Abstract:
Advanced malicious code of many kinds keeps appearing in cyberspace, with new characteristics such as strong resistance to analysis and more concealed malicious behaviour, posing a serious threat to the security of all kinds of information systems. To understand malicious code and the related attack activity in depth, more practical and efficient analysis methods are needed to improve the capability and response speed of threat analysis. Although there has been considerable research on binary program analysis, as hardware and software technology evolve it still faces problems such as low practicality and flexibility, high performance and resource overhead, and difficulty adapting to new application scenarios. Building on existing work, this paper therefore targets dynamic fine-grained program analysis, deeply integrates the operating system with the virtual machine monitor, and proposes a new method for the dynamic analysis of binary programs. The method makes full use of new hardware virtualization features to dynamically intercept the execution of the target program, which allows user-mode applications to be analyzed automatically and more conveniently, and adopts a new memory management scheme for dynamic analysis to improve the efficiency of fine-grained analysis and the flexibility of constructing analysis code; at the same time, it combines a strategy that separates program execution from instruction analysis to further reduce the runtime performance impact of the analysis process on the target program. A prototype of the method is designed on the Windows platform and the corresponding analysis framework is implemented; extensive experiments with benchmark programs and real applications verify the feasibility and efficiency of the method, and a data flow analysis case study further shows that the framework has high practical value in real analysis work.
Keywords: program analysis; dynamic analysis; malicious code; system kernel; hardware virtualization
DOI: 10.19363/J.cnki.cn10-1380/tn.2024.07.04
Received: 2022-08-17; Revised: 2023-01-05
Funding: This work was supported by the National Natural Science Foundation of China (No. 62072253) and the Scientific Research Foundation of Nanjing University of Posts and Telecommunications (No. NY221036).
Practical Dynamic Binary Analysis Framework via Integrating Hypervisor with the Operating System |
PAN Jiaye, SHA Letian
School of Modern Posts, Nanjing University of Posts and Telecommunications, Nanjing 210003, China; School of Computer Science, Nanjing University of Posts and Telecommunications, Nanjing 210042, China
Abstract:
All kinds of advanced malicious code are constantly appearing in cyberspace. They have new characteristics such as a strong ability to resist analysis and more concealed malicious behaviors, which pose a serious threat to the security of various information systems. In order to understand malicious code and the related attack activities in depth, it is necessary to develop more practical and efficient analysis methods to improve the analysis capability and response speed for malicious code. Although there have been many research achievements in binary program analysis, with the development of hardware and software technology it still faces many problems, such as low practicability and flexibility, high performance and resource overhead, and difficulty in adapting to new application scenarios. Therefore, on the basis of existing research, this paper targets dynamic fine-grained program analysis, deeply integrates the operating system with the virtual machine monitor, and proposes a new dynamic analysis method for binary programs. This method makes full use of the new features of hardware virtualization to dynamically intercept the execution of the target program, which makes it more convenient to analyze user-mode target programs automatically, and designs a new memory management scheme for dynamic analysis to improve the efficiency of fine-grained analysis and the flexibility of analysis code construction; at the same time, the method combines a strategy of decoupling native program execution from instruction analysis to further reduce the performance impact of the analysis process on the target program at runtime. In this paper, a prototype of the method is designed on the Windows platform and the corresponding analysis framework is implemented. The feasibility and efficiency of this method are verified by a large number of experiments with benchmark programs and practical application programs, and the high application value of this framework in practical analysis is further demonstrated by real data flow analysis cases.
Key words: program analysis; dynamic analysis; malicious code; system kernel; hardware virtualization