My Proposal Background Developments 4 Conclusions Remarks Future Work Publications Hardware-Assisted Malware Analysis IC-UNICAMP
Introduction Hardware-Assisted Solutions My Proposal Conclusions Developments Proposed Framework Figure: Proposed framework architecture. Hardware-Assisted Malware Analysis IC-UNICAMP
Introduction Hardware-Assisted Solutions My Proposal Conclusions Developments Could I develop a performance-counter-based malware analyzer? Could I isolate processes’ actions? Figure: Data Storage (DS) AREA. Hardware-Assisted Malware Analysis IC-UNICAMP
Introduction Hardware-Assisted Solutions My Proposal Conclusions Developments Could I develop a performance-counter-based malware analyzer? Is CG reconstruction possible? Table: ASLR - Library placement after two consecutive reboots. Library NTDLL KERNEL32 KERNELBASE Address 1 0xBAF80000 0xB9610000 0xB8190000 Address 2 0x987B0000 0x98670000 0x958C0000 Hardware-Assisted Malware Analysis IC-UNICAMP
Introduction Hardware-Assisted Solutions My Proposal Conclusions Developments Could I develop a performance-counter-based malware analyzer? Is CG reconstruction possible? Table: Function Offsets from ntdll.dll library. Function Offset NtCreateProcess 0x3691 NtCreateProcessEx 0x30B0 NtCreateProfile 0x36A1 NtCreateResourceManager 0x36C1 NtCreateSemaphore 0x36D1 NtCreateSymbolicLinkObject 0x36E1 NtCreateThread 0x30C0 NtCreateThreadEx 0x36F1 Hardware-Assisted Malware Analysis IC-UNICAMP
Introduction Hardware-Assisted Solutions My Proposal Conclusions Developments Could I develop a performance-counter-based malware analyzer? Is CG reconstruction possible? Figure: Introspection Mechanism. Hardware-Assisted Malware Analysis IC-UNICAMP
Introduction Hardware-Assisted Solutions My Proposal Conclusions Developments Could I develop a performance-counter-based malware analyzer? Is CG reconstruction possible? _lock_file+0x90printf+0xe3__iob_funcprintf+0xcaprintfNewToy Figure: Step Into. scanf+0x3f NewToy printf Figure: Step Over. Hardware-Assisted Malware Analysis IC-UNICAMP
Introduction Hardware-Assisted Solutions My Proposal Conclusions Developments Could I retrieve all executed functions ? Is CFG reconstruction possible? Figure: Code block identification. Hardware-Assisted Malware Analysis IC-UNICAMP
Introduction Hardware-Assisted Solutions My Proposal Conclusions Developments Could I retrieve all executed functions ? Is CFG reconstruction possible? Figure: it is possible to reconstruct the whole execution flow. Hardware-Assisted Malware Analysis IC-UNICAMP
Introduction Hardware-Assisted Solutions My Proposal Conclusions Developments Is the final solution transparent? Deviating Behavior Figure: Deviating behavior identification. Hardware-Assisted Malware Analysis IC-UNICAMP
Introduction Hardware-Assisted Solutions My Proposal Conclusions Developments Is the final solution transparent? Deviating Behavior Figure: Divergence: True Positive. Figure: Divergence: False Positive. Hardware-Assisted Malware Analysis IC-UNICAMP
Introduction Hardware-Assisted Solutions My Proposal Conclusions Developments Could I develop a Debugger? Inverted I/O Figure: Debugger’s working mechanism. Hardware-Assisted Malware Analysis IC-UNICAMP
Introduction Hardware-Assisted Solutions My Proposal Conclusions Developments Could I develop a Debugger? Integration Figure: GDB integration. Hardware-Assisted Malware Analysis IC-UNICAMP
Introduction Hardware-Assisted Solutions My Proposal Conclusions Developments Does the solution handle ROP attacks? ROP Attacks Figure: ROP chain example. Hardware-Assisted Malware Analysis IC-UNICAMP
Introduction Hardware-Assisted Solutions My Proposal Conclusions Developments Does the solution handle ROP attacks? CALL-RET Policy Figure: CALL-RET CFI policy. Hardware-Assisted Malware Analysis IC-UNICAMP
Introduction Hardware-Assisted Solutions My Proposal Conclusions Developments Does the solution handle ROP attacks? Exploit Analysis Table: Excerpt of the branch window of the ROP payload. FROM TO —- 0x7c346c0a 0x7c346c0b 0x7c37a140 0x7c37a141 —- Hardware-Assisted Malware Analysis IC-UNICAMP
Introduction Hardware-Assisted Solutions My Proposal Conclusions Developments Does the solution handle ROP attacks? Exploit Analysis Listing 1: Static disassembly of the MSVCR71.dll library. 1 7 c346c08 : f2 0 f 58 c3 addsd %xmm3,%xmm0 2 7 c346c0c : 66 0 f 13 44 24 04 movlpd %xmm0,0 x4(%esp ) Listing 2: Dynamic disassembly of the MSVC71.dll executed code. 1 0x1000 ( s i z e =1) pop rax 2 0x1001 ( s i z e =1) r e t Hardware-Assisted Malware Analysis IC-UNICAMP
Introduction Hardware-Assisted Solutions My Proposal Conclusions Remarks Topics 1 Introduction The Problem The Solution The Challenges 2 Hardware-Assisted Solutions The Benefits A Summary 3 My Proposal Background Developments 4 Conclusions Remarks Future Work Publications Hardware-Assisted Malware Analysis IC-UNICAMP
Introduction Hardware-Assisted Solutions My Proposal Conclusions Remarks Lessons learned Transparency is essential. Hardware-assisted approaches may fulfill transparency requirements. There are open problems on hardware monitoring. Security, performance, and development efforts as trade-offs (really?). Performance monitors as lightweight alternatives. Hardware-Assisted Malware Analysis IC-UNICAMP
Introduction Hardware-Assisted Solutions My Proposal Conclusions Future Work Topics 1 Introduction The Problem The Solution The Challenges 2 Hardware-Assisted Solutions The Benefits A Summary 3 My Proposal Background Developments 4 Conclusions Remarks Future Work Publications Hardware-Assisted Malware Analysis IC-UNICAMP
Introduction Hardware-Assisted Solutions My Proposal Conclusions Future Work And now? Multi-core monitor. Linux Monitor. Malware clustering. Hardware-Assisted Malware Analysis IC-UNICAMP
Introduction Hardware-Assisted Solutions My Proposal Conclusions Publications Topics 1 Introduction The Problem The Solution The Challenges 2 Hardware-Assisted Solutions The Benefits A Summary 3 My Proposal Background Developments 4 Conclusions Remarks Future Work Publications Hardware-Assisted Malware Analysis IC-UNICAMP
Introduction Hardware-Assisted Solutions My Proposal Conclusions Publications Main Papers Who watches the watchmen: A security-focused review on current state-of-the-art techniques, tools and methods for systems and binary analysis on modern platforms—ACM Computing Surveys (A1). Enhancing Branch Monitoring for Security Purposes: From Control Flow Integrity to Malware Analysis and Debugging—ACM Transactions on Privacy and Security (A2). The other guys: automated analysis of marginalized malware—Journal of Computer Virology and Hacking techniques (B1). Hardware-Assisted Malware Analysis IC-UNICAMP
Introduction Hardware-Assisted Solutions My Proposal Conclusions Publications Solution’s Availability Figure: Solution’s Availability. Solution is public on github. https://github.com/marcusbotacin/BranchMonitoringProject Hardware-Assisted Malware Analysis IC-UNICAMP
Introduction Hardware-Assisted Solutions My Proposal Conclusions Publications Questions ? Contact marcus@lasca.ic.unicamp.br mfbotacin@inf.ufpr.br Hardware-Assisted Malware Analysis IC-UNICAMP

