Evasion and countermeasures techniques to detect dynamic binary instrumentation frameworks
Abstract: Dynamic Binary Instrumentation (DBI) is a dynamic analysis technique that allows arbitrary code to be executed while a program is running. DBI frameworks have started to be used to analyze malicious applications. As a result, different approaches have emerged to detect and evade them. Split personality malware, or evasive malware, is malicious software that incorporates snippets of code to detect when it is being analyzed under a DBI framework and then mimics benign behavior. Recent studies have questioned the use of DBI in malware analysis, arguing that it increases the attack surface. In this article, we examine the anti-instrumentation techniques that abuse desktop-based DBI frameworks and the existing countermeasures, to determine whether the exploitable attack surface introduced by these DBI frameworks can be reduced. In particular, we review the related literature to identify (i) the existing set of DBI framework evasion techniques and (ii) the existing set of countermeasures against them. We also analyze and compare the taxonomies introduced in the literature, and propose a new taxonomy that expands and completes the previous ones. Our findings show that, despite advances in DBI framework protections that make them quite suitable for system security purposes, more effort is needed to reduce the attack surface they add during application analysis. Only 12 of the 26 evasion techniques covered in this document have countermeasures, which threatens the transparency of DBI frameworks. Furthermore, the impact of these countermeasures in terms of performance overhead and their effectiveness in real-world situations is unknown. Finally, proofs of concept exist for only 9 of these 26 techniques, which makes it difficult to validate and study how they evade analysis in order to counter them.
We also point out some relevant issues in this context and outline future research directions in the use of DBI frameworks for system security purposes. © 2022 Copyright held by the owner/author(s).
Language: English
DOI: 10.1145/3480463
Year: 2022
Published in: Digital Threats: Research and Practice 3, 2 (2022), 11 [28 pp]
ISSN: 2576-5337

CiteScore impact factor: 2.8 - Computer Science (Q3) - Social Sciences (Q2)

SCImago impact factor: 0.543 - Computer Networks and Communications (Q2) - Computer Science Applications (Q2) - Hardware and Architecture (Q2) - Information Systems (Q2) - Safety Research (Q2) - Software (Q3)

Funding: info:eu-repo/grantAgreement/ES/DGA-UZ/T21-20R
Funding: info:eu-repo/grantAgreement/ES/MICIU/Medrese-RTI2018-098543-B-I00
Funding: info:eu-repo/grantAgreement/ES/UZ-IBERCAJA/JIUZ-2020-TIC-08
Type and form: Article (final published version)
Area (Department): Area of Languages and Computer Systems (Department of Computer Science and Systems Engineering)

Creative Commons license: You must give appropriate credit, provide a link to the license, and indicate if changes were made. You may do so in any reasonable manner, but not in any way that suggests the licensor endorses you or your use. You may not use the material for commercial purposes. If you remix, transform, or build upon the material, you may not distribute the modified material.



Record created on 2022-10-20, last modified on 2023-09-14

