Annual Computer Security Applications Conference (ACSAC) 2012

Full Program »

Down to the Bare Metal: Using Processor Features for Binary Analysis

A detailed understanding of the behavior of exploits and malicious software is necessary to obtain a comprehensive overview of vulnerabilities in operating systems or client applications, and to develop protection techniques and tools. To this end, a lot of research has been done in the last few years on binary analysis techniques to efficiently and precisely analyze code. Most of the common analysis frameworks are based on software emulators since such tools offer a fine-grained control over the execution of a given program. Naturally, this leads to an arms race where the attackers are constantly searching for new methods to detect such analysis frameworks in order to successfully evade analysis.
In this paper, we focus on two aspects. As a first contribution, we introduce several novel mechanisms by which an attacker can delude an emulator. In contrast to existing detection approaches that perform a dedicated test on the environment and combine the test with an explicit conditional branch, our detection mechanisms introduce code sequences that have an implicitly different behavior on a native machine when compared to an emulator. Such differences in behavior are caused by the side-effects of the particular operations and imperfections in the emulation process that can- not be mitigated easily. Even powerful analysis techniques such as multi-path execution cannot analyze our detection mechanisms since the emulator itself is deluded. Motivated by these findings, we introduce a novel approach to generate execution traces. We propose to utilize the processor itself to generate such traces. Mores precisely, we propose to use a hardware feature called branch tracing available on commodity x86 processors in which the log of all branches taken during code execution is generated directly by the processor. Effectively, the logging is thus performed at the lowest level possible. We evaluate the practical viability and effectiveness of this approach.

Author(s):

Carsten Willems    
Ruhr-University Bochum
Germany

Ralf Hund    
Ruhr-University Bochum
Germany

Andreas Fobian    
Ruhr-University Bochum
Germany

Dennis Felsch    
Ruhr-University Bochum
Germany

Thorsten Holz    
Ruhr-University Bochum
Germany

Amit Vasudevan    
CyLab/CMU
United States

 

Powered by OpenConf®
Copyright©2002-2014 Zakon Group LLC