Recommended

Icsoc12 tooldemo.ppt
Icsoc12 tooldemo.pptIcsoc12 tooldemo.ppt
Icsoc12 tooldemo.ppt
Ptidej Team
 
Ssbse12b.ppt
Ssbse12b.pptSsbse12b.ppt
Ssbse12b.ppt
Ptidej Team
 
The Impact of Mislabelling on the Performance and Interpretation of Defect Pr...
The Impact of Mislabelling on the Performance and Interpretation of Defect Pr...The Impact of Mislabelling on the Performance and Interpretation of Defect Pr...
The Impact of Mislabelling on the Performance and Interpretation of Defect Pr...
Chakkrit (Kla) Tantithamthavorn
 
Tlc
TlcTlc
Tlc
Dhanasekaran Nagarajan
 
Análise de malware com suporte de hardware
Análise de malware com suporte de hardwareAnálise de malware com suporte de hardware
Análise de malware com suporte de hardware
Marcus Botacin
 
Monitoring Systems & Binaries
Monitoring Systems & BinariesMonitoring Systems & Binaries
Monitoring Systems & Binaries
Marcus Botacin
 
On the Malware Detection Problem: Challenges & Novel Approaches
On the Malware Detection Problem: Challenges & Novel ApproachesOn the Malware Detection Problem: Challenges & Novel Approaches
On the Malware Detection Problem: Challenges & Novel Approaches
Marcus Botacin
 
The Good the Bad and the Ugly of Dealing with Smelly Code (ITAKE Unconference)
The Good the Bad and the Ugly of Dealing with Smelly Code (ITAKE Unconference)The Good the Bad and the Ugly of Dealing with Smelly Code (ITAKE Unconference)
The Good the Bad and the Ugly of Dealing with Smelly Code (ITAKE Unconference)
Radu Marinescu
 

Recommended

Icsoc12 tooldemo.ppt
Icsoc12 tooldemo.pptIcsoc12 tooldemo.ppt
Icsoc12 tooldemo.ppt
Ptidej Team
 
Ssbse12b.ppt
Ssbse12b.pptSsbse12b.ppt
Ssbse12b.ppt
Ptidej Team
 
The Impact of Mislabelling on the Performance and Interpretation of Defect Pr...
The Impact of Mislabelling on the Performance and Interpretation of Defect Pr...The Impact of Mislabelling on the Performance and Interpretation of Defect Pr...
The Impact of Mislabelling on the Performance and Interpretation of Defect Pr...
Chakkrit (Kla) Tantithamthavorn
 
Tlc
TlcTlc
Tlc
Dhanasekaran Nagarajan
 
Análise de malware com suporte de hardware
Análise de malware com suporte de hardwareAnálise de malware com suporte de hardware
Análise de malware com suporte de hardware
Marcus Botacin
 
Monitoring Systems & Binaries
Monitoring Systems & BinariesMonitoring Systems & Binaries
Monitoring Systems & Binaries
Marcus Botacin
 
On the Malware Detection Problem: Challenges & Novel Approaches
On the Malware Detection Problem: Challenges & Novel ApproachesOn the Malware Detection Problem: Challenges & Novel Approaches
On the Malware Detection Problem: Challenges & Novel Approaches
Marcus Botacin
 
The Good the Bad and the Ugly of Dealing with Smelly Code (ITAKE Unconference)
The Good the Bad and the Ugly of Dealing with Smelly Code (ITAKE Unconference)The Good the Bad and the Ugly of Dealing with Smelly Code (ITAKE Unconference)
The Good the Bad and the Ugly of Dealing with Smelly Code (ITAKE Unconference)
Radu Marinescu
 
Near-memory & In-Memory Detection of Fileless Malware
Near-memory & In-Memory Detection of Fileless MalwareNear-memory & In-Memory Detection of Fileless Malware
Near-memory & In-Memory Detection of Fileless Malware
Marcus Botacin
 
Machine programming
Machine programmingMachine programming
Machine programming
DESMOND YUEN
 
LC Chen Presentation at Icinga Camp 2015 Kuala Lumpur
LC Chen Presentation at Icinga Camp 2015 Kuala LumpurLC Chen Presentation at Icinga Camp 2015 Kuala Lumpur
LC Chen Presentation at Icinga Camp 2015 Kuala Lumpur
Icinga
 
Good Security Starts with Software Assurance - Software Assurance Market Plac...
Good Security Starts with Software Assurance - Software Assurance Market Plac...Good Security Starts with Software Assurance - Software Assurance Market Plac...
Good Security Starts with Software Assurance - Software Assurance Market Plac...
Phil Agcaoili
 
stackconf 2023 | Continuous Deployment Workflows by Marco Otto-Witte.pdf
stackconf 2023 | Continuous Deployment Workflows by Marco Otto-Witte.pdfstackconf 2023 | Continuous Deployment Workflows by Marco Otto-Witte.pdf
stackconf 2023 | Continuous Deployment Workflows by Marco Otto-Witte.pdf
NETWAYS
 
