Data Flow Tracking Research Based On Dynamic KVM Acceleration

Posted on: 2020-08-12
Degree: Master
Type: Thesis
Country: China
Candidate: J Y Gao
Full Text: PDF
GTID: 2428330599458601
Subject: Computer technology
Abstract/Summary:
Malware analysis is a crucial step in preventing malware attacks. Dynamic binary analysis, one of the commonly used program analysis techniques, usually depends on program runtime information, and a program's data flow carries a large amount of such information. In existing data flow tracking systems, the analyst usually runs the malware under a software emulator and instruments the whole system, but the overall overhead is very large, efficiency drops sharply, and the transparency of the analysis cannot be guaranteed. To resolve these problems, this thesis proposes a method for efficiently tracking data flow at the process level. First, exploiting the fact that the QEMU user-mode TCG engine is inefficient but easy to instrument while the KVM accelerator is efficient but hard to control, it introduces a dynamic KVM/TCG switching system that executes the malware under the TCG engine and the rest of the system under KVM, so that the advantages of both engines are combined. Second, it implements a system that translates guest code into the LLVM intermediate representation and performs instruction-level instrumented taint propagation on that representation. When the malicious program makes an external API call, instruction-level instrumented propagation is stopped and a patch performs function-level taint propagation using the API parameters and semantic analysis. Third, it designs an instrumentation cache optimization strategy to address the low efficiency of the LLVM intermediate representation, and designs different shadow memory data structures for devices and storage according to their access frequency. Finally, the performance and efficiency of the data flow tracking system are evaluated on both the IE browser and Notepad. The experimental results show that the data flow tracking method incurs only a 4.243x slowdown relative to the KVM accelerator, which makes it more practical than a pure emulator.
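The instruction-level taint propagation with a function-level patch at API boundaries that the abstract describes, as an added example (not the thesis's code): a small Python tracker over a constructed register-machine trace stands in for the instrumented LLVM IR, and a byte-granular sparse page map for memory beside a flat dict for registers mirrors the idea of choosing shadow structures by access frequency. The toy ISA, the recv/memcpy/strlen summaries and the trace are all hypothetical; the summaries are stand-ins for the thesis's parameter-based function-level patch, not its actual rules.

```python
# Added example, not the thesis's code: a constructed toy ISA stands in for the LLVM IR the
# thesis instruments; recv/memcpy/strlen summaries are hypothetical stand-ins for its patch.
from typing import Dict, List, Tuple, Union

PAGE_SIZE, MASK64 = 4096, (1 << 64) - 1

class TaintState:
    """Concrete state plus shadow. Register shadow: flat dict (few, hot entries).
    Memory shadow: sparse page -> byte-per-byte bitmap, allocated on first taint."""
    def __init__(self) -> None:
        self.regs: Dict[str, int] = {}
        self.mem: Dict[int, int] = {}              # concrete bytes
        self.reg_taint: Dict[str, bool] = {}
        self.mem_taint: Dict[int, bytearray] = {}  # page number -> bitmap

    def mem_tainted(self, addr: int) -> bool:
        page = self.mem_taint.get(addr // PAGE_SIZE)
        return page is not None and page[addr % PAGE_SIZE] == 1

    def set_mem_taint(self, addr: int, tainted: bool) -> None:
        pno, off = divmod(addr, PAGE_SIZE)
        if pno not in self.mem_taint:
            if not tainted:
                return                             # clean pages are never materialised
            self.mem_taint[pno] = bytearray(PAGE_SIZE)
        self.mem_taint[pno][off] = 1 if tainted else 0

    def range_tainted(self, addr: int, size: int) -> bool:
        return any(self.mem_tainted(addr + i) for i in range(size))

    def operand(self, op: Union[str, int]) -> Tuple[int, bool]:
        """Concrete value and taint of a register name or immediate (immediates are clean)."""
        return (self.regs.get(op, 0), self.reg_taint.get(op, False)) if isinstance(op, str) else (op, False)

# Function-level summaries: (state, concrete args) -> (return value, return-value taint).
def summary_recv(st: TaintState, args: List[int]) -> Tuple[int, bool]:
    buf, n = args                                   # hypothetical recv(buf, n): the taint source
    payload = b"GET /index.html"[:n]                # constructed input, not real network data
    for i in range(n):
        st.mem[buf + i] = payload[i] if i < len(payload) else 0
        st.set_mem_taint(buf + i, True)
    return n, False

def summary_memcpy(st: TaintState, args: List[int]) -> Tuple[int, bool]:
    dst, src, n = args                              # copy bytes and their taint byte by byte
    for i in range(n):
        st.mem[dst + i] = st.mem.get(src + i, 0)
        st.set_mem_taint(dst + i, st.mem_tainted(src + i))
    return dst, False

def summary_strlen(st: TaintState, args: List[int]) -> Tuple[int, bool]:
    (s,), n, tainted = args, 0, False
    while st.mem.get(s + n, 0) != 0:                # the length depends on every scanned byte
        tainted, n = tainted or st.mem_tainted(s + n), n + 1
    return n, tainted or st.mem_tainted(s + n)      # ... and on the terminator

API_SUMMARIES = {"recv": summary_recv, "memcpy": summary_memcpy, "strlen": summary_strlen}

def execute(st: TaintState, trace: List[tuple]) -> TaintState:
    """Instruction-level propagation; a 'call' hands off to a function-level summary."""
    for insn in trace:
        op = insn[0]
        if op == "mov":
            _, dst, src = insn
            st.regs[dst], st.reg_taint[dst] = st.operand(src)
        elif op in ("add", "xor"):
            _, dst, src = insn
            if op == "xor" and src == dst:          # zeroing idiom: constant result, clear taint
                st.regs[dst], st.reg_taint[dst] = 0, False
                continue
            (a, ta), (b, tb) = st.operand(dst), st.operand(src)
            st.regs[dst], st.reg_taint[dst] = (a + b if op == "add" else a ^ b) & MASK64, ta or tb
        elif op == "load":                          # data taint only; address taint not tracked
            _, dst, addr_reg, size = insn
            addr = st.regs.get(addr_reg, 0)
            st.regs[dst] = int.from_bytes(bytes(st.mem.get(addr + i, 0) for i in range(size)), "little")
            st.reg_taint[dst] = st.range_tainted(addr, size)
        elif op == "store":
            _, addr_reg, src, size = insn
            addr, (val, tainted) = st.regs.get(addr_reg, 0), st.operand(src)
            for i, byte in enumerate((val & ((1 << 8 * size) - 1)).to_bytes(size, "little")):
                st.mem[addr + i] = byte
                st.set_mem_taint(addr + i, tainted)
        elif op == "call":                          # stop per-instruction tracking, apply summary
            _, name, arg_regs = insn
            st.regs["rax"], st.reg_taint["rax"] = API_SUMMARIES[name](st, [st.regs.get(r, 0) for r in arg_regs])
        else:
            raise ValueError(f"unknown instruction {op!r}")
    return st

# Constructed trace: recv() is the source; memcpy/strlen are summarised, not instrumented.
TRACE = [
    ("mov", "rdi", 0x1000), ("mov", "rsi", 4), ("call", "recv", ["rdi", "rsi"]),
    ("load", "r1", "rdi", 4), ("mov", "r2", "r1"), ("xor", "r2", "r2"),  # copy, then zeroing idiom
    ("mov", "r3", 7), ("add", "r3", "r1"), ("mov", "r4", 0x2000), ("store", "r4", "r3", 4),
    ("mov", "rdi", 0x3000), ("mov", "rsi", 0x2000), ("mov", "rdx", 4), ("call", "memcpy", ["rdi", "rsi", "rdx"]),
    ("mov", "rdi", 0x3000), ("call", "strlen", ["rdi"]),  # length of a tainted string -> rax tainted
    ("mov", "rdi", 0x4000), ("call", "strlen", ["rdi"]),  # clean memory -> rax clean
]
```

Running `execute(TaintState(), TRACE)` shows the two behaviours the abstract separates: each instruction before the calls propagates taint through its own operands (with the `xor r, r` zeroing idiom handled as a taint-clearing constant, a case a naive union rule gets wrong), while `memcpy` and `strlen` are not stepped through at all; their summaries move or derive taint directly from the call arguments. Only the pages actually touched by tainted bytes (0x1000, 0x2000, 0x3000) are materialised in the memory shadow, and the tracker deliberately does not propagate taint through addresses, which is a common precision trade-off and not something the abstract specifies either way.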
Keywords/Search Tags:KVM/TCG, Data flow tracking, Dynamic binary analysis, LLVM intermediate language