DOI: 10.1145/2689702.2689704

A Framework for Understanding Dynamic Anti-Analysis Defenses

Published: 09 December 2014

Abstract

Malicious code often uses a variety of anti-analysis and anti-tampering defenses to hinder analysis. Researchers trying to understand the internal logic of the malware have to penetrate these defenses. Existing research on such anti-analysis defenses tends to study them in isolation, thereby failing to see underlying conceptual similarities between different kinds of anti-analysis defenses. This paper proposes an information-flow-based framework that encompasses a wide variety of anti-analysis defenses. We illustrate the utility of our approach using two different instances of this framework: self-checksumming-based anti-tampering defenses and timing-based emulator detection. Our approach can provide insights into the underlying structure of various anti-analysis defenses and thereby help devise techniques for neutralizing them.



    Published In

    PPREW-4: Proceedings of the 4th Program Protection and Reverse Engineering Workshop
    December 2014
    77 pages
    ISBN:9781605586373
    DOI:10.1145/2689702

    Publisher

    Association for Computing Machinery

    New York, NY, United States

    Author Tags

    1. Anti-analysis Defense
    2. Self-checksumming
    3. Taint analysis
    4. Timing defense

    Qualifiers

    • Research-article
    • Research
    • Refereed limited

    Conference

    PPREW-4

    Acceptance Rates

    PPREW-4 Paper Acceptance Rate 7 of 14 submissions, 50%;
    Overall Acceptance Rate 21 of 36 submissions, 58%

    Cited By

    • (2022) Evasion and Countermeasures Techniques to Detect Dynamic Binary Instrumentation Frameworks. Digital Threats: Research and Practice 3(2):1-28. DOI 10.1145/3480463. Online publication date: 8-Feb-2022
    • (2021) Happer: Unpacking Android Apps via a Hardware-Assisted Approach. 2021 IEEE Symposium on Security and Privacy (SP), pages 1641-1658. DOI 10.1109/SP40001.2021.00105. Online publication date: May-2021
    • (2018) Self-protection of Android systems from inter-component communication attacks. Proceedings of the 33rd ACM/IEEE International Conference on Automated Software Engineering, pages 726-737. DOI 10.1145/3238147.3238207. Online publication date: 3-Sep-2018
    • (2017) Analysis of Exception-Based Control Transfers. Proceedings of the Seventh ACM Conference on Data and Application Security and Privacy, pages 205-216. DOI 10.1145/3029806.3029826. Online publication date: 22-Mar-2017
    • (2017) A Taxonomy and Qualitative Comparison of Program Analysis Techniques for Security Assessment of Android Software. IEEE Transactions on Software Engineering 43(6):492-530. DOI 10.1109/TSE.2016.2615307. Online publication date: 1-Jun-2017
    • (2017) Detecting environment-sensitive malware based on taint analysis. 2017 8th IEEE International Conference on Software Engineering and Service Science (ICSESS), pages 322-327. DOI 10.1109/ICSESS.2017.8342924. Online publication date: Nov-2017
    • (2017) Anti-Reverse-Engineering Tool of Executable Files on the Windows Platform. 2017 IEEE International Conference on Computational Science and Engineering (CSE) and IEEE International Conference on Embedded and Ubiquitous Computing (EUC), vol. 2, pages 797-800. DOI 10.1109/CSE-EUC.2017.158. Online publication date: Jul-2017
    • (2016) N-version Obfuscation. Proceedings of the 2nd ACM International Workshop on Cyber-Physical System Security, pages 22-33. DOI 10.1145/2899015.2899026. Online publication date: 30-May-2016
    • (2016) Novel Feature Extraction, Selection and Fusion for Effective Malware Family Classification. Proceedings of the Sixth ACM Conference on Data and Application Security and Privacy, pages 183-194. DOI 10.1145/2857705.2857713. Online publication date: 9-Mar-2016
    • (2015) Mal-EVE: Static detection model for evasive malware. 2015 10th International Conference on Communications and Networking in China (ChinaCom), pages 283-288. DOI 10.1109/CHINACOM.2015.7497952. Online publication date: Aug-2015