Biomedcompcenter. Main Projects
Biomedcompcenter. Main ProjectsBiomedcompcenter. Main Projects
Biomedcompcenter. Main Projects
Turlapov
 
Would Static Analysis Tools Help Developers with Code Reviews?
Would Static Analysis Tools Help Developers with Code Reviews?Would Static Analysis Tools Help Developers with Code Reviews?
Would Static Analysis Tools Help Developers with Code Reviews?
Sebastiano Panichella
 
se01.ppt
se01.pptse01.ppt
se01.ppt
xiso
 
Spm unit1
Spm unit1Spm unit1
Spm unit1
Naga Dinesh
 
How to Fix Hundreds of Bugs in Legacy Code and Not Die (Unreal Engine 4)
How to Fix Hundreds of Bugs in Legacy Code and Not Die (Unreal Engine 4)How to Fix Hundreds of Bugs in Legacy Code and Not Die (Unreal Engine 4)
How to Fix Hundreds of Bugs in Legacy Code and Not Die (Unreal Engine 4)
Andrey Karpov
 
IRJET - Automatic Methods for Classi?cation of Plant Diseases using Back...
IRJET - Automatic Methods for Classi?cation of Plant Diseases using Back...IRJET - Automatic Methods for Classi?cation of Plant Diseases using Back...
IRJET - Automatic Methods for Classi?cation of Plant Diseases using Back...
IRJET Journal
 
Big Data Science - hype?
Big Data Science - hype?Big Data Science - hype?
Big Data Science - hype?
BalaBit
 
SE-Lecture1.ppt
SE-Lecture1.pptSE-Lecture1.ppt
SE-Lecture1.ppt
vishal choudhary
 
MAJOR PROJECT
MAJOR PROJECT MAJOR PROJECT
MAJOR PROJECT
sandeep amaravadi
 
Opencv
OpencvOpencv
Opencv
Ethishkumar
 
LinkedIn CyberSecurity Presentation
LinkedIn CyberSecurity PresentationLinkedIn CyberSecurity Presentation
LinkedIn CyberSecurity Presentation
Ben Berg
 
Software Analytics: Data Analytics for Software Engineering and Security
Software Analytics: Data Analytics for Software Engineering and SecuritySoftware Analytics: Data Analytics for Software Engineering and Security
Software Analytics: Data Analytics for Software Engineering and Security
Tao Xie
 
Unit 1.ppt
Unit 1.pptUnit 1.ppt
Unit 1.ppt
MsRAMYACSE
 
Iwsm2014 defining technical risk in software development (vard antinyan)
Iwsm2014 defining technical risk in software development (vard antinyan)Iwsm2014 defining technical risk in software development (vard antinyan)
Iwsm2014 defining technical risk in software development (vard antinyan)
Nesma
 
Zap Scanning
Zap ScanningZap Scanning
Zap Scanning
Suresh Kumar
 
Machine Learning by Examples - Marcus Botacin - TAMU 2024
Machine Learning by Examples - Marcus Botacin - TAMU 2024Machine Learning by Examples - Marcus Botacin - TAMU 2024
Machine Learning by Examples - Marcus Botacin - TAMU 2024
Marcus Botacin
 
Near-memory & In-Memory Detection of Fileless Malware
Near-memory & In-Memory Detection of Fileless MalwareNear-memory & In-Memory Detection of Fileless Malware
Near-memory & In-Memory Detection of Fileless Malware
Marcus Botacin
 

More Related Content

Similar to Hardware-Assisted Malware Analysis

Machine programming
Machine programmingMachine programming
Machine programming
DESMOND YUEN
 
Good Security Starts with Software Assurance - Software Assurance Market Plac...
Good Security Starts with Software Assurance - Software Assurance Market Plac...Good Security Starts with Software Assurance - Software Assurance Market Plac...
Good Security Starts with Software Assurance - Software Assurance Market Plac...
Phil Agcaoili
 
Biomedcompcenter. Main Projects
Biomedcompcenter. Main ProjectsBiomedcompcenter. Main Projects
Biomedcompcenter. Main Projects
Turlapov
 
Would Static Analysis Tools Help Developers with Code Reviews?
Would Static Analysis Tools Help Developers with Code Reviews?Would Static Analysis Tools Help Developers with Code Reviews?
Would Static Analysis Tools Help Developers with Code Reviews?
Sebastiano Panichella
 
LinkedIn CyberSecurity Presentation
LinkedIn CyberSecurity PresentationLinkedIn CyberSecurity Presentation
LinkedIn CyberSecurity Presentation
Ben Berg
 
Iwsm2014 defining technical risk in software development (vard antinyan)
Iwsm2014 defining technical risk in software development (vard antinyan)Iwsm2014 defining technical risk in software development (vard antinyan)
Iwsm2014 defining technical risk in software development (vard antinyan)
Nesma
 

Similar to Hardware-Assisted Malware Analysis (20)

Near-memory & In-Memory Detection of Fileless Malware
Near-memory & In-Memory Detection of Fileless MalwareNear-memory & In-Memory Detection of Fileless Malware
Near-memory & In-Memory Detection of Fileless Malware
 
Machine programming
Machine programmingMachine programming
Machine programming
 
LC Chen Presentation at Icinga Camp 2015 Kuala Lumpur
LC Chen Presentation at Icinga Camp 2015 Kuala LumpurLC Chen Presentation at Icinga Camp 2015 Kuala Lumpur
LC Chen Presentation at Icinga Camp 2015 Kuala Lumpur
 
Good Security Starts with Software Assurance - Software Assurance Market Plac...
Good Security Starts with Software Assurance - Software Assurance Market Plac...Good Security Starts with Software Assurance - Software Assurance Market Plac...
Good Security Starts with Software Assurance - Software Assurance Market Plac...
 
