Evasion and Countermeasures Techniques to Detect Dynamic Binary Instrumentation Frameworks

Author:

Ailton Santos Filho (1), Ricardo J. Rodríguez (2), Eduardo L. Feitosa (1)

Affiliation:

1. Institute of Computing, Federal University of Amazonas (UFAM), Coroado I, Manaus - AM, Brazil

2. Department of Computer Science and Systems Engineering, University of Zaragoza, Calle María de Luna 1, Zaragoza, Spain

Abstract

Dynamic Binary Instrumentation (DBI) is a dynamic analysis technique that allows arbitrary code to be executed while a program is running. DBI frameworks have started to be used to analyze malicious applications. As a result, different approaches have emerged to detect and evade them. Split personality malware, or evasive malware, is malicious software that incorporates snippets of code to detect when it is being analyzed under a DBI framework and then mimics benign behavior. Recent studies have questioned the use of DBI in malware analysis, arguing that it increases the attack surface. In this article, we examine the anti-instrumentation techniques that abuse desktop-based DBI frameworks and the existing countermeasures, to determine whether it is possible to reduce the exploitable attack surface that these DBI frameworks introduce. In particular, we review the related literature to identify (i) the existing set of DBI framework evasion techniques and (ii) the existing set of countermeasures against them. We also analyze and compare the taxonomies introduced in the literature and propose a new taxonomy that expands and completes the previous ones. Our findings show that, despite advances in DBI framework protections that make them quite suitable for system security purposes, more effort is needed to reduce the attack surface they add during application analysis. Only 12 of the 26 evasion techniques covered in this document have countermeasures, which threatens the transparency of DBI frameworks. Furthermore, the impact of these countermeasures in terms of performance overhead and effectiveness in real-world situations is unknown. Finally, proofs of concept exist for only 9 of these 26 techniques, which makes it difficult to validate and study how they evade analysis in order to counter them. We also point out some relevant issues in this context and outline future research directions in the use of DBI frameworks for system security purposes.

Funder

Samsung Electronics of Amazonia Ltda

Coordination for the Improvement of Higher Education Personnel - Brazil

Spanish Ministry of Science, Innovation and Universities

Industry and Innovation Department of the Aragonese Government under Programa de Proyectos Estratégicos de Grupos de Investigación

University of Zaragoza and the Fundación Ibercaja

Publisher

Association for Computing Machinery (ACM)

Subject

General Medicine


Cited by 5 articles.