Abstract
Malicious applications are one of the most relevant issues in today's technology landscape and are considered the root of many Internet security threats. In part, this is due to the ability of malware developers to respond promptly to the emergence of new security solutions by developing artifacts that detect and evade them. In this work, we present three countermeasures to mitigate recent mechanisms used by malware to detect analysis environments. Among these techniques, this work focuses on those that enable malware to detect dynamic binary instrumentation frameworks, thus increasing their attack surface. To ensure the effectiveness of the proposed countermeasures, proofs of concept were developed and tested in a controlled environment against a set of anti-instrumentation techniques. Finally, we evaluated the performance impact of using such countermeasures.
Acknowledgements
The research of A. Santos Filho and E. L. Feitosa was supported in part by FAPEAM Proc. No. 009/2017 and by the Federal University of Amazonas (UFAM). The research of R. J. Rodríguez was supported in part by the University, Industry and Innovation Department of the Aragonese Government under the Programa de Proyectos Estratégicos de Grupos de Investigación (project reference T21-17R).
Copyright information
© 2020 Springer Nature Singapore Pte Ltd.
Cite this paper
Filho, A.S., Rodríguez, R.J., Feitosa, E.L. (2020). Reducing the Attack Surface of Dynamic Binary Instrumentation Frameworks. In: Rocha, Á., Pereira, R. (eds) Developments and Advances in Defense and Security. Smart Innovation, Systems and Technologies, vol 152. Springer, Singapore. https://doi.org/10.1007/978-981-13-9155-2_1
DOI: https://doi.org/10.1007/978-981-13-9155-2_1
Publisher Name: Springer, Singapore
Print ISBN: 978-981-13-9154-5
Online ISBN: 978-981-13-9155-2
eBook Packages: Intelligent Technologies and Robotics (R0)