stackconf 2023 | Continuous Deployment Workflows by Marco Otto-Witte.pdf
stackconf 2023 | Continuous Deployment Workflows by Marco Otto-Witte.pdfstackconf 2023 | Continuous Deployment Workflows by Marco Otto-Witte.pdf
stackconf 2023 | Continuous Deployment Workflows by Marco Otto-Witte.pdf
 
Biomedcompcenter. Main Projects
Biomedcompcenter. Main ProjectsBiomedcompcenter. Main Projects
Biomedcompcenter. Main Projects
 
Would Static Analysis Tools Help Developers with Code Reviews?
Would Static Analysis Tools Help Developers with Code Reviews?Would Static Analysis Tools Help Developers with Code Reviews?
Would Static Analysis Tools Help Developers with Code Reviews?
 
se01.ppt
se01.pptse01.ppt
se01.ppt
 
Spm unit1
Spm unit1Spm unit1
Spm unit1
 
How to Fix Hundreds of Bugs in Legacy Code and Not Die (Unreal Engine 4)
How to Fix Hundreds of Bugs in Legacy Code and Not Die (Unreal Engine 4)How to Fix Hundreds of Bugs in Legacy Code and Not Die (Unreal Engine 4)
How to Fix Hundreds of Bugs in Legacy Code and Not Die (Unreal Engine 4)
 
IRJET - Automatic Methods for Classi?cation of Plant Diseases using Back...
IRJET - Automatic Methods for Classi?cation of Plant Diseases using Back...IRJET - Automatic Methods for Classi?cation of Plant Diseases using Back...
IRJET - Automatic Methods for Classi?cation of Plant Diseases using Back...
 
Big Data Science - hype?
Big Data Science - hype?Big Data Science - hype?
Big Data Science - hype?
 
SE-Lecture1.ppt
SE-Lecture1.pptSE-Lecture1.ppt
SE-Lecture1.ppt
 
MAJOR PROJECT
MAJOR PROJECT MAJOR PROJECT
MAJOR PROJECT
 
Opencv
OpencvOpencv
Opencv
 
LinkedIn CyberSecurity Presentation
LinkedIn CyberSecurity PresentationLinkedIn CyberSecurity Presentation
LinkedIn CyberSecurity Presentation
 
Software Analytics: Data Analytics for Software Engineering and Security
Software Analytics: Data Analytics for Software Engineering and SecuritySoftware Analytics: Data Analytics for Software Engineering and Security
Software Analytics: Data Analytics for Software Engineering and Security
 
Unit 1.ppt
Unit 1.pptUnit 1.ppt
Unit 1.ppt
 
Iwsm2014 defining technical risk in software development (vard antinyan)
Iwsm2014 defining technical risk in software development (vard antinyan)Iwsm2014 defining technical risk in software development (vard antinyan)
Iwsm2014 defining technical risk in software development (vard antinyan)
 
Zap Scanning
Zap ScanningZap Scanning
Zap Scanning
 

More from Marcus Botacin

More from Marcus Botacin (20)

Machine Learning by Examples - Marcus Botacin - TAMU 2024
Machine Learning by Examples - Marcus Botacin - TAMU 2024Machine Learning by Examples - Marcus Botacin - TAMU 2024
Machine Learning by Examples - Marcus Botacin - TAMU 2024
 
Near-memory & In-Memory Detection of Fileless Malware
Near-memory & In-Memory Detection of Fileless MalwareNear-memory & In-Memory Detection of Fileless Malware
Near-memory & In-Memory Detection of Fileless Malware
 
GPThreats-3: Is Automated Malware Generation a Threat?
GPThreats-3: Is Automated Malware Generation a Threat?GPThreats-3: Is Automated Malware Generation a Threat?
GPThreats-3: Is Automated Malware Generation a Threat?
 
[HackInTheBOx] All You Always Wanted to Know About Antiviruses
[HackInTheBOx] All You Always Wanted to Know About Antiviruses[HackInTheBOx] All You Always Wanted to Know About Antiviruses
[HackInTheBOx] All You Always Wanted to Know About Antiviruses
 
[Usenix Enigma\ Why Is Our Security Research Failing? Five Practices to Change!
[Usenix Enigma\ Why Is Our Security Research Failing? Five Practices to Change![Usenix Enigma\ Why Is Our Security Research Failing? Five Practices to Change!
[Usenix Enigma\ Why Is Our Security Research Failing? Five Practices to Change!
 
Hardware-accelerated security monitoring
Hardware-accelerated security monitoringHardware-accelerated security monitoring
Hardware-accelerated security monitoring
 
How do we detect malware? A step-by-step guide
How do we detect malware? A step-by-step guideHow do we detect malware? A step-by-step guide
How do we detect malware? A step-by-step guide
 
Among Viruses, Trojans, and Backdoors:Fighting Malware in 2022
Among Viruses, Trojans, and Backdoors:Fighting Malware in 2022Among Viruses, Trojans, and Backdoors:Fighting Malware in 2022
Among Viruses, Trojans, and Backdoors:Fighting Malware in 2022
 
Extraindo Caracterı́sticas de Arquivos Binários Executáveis
Extraindo Caracterı́sticas de Arquivos Binários ExecutáveisExtraindo Caracterı́sticas de Arquivos Binários Executáveis
Extraindo Caracterı́sticas de Arquivos Binários Executáveis
 
All You Need to Know to Win a Cybersecurity Adversarial Machine Learning Comp...
All You Need to Know to Win a Cybersecurity Adversarial Machine Learning Comp...All You Need to Know to Win a Cybersecurity Adversarial Machine Learning Comp...
All You Need to Know to Win a Cybersecurity Adversarial Machine Learning Comp...
 
Does Your Threat Model Consider Country and Culture? A Case Study of Brazilia...
Does Your Threat Model Consider Country and Culture? A Case Study of Brazilia...Does Your Threat Model Consider Country and Culture? A Case Study of Brazilia...
Does Your Threat Model Consider Country and Culture? A Case Study of Brazilia...
 
Integridade, confidencialidade, disponibilidade, ransomware
Integridade, confidencialidade, disponibilidade, ransomwareIntegridade, confidencialidade, disponibilidade, ransomware
Integridade, confidencialidade, disponibilidade, ransomware
 
An Empirical Study on the Blocking of HTTP and DNS Requests at Providers Leve...
An Empirical Study on the Blocking of HTTP and DNS Requests at Providers Leve...An Empirical Study on the Blocking of HTTP and DNS Requests at Providers Leve...
An Empirical Study on the Blocking of HTTP and DNS Requests at Providers Leve...
 
