Transparent Malware Analysis on x86 and ARM
Abstract:With the rapid proliferation of malware attacks on the Internet, understanding these malicious behaviors plays a critical role in crafting effective defense. Existing malware analysis platforms leave detectable fingerprints like uncommon string properties in QEMU, signatures in Linux kernel profiles,and artifacts on basic instruction execution semantics. Since these fingerprints provide the malware a chance to split its behavior depending on whether the analysis system is present or not, existing analysis systems are not sufficient to analyze the sophisticated malware. In this talk, I will present the framework for transparent malware analysis, which leverages the hardware features in existing PC and mobile devices to increase the transparency of malware analysis. In particular, I will introduce MalT on the x86 architecture and Ninja on the ARM architecture. MalT uses the system management mode as the execution environment and performance monitor unit as hardware assistant to facilitate the analysis, whereas Ninja involves the TrustZone technology and embedded trace macrocell to improve the transparency. Moreover, both MalT and Ninja are OS-agnostic, and do not require modification to the operation system or the target application.