[My research] A comparison of the QEMU extensions in Anubis, TEMU and "A Layered Architecture for Detecting Malicious Behaviors"

Summary

All three build the same two extensions on top of QEMU: OS-awareness (recovering OS-level semantics such as processes and system calls from QEMU's hardware-level view) and taint analysis.


A Layered Architecture for Detecting Malicious Behaviors

Two extensions to QEMU:

1. Guest-OS awareness (system calls differ from one operating system to another, so the analyzer has to know which system call is being made, by which process, and how the buffers passed as arguments are laid out)

2. Taint analysis (this appears to be earlier development work from the same lab)

Cited there as [25]: Garfinkel, T., Rosenblum, M.: A Virtual Machine Introspection Based Architecture for Intrusion Detection. In: NDSS 2003


Anubis: the main extensions are presumably all inside the Worker (VM) image, but the paper does not say so clearly. TODO

Projects related to Anubis:
SGNET, WOMBAT (uses Anubis for its malware analysis component)

Ulrich Bayer: TTAnalyze, his master's thesis project developed together with Ikarus Software, is the predecessor of Anubis
PhD student at TU Vienna since 2006
Ikarus has released a commercial version of Anubis; a trial version is available

Nine people are developing it

Architecture: five main components
1. Web/DB Server
2. Malware Sample Storage
3. Report Storage
4. Victim Server
5. Worker (VM) Images (where all the analysis work is done)

TEMU

Comparable dynamic binary instrumentation tools are Valgrind, DynamoRIO and PIN, but they only see a single user-mode process, whereas many attacks involve more than one process, or the kernel.

Architecture:
1. OS-aware semantics extractor (QEMU only provides a hardware-level view; the software-level view, in particular OS-level semantics, has to be extracted from it)
2. Dynamic taint analysis (reasoning about how particular data depends on its sources, and how data propagates through the system)
3. A programming interface (API) for plugins

API functions:
1. Query and set the value of a memory cell or a CPU register.
2. Query and set the taint information of memory or registers.
3. Register a hook to a function at its entry and exit, and remove a hook. TEMU plugins can use this interface to monitor both user and kernel functions.
4. Query OS-level semantics information, such as the current process, module, and thread.
5. Save and load the emulated system state. This interface helps to switch between different machine states for more efficient analysis. For example, this interface makes multiple path exploration more efficient, because we can save a state for a specific branch point and explore one path, and then load this state to explore the other path without restarting the program execution.
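As an added illustration of API points 2, 3 and 5 and of the taint-propagation idea in the architecture notes above (this is example code written for these notes, not TEMU's own code; the TaintVM class, its mini instruction set, the `recv` taint source and the constructed sample program are all assumptions), the following Python model carries a set of source labels on every register and memory byte, propagates them through loads, stores and arithmetic, raises an alert when tainted data reaches an indirect jump, and uses a hook at a branch to snapshot the machine state so the untaken arm can be explored by reloading it. Forcing the branch outcome stands in for the symbolic execution that TEMU's plugins use; the save/reload mechanics are the point.

```python
"""Toy whole-system taint tracker modelled on the TEMU API listed above (added
example, not TEMU code; the TaintVM class, its mini instruction set and the
sample program are assumptions). Taint is a set of labels per register/byte."""
from copy import deepcopy

MASK = 0xFFFFFFFF


class TaintVM:
    def __init__(self, mem_size=64):
        self.regs = {r: 0 for r in ("eax", "ebx", "ecx")}
        self.mem = bytearray(mem_size)
        self.reg_taint = {r: set() for r in self.regs}
        self.mem_taint = [set() for _ in range(mem_size)]
        self.hooks = {}        # code address -> callback(vm, pc)
        self.branch_log = {}   # branch pc -> outcome seen on the last run
        self.alerts = []

    # (1)+(2): set a memory cell together with its taint labels
    def write_mem(self, addr, data, taint=()):
        self.mem[addr:addr + len(data)] = data
        for i in range(len(data)):
            self.mem_taint[addr + i] = set(taint)

    # (2): query the taint of a memory range (union of the byte labels)
    def taint_of_mem(self, addr, n):
        return set().union(*self.mem_taint[addr:addr + n])

    # (3): hook a code address (function entry, in TEMU's terms)
    def register_hook(self, pc, callback):
        self.hooks[pc] = callback

    def remove_hook(self, pc):
        self.hooks.pop(pc, None)

    # (5): save/load the complete emulated state
    def save_state(self):
        return deepcopy((self.regs, self.mem, self.reg_taint, self.mem_taint, self.alerts))

    def load_state(self, state):
        self.regs, self.mem, self.reg_taint, self.mem_taint, self.alerts = deepcopy(state)

    def run(self, program, pc=0, branch_choices=None):
        """Execute from `pc`; `branch_choices` forces outcomes at given branch pcs."""
        branch_choices = branch_choices or {}
        while 0 <= pc < len(program):
            if pc in self.hooks:
                self.hooks[pc](self, pc)
            insn = program[pc]
            op, pc = insn[0], pc + 1
            if op == "recv":                     # taint source: bytes from the network
                _, addr, data, label = insn
                self.write_mem(addr, data, {label})
            elif op == "add":                    # add dst, src: taint is the union
                _, d, s = insn
                self.regs[d] = (self.regs[d] + self.regs[s]) & MASK
                self.reg_taint[d] = self.reg_taint[d] | self.reg_taint[s]
            elif op == "load":                   # load dst, [addr]: 4 bytes little-endian
                _, d, addr = insn
                self.regs[d] = int.from_bytes(self.mem[addr:addr + 4], "little")
                self.reg_taint[d] = self.taint_of_mem(addr, 4)
            elif op == "store":                  # store [addr], src: taint follows the data
                _, addr, s = insn
                self.write_mem(addr, self.regs[s].to_bytes(4, "little"), self.reg_taint[s])
            elif op == "jz":                     # jz src, target
                _, s, target = insn
                taken = branch_choices.get(pc - 1, self.regs[s] == 0)
                self.branch_log[pc - 1] = taken
                if taken:
                    pc = target
            elif op == "jmp_reg":                # indirect jump: a control-flow sink
                _, s = insn
                if self.reg_taint[s]:
                    self.alerts.append(("tainted-jump", self.regs[s], frozenset(self.reg_taint[s])))
                pc = self.regs[s]
        return self.alerts


# Constructed sample: an 8-byte "packet" whose second dword gates the dangerous path.
PROGRAM = [
    ("recv", 0, b"\x41\x41\x41\x41\x00\x00\x00\x00", "net:recv"),  # pc 0
    ("load", "eax", 0),      # pc 1: eax <- packet[0:4]  (tainted)
    ("load", "ebx", 4),      # pc 2: ebx <- packet[4:8]  (tainted, value 0)
    ("jz", "ebx", 8),        # pc 3: trigger check; zero skips to the end
    ("add", "eax", "ebx"),   # pc 4: union of two tainted operands
    ("store", 16, "eax"),    # pc 5: tainted dword lands in a code-pointer slot
    ("load", "ecx", 16),     # pc 6
    ("jmp_reg", "ecx"),      # pc 7: jump through attacker data -> alert
]


def explore_branch(program, branch_pc):
    """Run naturally, snapshot at branch_pc via a hook, reload it, force the other arm."""
    vm = TaintVM()
    snapshots = {}
    vm.register_hook(branch_pc, lambda v, pc: snapshots.setdefault(pc, v.save_state()))
    natural = list(vm.run(program))
    vm.remove_hook(branch_pc)
    other = not vm.branch_log[branch_pc]
    vm.load_state(snapshots[branch_pc])
    forced = list(vm.run(program, pc=branch_pc, branch_choices={branch_pc: other}))
    return natural, forced
```

`explore_branch(PROGRAM, 3)` returns `([], [("tainted-jump", 0x41414141, frozenset({"net:recv"}))])`: the natural run takes the `jz` because the packet's second dword is zero and never reaches the sink, while the reloaded snapshot with the branch forced the other way carries the `net:recv` label from the packet through `add`, the store at address 16 and the reload into `ecx` to the indirect jump. The snapshot is taken by a hook at the branch, so the second run starts at pc 3 rather than from the beginning, which is exactly the saving the API description claims.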

Plugins related to trigger-based behavior:
– MineSweeper [10]: a plugin that identifies and uncovers trigger-based behaviors in malware by performing online symbolic execution.
– BitScope: a more generic plugin that makes use of symbolic execution to perform in-depth analysis of malware.

Code size:
The TEMU core consists of about 37,000 lines of code; the TEMU plugins consist of about 134,000 lines of code.

posted @ 2011-08-13 15:01  shengying