On the Security of Application Installers & Online Software Repositories
On the Security of Application Installers & Online Software RepositoriesOn the Security of Application Installers & Online Software Repositories
On the Security of Application Installers & Online Software Repositories
 
UMLsec
UMLsecUMLsec
UMLsec
 
The Internet Banking [in]Security Spiral: Past, Present, and Future of Online...
The Internet Banking [in]Security Spiral: Past, Present, and Future of Online...The Internet Banking [in]Security Spiral: Past, Present, and Future of Online...
The Internet Banking [in]Security Spiral: Past, Present, and Future of Online...
 
Análise do Malware Ativo na Internet Brasileira: 4 anos depois. O que mudou?
Análise do Malware Ativo na Internet Brasileira: 4 anos depois. O que mudou?Análise do Malware Ativo na Internet Brasileira: 4 anos depois. O que mudou?
Análise do Malware Ativo na Internet Brasileira: 4 anos depois. O que mudou?
 
Towards Malware Decompilation and Reassembly
Towards Malware Decompilation and ReassemblyTowards Malware Decompilation and Reassembly
Towards Malware Decompilation and Reassembly
 
Reverse Engineering Course
Reverse Engineering CourseReverse Engineering Course
Reverse Engineering Course
 
Malware Variants Identification in Practice
Malware Variants Identification in PracticeMalware Variants Identification in Practice
Malware Variants Identification in Practice
 

Recently uploaded

Module for Grade 9 for Asynchronous/Distance learning
Module for Grade 9 for Asynchronous/Distance learningModule for Grade 9 for Asynchronous/Distance learning
Module for Grade 9 for Asynchronous/Distance learning
levieagacer
 
SCIENCE-4-QUARTER4-WEEK-4-PPT-1 (1).pptx
SCIENCE-4-QUARTER4-WEEK-4-PPT-1 (1).pptxSCIENCE-4-QUARTER4-WEEK-4-PPT-1 (1).pptx
SCIENCE-4-QUARTER4-WEEK-4-PPT-1 (1).pptx
RizalinePalanog2
 
Pests of mustard_Identification_Management_Dr.UPR.pdf
Pests of mustard_Identification_Management_Dr.UPR.pdfPests of mustard_Identification_Management_Dr.UPR.pdf
Pests of mustard_Identification_Management_Dr.UPR.pdf
PirithiRaju
 
9999266834 Call Girls In Noida Sector 22 (Delhi) Call Girl Service
9999266834 Call Girls In Noida Sector 22 (Delhi) Call Girl Service9999266834 Call Girls In Noida Sector 22 (Delhi) Call Girl Service
9999266834 Call Girls In Noida Sector 22 (Delhi) Call Girl Service
nishacall1
 
Seismic Method Estimate velocity from seismic data.pptx
Seismic Method Estimate velocity from seismic data.pptxSeismic Method Estimate velocity from seismic data.pptx
Seismic Method Estimate velocity from seismic data.pptx
AlMamun560346
 
Pests of cotton_Borer_Pests_Binomics_Dr.UPR.pdf
Pests of cotton_Borer_Pests_Binomics_Dr.UPR.pdfPests of cotton_Borer_Pests_Binomics_Dr.UPR.pdf
Pests of cotton_Borer_Pests_Binomics_Dr.UPR.pdf
PirithiRaju
 
Biogenic Sulfur Gases as Biosignatures on Temperate Sub-Neptune Waterworlds
Biogenic Sulfur Gases as Biosignatures on Temperate Sub-Neptune WaterworldsBiogenic Sulfur Gases as Biosignatures on Temperate Sub-Neptune Waterworlds
Biogenic Sulfur Gases as Biosignatures on Temperate Sub-Neptune Waterworlds
Sérgio Sacani
 
Asymmetry in the atmosphere of the ultra-hot Jupiter WASP-76 b
Asymmetry in the atmosphere of the ultra-hot Jupiter WASP-76 bAsymmetry in the atmosphere of the ultra-hot Jupiter WASP-76 b
Asymmetry in the atmosphere of the ultra-hot Jupiter WASP-76 b
Sérgio Sacani
 
Conjugation, transduction and transformation
Conjugation, transduction and transformationConjugation, transduction and transformation
Conjugation, transduction and transformation
Areesha Ahmad
 
9654467111 Call Girls In Raj Nagar Delhi Short 1500 Night 6000
9654467111 Call Girls In Raj Nagar Delhi Short 1500 Night 60009654467111 Call Girls In Raj Nagar Delhi Short 1500 Night 6000
9654467111 Call Girls In Raj Nagar Delhi Short 1500 Night 6000
Sapana Sha
 

Recently uploaded (20)

Module for Grade 9 for Asynchronous/Distance learning
Module for Grade 9 for Asynchronous/Distance learningModule for Grade 9 for Asynchronous/Distance learning
Module for Grade 9 for Asynchronous/Distance learning
 
SCIENCE-4-QUARTER4-WEEK-4-PPT-1 (1).pptx
SCIENCE-4-QUARTER4-WEEK-4-PPT-1 (1).pptxSCIENCE-4-QUARTER4-WEEK-4-PPT-1 (1).pptx
SCIENCE-4-QUARTER4-WEEK-4-PPT-1 (1).pptx
 
Pests of mustard_Identification_Management_Dr.UPR.pdf
Pests of mustard_Identification_Management_Dr.UPR.pdfPests of mustard_Identification_Management_Dr.UPR.pdf
Pests of mustard_Identification_Management_Dr.UPR.pdf
 
9999266834 Call Girls In Noida Sector 22 (Delhi) Call Girl Service
9999266834 Call Girls In Noida Sector 22 (Delhi) Call Girl Service9999266834 Call Girls In Noida Sector 22 (Delhi) Call Girl Service
9999266834 Call Girls In Noida Sector 22 (Delhi) Call Girl Service
 
Seismic Method Estimate velocity from seismic data.pptx
Seismic Method Estimate velocity from seismic data.pptxSeismic Method Estimate velocity from seismic data.pptx
Seismic Method Estimate velocity from seismic data.pptx
 
