
Reducing the Attack Surface of Dynamic Binary Instrumentation Frameworks

  • Conference paper
  • First Online:
Developments and Advances in Defense and Security

Abstract

Malicious applications are one of the most relevant issues in today's technology landscape and are considered the root of many Internet security threats. In part, this is due to the ability of malware developers to respond promptly to the emergence of new security solutions by developing artifacts to detect and evade them. In this work, we present three countermeasures to mitigate recent mechanisms used by malware to detect analysis environments. Among these techniques, this work focuses on those that enable malware to detect dynamic binary instrumentation frameworks, thus increasing the attack surface of those frameworks. To ensure the effectiveness of the proposed countermeasures, proofs of concept were developed and tested in a controlled environment against a set of anti-instrumentation techniques. Finally, we evaluated the performance impact of using such countermeasures.


Notes

  1. See https://github.com/ailton07/eXait_Plugin_PinDetectionByDEPNeglect, https://github.com/ailton07/eXait_Plugin_CodeCacheDetectionByFEEDBEAF, https://github.com/ailton07/eXait_Plugin_PinDetectionByTLS.

  2. See https://github.com/ailton07/PinVMShield.


Acknowledgements

The research of A. Santos Filho and E. L. Feitosa was supported in part by the FAPEAM Proc. No. 009/2017 and by the Federal University of Amazonas (UFAM). The research of R. J. Rodríguez was supported in part by the University, Industry and Innovation Department of the Aragonese Government under the Programa de Proyectos Estratégicos de Grupos de Investigación (project reference T21-17R).

Corresponding author

Correspondence to Ailton Santos Filho.


Copyright information

© 2020 Springer Nature Singapore Pte Ltd.


Cite this paper

Filho, A.S., Rodríguez, R.J., Feitosa, E.L. (2020). Reducing the Attack Surface of Dynamic Binary Instrumentation Frameworks. In: Rocha, Á., Pereira, R. (eds) Developments and Advances in Defense and Security. Smart Innovation, Systems and Technologies, vol 152. Springer, Singapore. https://doi.org/10.1007/978-981-13-9155-2_1
