Research And Application About Whole-system Dynamic Analysis Technique On ARM

Posted on: 2015-06-16
Degree: Master
Type: Thesis
Country: China
Candidate: Y Q Ye
GTID: 2308330482979139
Subject: Computer Science and Technology

Abstract/Summary:

Whole-system out-of-the-box dynamic analysis is a technique that analyses a target binary entirely from outside its execution environment. It provides strong isolation between the execution environment and the analysis environment, and it preserves the original form of the target OS as far as possible, so the analysis result better reflects the actual properties of the target OS. It also makes it harder for malware to interfere with the analysis procedure. Research on malware analysis and attack detection on PC platforms has demonstrated the effectiveness of this technique, while related research for embedded platforms clearly lags behind. In this paper we aim to implement whole-system out-of-the-box dynamic analysis and whole-system semantic view extraction on the ARM architecture, providing malware analysis and attack detection capabilities for ARM while keeping good platform scalability.

Processors based on the ARM architecture hold more than 90% of the market in intelligent mobile devices. According to Gartner's statistics and forecasts, by 2012 there were 1.6 billion Internet-connected devices worldwide using ARM processors, and that figure is expected to reach 4 billion in 2017. The emergence of new attack techniques aimed at ARM-based embedded systems brings them serious security problems, so the research in this paper on security defence techniques for ARM-based embedded systems has important practical significance.

Based on a summary of current research on related techniques in the embedded domain, this paper describes the design of a whole-system dynamic binary analysis platform named QUEST that can be used to perform malware behaviour analysis on the ARM architecture. It then describes the design of a technique named light-VMI, which performs light-weight whole-system semantic view extraction on ARM-based embedded systems. In the third part of this paper, we implement a technique named whole-system CFI enforcement, built on QUEST and the whole-system semantic view extraction technique, which can be used to detect control-flow hijacking attacks.

The main work can be summarised as follows:

1. We construct a whole-system out-of-the-box dynamic analysis framework named QUEST that runs on the ARM architecture and has good scalability. It is based on instrumentation of the whole-system emulator QEMU. Through two-level callback-function instrumentation, QUEST provides monitoring and analysis of events that occur in QEMU, including instruction execution, system calls, basic-block caching and PGD switches. It also provides hardware-level support for binary dynamic analysis and whole-system semantic view extraction in the virtual hardware layer. Because its whole-system out-of-the-box dynamic analysis is implemented in the virtual hardware layer, QUEST offers a more fine-grained and precise method for malware analysis on ARM.

2. We implement a light-weight virtual machine introspection mechanism named light-VMI, built on QUEST, which extracts the whole-system semantic view of the target OS. This mechanism effectively bridges the semantic gap and reconstructs the semantic information of processes in the target OS. It can also reconstruct the execution semantics of binary code through API function name recovery. Light-VMI provides an effective technique for semantic-level behaviour observation of the target OS by synchronously updating the introspection semantic view cached in QUEST whenever the semantic information in the target OS changes. Based on light-VMI, we construct an introspection program that extracts the process list of the target OS by reconstructing it from the hardware layer. It can effectively detect hidden processes, including processes hidden by direct kernel object manipulation.

3. We implement a whole-system CFI enforcement technique, built on QUEST and the whole-system semantic view technique, that can be used to detect control-flow hijacking attacks. We also construct two kinds of control-flow hijacking attack examples on the ARM architecture, a buffer-overflow exploit and a ROP attack, and describe how each is detected under whole-system CFI enforcement.

We evaluate each of the three parts of this work separately. The results indicate that the proposed techniques, namely whole-system out-of-the-box dynamic analysis, whole-system semantic view extraction and whole-system CFI enforcement, can effectively support malware analysis and attack detection on the ARM architecture.

Keywords/Search Tags: Whole-system Out-of-the-box Dynamic Analysis, Callback Instrumentation, Semantic Gap, Virtual Machine Introspection, Semantic View Reconstruction, Control-Flow Integrity Enforcement
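The abstract's second contribution, reconstructing the process list from the hardware layer and comparing it with the kernel's own list to expose processes hidden by direct kernel object manipulation, is the classic cross-view detection pattern of virtual machine introspection. The following Python program is an added illustration written for this page; it is not code from the thesis or from QUEST/light-VMI. It uses a constructed guest memory image with a deliberately simplified, hypothetical task record layout (not the real Linux task_struct), a hypothetical list-head address, and a constructed trace of page-table bases (the values TTBR0 would be loaded with at context switches, which an emulator-level callback can observe).

```python
import struct

# Record layout of the constructed guest "task" structure used here
# (a hypothetical simplification, not the real Linux task_struct):
#   +0  pid   u32
#   +4  pgd   u32   physical address of the page-table base (loaded into TTBR0 when it runs)
#   +8  next  u32   guest address of the next record in the kernel list, 0 terminates
#   +12 name  16 bytes, NUL padded
TASK_FMT = "<III16s"
TASK_SIZE = struct.calcsize(TASK_FMT)  # 28 bytes
LIST_HEAD = 0x1000                     # hypothetical address of the first record (init)


def build_guest_memory():
    """Build a small guest memory image (constructed sample data).

    Four records are laid out back to back from LIST_HEAD. The kernel list links
    init -> sshd -> shell; the fourth record ("hidden", pid 40) has been unlinked
    by direct kernel object manipulation, so a list walk never reaches it, but the
    record is still in memory and the scheduler still switches to its pgd.
    """
    mem = bytearray(0x2000)
    records = [  # (pid, pgd, name)
        (1, 0x10000000, b"init"),
        (20, 0x20000000, b"sshd"),
        (30, 0x30000000, b"shell"),
        (40, 0x40000000, b"hidden"),
    ]
    for i, (pid, pgd, name) in enumerate(records):
        addr = LIST_HEAD + i * TASK_SIZE
        # init -> sshd -> shell -> end; nothing points at the "hidden" record.
        nxt = addr + TASK_SIZE if i < 2 else 0
        mem[addr:addr + TASK_SIZE] = struct.pack(TASK_FMT, pid, pgd, nxt, name)
    return mem


def read_task(mem, addr):
    """Bridge the semantic gap for one record: raw bytes -> (pid, pgd, next, name)."""
    pid, pgd, nxt, name = struct.unpack_from(TASK_FMT, mem, addr)
    return pid, pgd, nxt, name.rstrip(b"\0").decode()


def kernel_view(mem, head=LIST_HEAD):
    """Software view: walk the kernel's own process list (what `ps` in the guest sees).
    Returns {pgd: (pid, name)}."""
    view, addr, seen = {}, head, set()
    while addr and addr not in seen:   # `seen` guards against a corrupted or cyclic list
        seen.add(addr)
        pid, pgd, nxt, name = read_task(mem, addr)
        view[pgd] = (pid, name)
        addr = nxt
    return view


def hardware_view(pgd_switch_trace):
    """Hardware view: every page-table base the emulator saw loaded at a context
    switch. A process that actually ran appears here regardless of kernel bookkeeping."""
    return set(pgd_switch_trace)


def find_hidden_processes(mem, pgd_switch_trace):
    """Cross-view comparison: pgds that ran on the hardware but are absent from the
    kernel list belong to hidden processes. Each is resolved to a name by scanning
    memory for a task record carrying that pgd (record-granularity signature scan)."""
    hidden = hardware_view(pgd_switch_trace) - set(kernel_view(mem))
    found = []
    for pgd in sorted(hidden):
        for addr in range(LIST_HEAD, len(mem) - TASK_SIZE + 1, TASK_SIZE):
            pid, rec_pgd, _, name = read_task(mem, addr)
            if rec_pgd == pgd and pid:
                found.append((pid, name, pgd))
                break
        else:  # ran on hardware, but no record found: report the pgd alone
            found.append((None, "<unknown>", pgd))
    return found


if __name__ == "__main__":
    mem = build_guest_memory()
    # Constructed trace of TTBR0 values observed at context switches.
    trace = [0x10000000, 0x20000000, 0x40000000, 0x30000000, 0x40000000]
    print("kernel view:", sorted(kernel_view(mem).values()))
    print("hidden     :", find_hidden_processes(mem, trace))
```

The point of the design is that the hardware view costs nothing to keep accurate: a callback on PGD switches (one of the event classes the abstract lists for QUEST) sees every process that is scheduled, whereas the software view depends on kernel data a rootkit can edit. Only the name resolution needs offsets for the guest's record layout, which is exactly the part the abstract describes as semantic view reconstruction.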
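The third contribution, whole-system CFI enforcement that catches both the buffer-overflow and the ROP example, can be illustrated with a shadow-stack checker driven by control-flow events of the kind an instruction-execution callback delivers. The Python below is an added example written for this page, not code from the thesis or QUEST; the function addresses, the event traces and the function map (standing in for what API function name recovery would supply) are all constructed and hypothetical. It assumes ARM A32 calls, where the return address of a `bl`/`blx` is the instruction after it (pc + 4).

```python
# Constructed map of known function entry points (hypothetical addresses), playing
# the role of the symbol information recovered by semantic view extraction.
FUNCTION_ENTRIES = {0x8000: "main", 0x8100: "read_input", 0x8200: "process", 0x8300: "system"}

# Control-flow events, each (kind, pc, target):
#   "bl"  direct call, "blx" indirect call through a register, "ret" return (bx lr / pop {pc})
RETURN_OFFSET = 4  # A32: return address is the instruction following the call


def enforce_cfi(trace, function_entries=FUNCTION_ENTRIES):
    """Replay a control-flow trace against a shadow stack and return the list of
    CFI violations. Backward edges must return to the address pushed by the matching
    call; forward edges taken indirectly must land on a known function entry."""
    shadow, violations = [], []
    for kind, pc, target in trace:
        if kind == "bl":
            shadow.append(pc + RETURN_OFFSET)
        elif kind == "blx":
            if target not in function_entries:
                violations.append(("forward-edge", pc, target, None))
            shadow.append(pc + RETURN_OFFSET)
        elif kind == "ret":
            expected = shadow.pop() if shadow else None  # None: more returns than calls
            if target != expected:
                violations.append(("backward-edge", pc, target, expected))
        else:
            raise ValueError(f"unknown event kind {kind!r}")
    return violations


def classify(trace):
    """Summarise a trace as 'clean' or 'hijacked' together with its violations."""
    v = enforce_cfi(trace)
    return ("hijacked" if v else "clean"), v


# Constructed traces.
BENIGN = [
    ("bl", 0x8010, 0x8100),   # main -> read_input
    ("ret", 0x8130, 0x8014),  # read_input returns to the instruction after the call
    ("bl", 0x8020, 0x8200),   # main -> process
    ("blx", 0x8210, 0x8100),  # process -> read_input through a function pointer
    ("ret", 0x8130, 0x8214),
    ("ret", 0x8230, 0x8024),
]

# Stack buffer overflow: the saved return address of read_input was overwritten,
# so the function "returns" straight into system().
OVERFLOW = [
    ("bl", 0x8010, 0x8100),
    ("ret", 0x8130, 0x8300),
]

# ROP: the corrupted return lands in a gadget (not a function entry), and each
# gadget ends in another return that pops the next attacker-chosen address.
ROP = [
    ("bl", 0x8010, 0x8100),
    ("ret", 0x8130, 0x9000),
    ("ret", 0x9004, 0x9010),
    ("ret", 0x9014, 0x8300),
]

if __name__ == "__main__":
    for name, trace in (("benign", BENIGN), ("overflow", OVERFLOW), ("rop", ROP)):
        print(name, classify(trace))
```

Both attacks surface as backward-edge violations: the overflow as a single mismatch against the shadow stack, the ROP chain as a mismatch followed by returns with no corresponding call at all (expected address `None`). Forward-edge checking against the recovered function map is what keeps an indirect call through a corrupted function pointer from slipping past the return check.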