Pulmonary drug delivery system M.pharm -2nd sem P'ceutics
Pulmonary drug delivery system M.pharm -2nd sem P'ceuticsPulmonary drug delivery system M.pharm -2nd sem P'ceutics
Pulmonary drug delivery system M.pharm -2nd sem P'ceutics
 
pumpkin fruit fly, water melon fruit fly, cucumber fruit fly
pumpkin fruit fly, water melon fruit fly, cucumber fruit flypumpkin fruit fly, water melon fruit fly, cucumber fruit fly
pumpkin fruit fly, water melon fruit fly, cucumber fruit fly
 
Pests of cotton_Borer_Pests_Binomics_Dr.UPR.pdf
Pests of cotton_Borer_Pests_Binomics_Dr.UPR.pdfPests of cotton_Borer_Pests_Binomics_Dr.UPR.pdf
Pests of cotton_Borer_Pests_Binomics_Dr.UPR.pdf
 
Biogenic Sulfur Gases as Biosignatures on Temperate Sub-Neptune Waterworlds
Biogenic Sulfur Gases as Biosignatures on Temperate Sub-Neptune WaterworldsBiogenic Sulfur Gases as Biosignatures on Temperate Sub-Neptune Waterworlds
Biogenic Sulfur Gases as Biosignatures on Temperate Sub-Neptune Waterworlds
 
module for grade 9 for distance learning
module for grade 9 for distance learningmodule for grade 9 for distance learning
module for grade 9 for distance learning
 
Asymmetry in the atmosphere of the ultra-hot Jupiter WASP-76 b
Asymmetry in the atmosphere of the ultra-hot Jupiter WASP-76 bAsymmetry in the atmosphere of the ultra-hot Jupiter WASP-76 b
Asymmetry in the atmosphere of the ultra-hot Jupiter WASP-76 b
 
Dopamine neurotransmitter determination using graphite sheet- graphene nano-s...
Dopamine neurotransmitter determination using graphite sheet- graphene nano-s...Dopamine neurotransmitter determination using graphite sheet- graphene nano-s...
Dopamine neurotransmitter determination using graphite sheet- graphene nano-s...
 
Forensic Biology & Its biological significance.pdf
Forensic Biology & Its biological significance.pdfForensic Biology & Its biological significance.pdf
Forensic Biology & Its biological significance.pdf
 
Conjugation, transduction and transformation
Conjugation, transduction and transformationConjugation, transduction and transformation
Conjugation, transduction and transformation
 
Unit5-Cloud.pptx for lpu course cse121 o
Unit5-Cloud.pptx for lpu course cse121 oUnit5-Cloud.pptx for lpu course cse121 o
Unit5-Cloud.pptx for lpu course cse121 o
 
COST ESTIMATION FOR A RESEARCH PROJECT.pptx
COST ESTIMATION FOR A RESEARCH PROJECT.pptxCOST ESTIMATION FOR A RESEARCH PROJECT.pptx
COST ESTIMATION FOR A RESEARCH PROJECT.pptx
 
SAMASTIPUR CALL GIRL 7857803690 LOW PRICE ESCORT SERVICE
SAMASTIPUR CALL GIRL 7857803690 LOW PRICE ESCORT SERVICESAMASTIPUR CALL GIRL 7857803690 LOW PRICE ESCORT SERVICE
SAMASTIPUR CALL GIRL 7857803690 LOW PRICE ESCORT SERVICE
 
Factory Acceptance Test( FAT).pptx .
Factory Acceptance Test( FAT).pptx .Factory Acceptance Test( FAT).pptx .
Factory Acceptance Test( FAT).pptx .
 
9654467111 Call Girls In Raj Nagar Delhi Short 1500 Night 6000
9654467111 Call Girls In Raj Nagar Delhi Short 1500 Night 60009654467111 Call Girls In Raj Nagar Delhi Short 1500 Night 6000
9654467111 Call Girls In Raj Nagar Delhi Short 1500 Night 6000
 
Site Acceptance Test .
Site Acceptance Test .Site Acceptance Test .
Site Acceptance Test .
 

