Abstract
In this paper, we propose a new dynamic and configurable approach to anti-emulation malware analysis, aiming to improve the transparency of existing analysis techniques. We test the effectiveness of existing widespread free analyzers and observe that the main problem of these analyses is that they provide static and immutable values for the parameters used in anti-emulation tests. Our approach aims to overcome this limitation by providing an abstract non-interference-based approach that models the fact that parameters can be modified dynamically, and the corresponding executions compared.
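As an added illustration (not code from the paper or its authors), a small Python model of the two analysis strategies the abstract contrasts: a fixed assignment to the environment parameters versus varying each parameter and comparing the resulting executions, in the spirit of a non-interference check. The sample program, the parameter names (imei, imsi, model) and all values are constructed assumptions.

```python
from itertools import product

# Constructed stand-in for an Android sample under analysis: it reads device
# parameters and shows its real behaviour only when none of the checked values
# look like emulator defaults.  Only observable output matters here, so the
# sample is a pure function of its environment; all values are placeholders.
def sample(env: dict) -> str:
    if env["imei"] == "000000000000000" or env["imsi"].startswith("310260"):
        return "benign"
    return "payload"

# A static analyser hands the sample one immutable assignment (the limitation
# the abstract points out); the dynamic one draws from candidate sets.
STATIC_ENV = {"imei": "000000000000000", "imsi": "310260000000000", "model": "sdk"}
CANDIDATES = {
    "imei": ["000000000000000", "356938035643809"],
    "imsi": ["310260000000000", "222010123456789"],
    "model": ["sdk", "Nexus 5"],
}

def static_run(program) -> str:
    return program(STATIC_ENV)

def interfering_parameters(program, candidates=CANDIDATES) -> dict:
    """Per-parameter non-interference check: fix the other parameters at each
    candidate assignment, vary this one, and compare the executions.  A
    parameter whose variation never changes the output is non-interfering
    (empty list); otherwise the outputs it switches between are returned."""
    names = list(candidates)
    report = {}
    for i, name in enumerate(names):
        others = names[:i] + names[i + 1:]
        witnesses = set()
        for rest in product(*(candidates[o] for o in others)):
            base = dict(zip(others, rest))
            outputs = {program({**base, name: v}) for v in candidates[name]}
            if len(outputs) > 1:
                witnesses |= outputs
        report[name] = sorted(witnesses)
    return report

def hidden_behaviours(program, candidates=CANDIDATES) -> set:
    """Outputs reachable under some dynamic assignment but not under the
    static one: exactly what a fixed-value analyser would have missed."""
    names = list(candidates)
    seen = {program(dict(zip(names, a))) for a in product(*candidates.values())}
    return seen - {static_run(program)}
```

With the constructed sample, the static run only ever sees "benign", while the dynamic comparison reports imei and imsi as the parameters the behaviour depends on and model as non-interfering.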
This work is partly supported by the MIUR FIRB project FACE (Formal Avenue for Chasing malwarE) RBFR13AJFT.
Notes
1. International Mobile Equipment Identity.
2. International Mobile Subscriber Identity.
Copyright information
© 2016 Springer International Publishing Switzerland
About this paper
Cite this paper
Bellini, F., Chiodi, R., Mastroeni, I. (2016). MIME: A Formal Approach to (Android) Emulation Malware Analysis. In: Garcia-Alfaro, J., Kranakis, E., Bonfante, G. (eds) Foundations and Practice of Security. FPS 2015. Lecture Notes in Computer Science, vol. 9482. Springer, Cham. https://doi.org/10.1007/978-3-319-30303-1_16
DOI: https://doi.org/10.1007/978-3-319-30303-1_16
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-30302-4
Online ISBN: 978-3-319-30303-1
eBook Packages: Computer Science (R0)