Hardware-Assisted Malware Analysis

  • 1. Introduction Hardware-Assisted Solutions My Proposal Conclusions Hardware-Assisted Malware Analysis Marcus Botacin1, Andr´e Gr´egio3, Paulo L´ıcio de Geus2 1Msc. Computer Science Institute of Computing - UNICAMP marcus@lasca.ic.unicamp.br 2Advisor Institute of Computing - UNICAMP paulo@lasca.ic.unicamp.br 3Co-Advisor Federal University of Paran´a (UFPR) gregio@inf.ufpr.br CTD - SBSEG Hardware-Assisted Malware Analysis IC-UNICAMP
  • 2. Introduction Hardware-Assisted Solutions My Proposal Conclusions Topics 1 Introduction The Problem The Solution The Challenges 2 Hardware-Assisted Solutions The Benefits A Summary 3 My Proposal Background Developments 4 Conclusions Remarks Future Work Publications Hardware-Assisted Malware Analysis IC-UNICAMP
  • 3. Introduction Hardware-Assisted Solutions My Proposal Conclusions The Problem Topics 1 Introduction The Problem The Solution The Challenges 2 Hardware-Assisted Solutions The Benefits A Summary 3 My Proposal Background Developments 4 Conclusions Remarks Future Work Publications Hardware-Assisted Malware Analysis IC-UNICAMP
  • 4. Introduction Hardware-Assisted Solutions My Proposal Conclusions The Problem Malware Threats. Figure: Washington Post: https://tinyurl.com/ljo7ekm Figure: BBC: https://tinyurl.com/mfogjhe Hardware-Assisted Malware Analysis IC-UNICAMP
  • 5. Introduction Hardware-Assisted Solutions My Proposal Conclusions The Solution Topics 1 Introduction The Problem The Solution The Challenges 2 Hardware-Assisted Solutions The Benefits A Summary 3 My Proposal Background Developments 4 Conclusions Remarks Future Work Publications Hardware-Assisted Malware Analysis IC-UNICAMP
  • 6. Introduction Hardware-Assisted Solutions My Proposal Conclusions The Solution Malware Analysis. Figure: Imperva: https://tinyurl.com/zkbsnl2 Figure: Enigma: https://tinyurl.com/kydgwve Hardware-Assisted Malware Analysis IC-UNICAMP
  • 7. Introduction Hardware-Assisted Solutions My Proposal Conclusions The Challenges Topics 1 Introduction The Problem The Solution The Challenges 2 Hardware-Assisted Solutions The Benefits A Summary 3 My Proposal Background Developments 4 Conclusions Remarks Future Work Publications Hardware-Assisted Malware Analysis IC-UNICAMP
  • 8. Introduction Hardware-Assisted Solutions My Proposal Conclusions The Challenges The Challenges. Figure: Themerkle: https://tinyurl.com/kasuxcr Figure: Forbes: https://tinyurl.com/l7ecrex Hardware-Assisted Malware Analysis IC-UNICAMP
  • 9. Introduction Hardware-Assisted Solutions My Proposal Conclusions The Challenges How to stop analysis? Table: Anti-Analysis: Tricks summary. Malware samples may employ multiple techniques to evade distinct analysis procedures. Technique Description Reason Implementation Anti Check if running Blocks reverse Fingerprinting Debug inside a debugger engineering attempts Anti Check if running Analysts use VMs Execution VM inside a VM for scalability Side-effect Anti Fool disassemblers AV signatures may Undecidable Disassembly to generate wrong opcodes be based on opcodes Constructions Hardware-Assisted Malware Analysis IC-UNICAMP
  • 10. Introduction Hardware-Assisted Solutions My Proposal Conclusions The Challenges And then... Figure: Commercial solution armored with anti-debug technique. Hardware-Assisted Malware Analysis IC-UNICAMP
  • 11. Introduction Hardware-Assisted Solutions My Proposal Conclusions The Challenges And then... Figure: Real malware impersonating a secure solution which cannot run under an hypervisor. Hardware-Assisted Malware Analysis IC-UNICAMP
  • 12. Introduction Hardware-Assisted Solutions My Proposal Conclusions The Benefits Topics 1 Introduction The Problem The Solution The Challenges 2 Hardware-Assisted Solutions The Benefits A Summary 3 My Proposal Background Developments 4 Conclusions Remarks Future Work Publications Hardware-Assisted Malware Analysis IC-UNICAMP
  • 13. Introduction Hardware-Assisted Solutions My Proposal Conclusions The Benefits Transparency 1 Higher privileged. 2 No non-privileged side-effects. 3 Identical Basic Instruction Semantics. 4 Transparent Exception Handling. 5 Identical Measurement of Time. Hardware-Assisted Malware Analysis IC-UNICAMP
  • 14. Introduction Hardware-Assisted Solutions My Proposal Conclusions A Summary Topics 1 Introduction The Problem The Solution The Challenges 2 Hardware-Assisted Solutions The Benefits A Summary 3 My Proposal Background Developments 4 Conclusions Remarks Future Work Publications Hardware-Assisted Malware Analysis IC-UNICAMP
  • 15. Introduction Hardware-Assisted Solutions My Proposal Conclusions A Summary A Survey Table: Hardware features. Technique PROS CONS Gaps HVM Ring -1 Hypervisor High development overhead SMM Ring -2 BIOS High development implementation cost AMT Ring -3 Chipset No malware code change analysis solution HPCs Lightweight Context-limited No malware information analysis solution GPU Easy to program No register No introspection data procedures TSX Commit-based Store only Overcome the few KB KB barrier SGX Isolates goodware Also isolates No enclave malware inspection SOCs Tamper-proof Passive Raise alarms components Hardware-Assisted Malware Analysis IC-UNICAMP
  • 16. Introduction Hardware-Assisted Solutions My Proposal Conclusions Background Topics 1 Introduction The Problem The Solution The Challenges 2 Hardware-Assisted Solutions The Benefits A Summary 3 My Proposal Background Developments 4 Conclusions Remarks Future Work Publications Hardware-Assisted Malware Analysis IC-UNICAMP
  • 17. Introduction Hardware-Assisted Solutions My Proposal Conclusions Background Branch Monitors Figure: Branch Stack. Hardware-Assisted Malware Analysis IC-UNICAMP
  • 18. Introduction Hardware-Assisted Solutions My Proposal Conclusions Developments Topics 1 Introduction The Problem The Solution The Challenges 2 Hardware-Assisted Solutions The Benefits A Summary 3 My Proposal Background Developments 4 Conclusions Remarks Future Work Publications Hardware-Assisted Malware Analysis IC-UNICAMP
  • 19. Introduction Hardware-Assisted Solutions My Proposal Conclusions Developments Proposed Framework Figure: Proposed framework architecture. Hardware-Assisted Malware Analysis IC-UNICAMP
  • 20. Introduction Hardware-Assisted Solutions My Proposal Conclusions Developments Could I develop a performance-counter-based malware analyzer? Could I isolate processes’ actions? Figure: Data Storage (DS) AREA. Hardware-Assisted Malware Analysis IC-UNICAMP
  • 21. Introduction Hardware-Assisted Solutions My Proposal Conclusions Developments Could I develop a performance-counter-based malware analyzer? Is CG reconstruction possible? Table: ASLR - Library placement after two consecutive reboots. Library NTDLL KERNEL32 KERNELBASE Address 1 0xBAF80000 0xB9610000 0xB8190000 Address 2 0x987B0000 0x98670000 0x958C0000 Hardware-Assisted Malware Analysis IC-UNICAMP
  • 22. Introduction Hardware-Assisted Solutions My Proposal Conclusions Developments Could I develop a performance-counter-based malware analyzer? Is CG reconstruction possible? Table: Function Offsets from ntdll.dll library. Function Offset NtCreateProcess 0x3691 NtCreateProcessEx 0x30B0 NtCreateProfile 0x36A1 NtCreateResourceManager 0x36C1 NtCreateSemaphore 0x36D1 NtCreateSymbolicLinkObject 0x36E1 NtCreateThread 0x30C0 NtCreateThreadEx 0x36F1 Hardware-Assisted Malware Analysis IC-UNICAMP
  • 23. Introduction Hardware-Assisted Solutions My Proposal Conclusions Developments Could I develop a performance-counter-based malware analyzer? Is CG reconstruction possible? Figure: Introspection Mechanism. Hardware-Assisted Malware Analysis IC-UNICAMP
  • 24. Introduction Hardware-Assisted Solutions My Proposal Conclusions Developments Could I develop a performance-counter-based malware analyzer? Is CG reconstruction possible? _lock_file+0x90printf+0xe3__iob_funcprintf+0xcaprintfNewToy Figure: Step Into. scanf+0x3f NewToy printf Figure: Step Over. Hardware-Assisted Malware Analysis IC-UNICAMP
  • 25. Introduction Hardware-Assisted Solutions My Proposal Conclusions Developments Could I retrieve all executed functions ? Is CFG reconstruction possible? Figure: Code block identification. Hardware-Assisted Malware Analysis IC-UNICAMP
  • 26. Introduction Hardware-Assisted Solutions My Proposal Conclusions Developments Could I retrieve all executed functions ? Is CFG reconstruction possible? Figure: it is possible to reconstruct the whole execution flow. Hardware-Assisted Malware Analysis IC-UNICAMP
  • 27. Introduction Hardware-Assisted Solutions My Proposal Conclusions Developments Is the final solution transparent? Deviating Behavior Figure: Deviating behavior identification. Hardware-Assisted Malware Analysis IC-UNICAMP
  • 28. Introduction Hardware-Assisted Solutions My Proposal Conclusions Developments Is the final solution transparent? Deviating Behavior Figure: Divergence: True Positive. Figure: Divergence: False Positive. Hardware-Assisted Malware Analysis IC-UNICAMP
  • 29. Introduction Hardware-Assisted Solutions My Proposal Conclusions Developments Could I develop a Debugger? Inverted I/O Figure: Debugger’s working mechanism. Hardware-Assisted Malware Analysis IC-UNICAMP
  • 30. Introduction Hardware-Assisted Solutions My Proposal Conclusions Developments Could I develop a Debugger? Integration Figure: GDB integration. Hardware-Assisted Malware Analysis IC-UNICAMP
  • 31. Introduction Hardware-Assisted Solutions My Proposal Conclusions Developments Does the solution handle ROP attacks? ROP Attacks Figure: ROP chain example. Hardware-Assisted Malware Analysis IC-UNICAMP
  • 32. Introduction Hardware-Assisted Solutions My Proposal Conclusions Developments Does the solution handle ROP attacks? CALL-RET Policy Figure: CALL-RET CFI policy. Hardware-Assisted Malware Analysis IC-UNICAMP
  • 33. Introduction Hardware-Assisted Solutions My Proposal Conclusions Developments Does the solution handle ROP attacks? Exploit Analysis Table: Excerpt of the branch window of the ROP payload. FROM TO —- 0x7c346c0a 0x7c346c0b 0x7c37a140 0x7c37a141 —- Hardware-Assisted Malware Analysis IC-UNICAMP
  • 34. Introduction Hardware-Assisted Solutions My Proposal Conclusions Developments Does the solution handle ROP attacks? Exploit Analysis Listing 1: Static disassembly of the MSVCR71.dll library. 1 7 c346c08 : f2 0 f 58 c3 addsd %xmm3,%xmm0 2 7 c346c0c : 66 0 f 13 44 24 04 movlpd %xmm0,0 x4(%esp ) Listing 2: Dynamic disassembly of the MSVC71.dll executed code. 1 0x1000 ( s i z e =1) pop rax 2 0x1001 ( s i z e =1) r e t Hardware-Assisted Malware Analysis IC-UNICAMP
  • 35. Introduction Hardware-Assisted Solutions My Proposal Conclusions Remarks Topics 1 Introduction The Problem The Solution The Challenges 2 Hardware-Assisted Solutions The Benefits A Summary 3 My Proposal Background Developments 4 Conclusions Remarks Future Work Publications Hardware-Assisted Malware Analysis IC-UNICAMP
  • 36. Introduction Hardware-Assisted Solutions My Proposal Conclusions Remarks Lessons learned Transparency is essential. Hardware-assisted approaches may fulfill transparency requirements. There are open problems on hardware monitoring. Security, performance, and development efforts as trade-offs (really?). Performance monitors as lightweight alternatives. Hardware-Assisted Malware Analysis IC-UNICAMP
  • 37. Introduction Hardware-Assisted Solutions My Proposal Conclusions Future Work Topics 1 Introduction The Problem The Solution The Challenges 2 Hardware-Assisted Solutions The Benefits A Summary 3 My Proposal Background Developments 4 Conclusions Remarks Future Work Publications Hardware-Assisted Malware Analysis IC-UNICAMP
  • 38. Introduction Hardware-Assisted Solutions My Proposal Conclusions Future Work And now? Multi-core monitor. Linux Monitor. Malware clustering. Hardware-Assisted Malware Analysis IC-UNICAMP
  • 39. Introduction Hardware-Assisted Solutions My Proposal Conclusions Publications Topics 1 Introduction The Problem The Solution The Challenges 2 Hardware-Assisted Solutions The Benefits A Summary 3 My Proposal Background Developments 4 Conclusions Remarks Future Work Publications Hardware-Assisted Malware Analysis IC-UNICAMP
  • 40. Introduction Hardware-Assisted Solutions My Proposal Conclusions Publications Main Papers Who watches the watchmen: A security-focused review on current state-of-the-art techniques, tools and methods for systems and binary analysis on modern platforms—ACM Computing Surveys (A1). Enhancing Branch Monitoring for Security Purposes: From Control Flow Integrity to Malware Analysis and Debugging—ACM Transactions on Privacy and Security (A2). The other guys: automated analysis of marginalized malware—Journal of Computer Virology and Hacking techniques (B1). Hardware-Assisted Malware Analysis IC-UNICAMP
  • 41. Introduction Hardware-Assisted Solutions My Proposal Conclusions Publications Solution’s Availability Figure: Solution’s Availability. Solution is public on github. https://github.com/marcusbotacin/BranchMonitoringProject Hardware-Assisted Malware Analysis IC-UNICAMP
  • 42. Introduction Hardware-Assisted Solutions My Proposal Conclusions Publications Questions ? Contact marcus@lasca.ic.unicamp.br mfbotacin@inf.ufpr.br Hardware-Assisted Malware Analysis IC-UNICAMP