A framework for understanding dynamic anti-analysis defenses

Jing Qiu; Babak Yadegari; Brian Johannesmeyer; Saumya Debray; Xiaohong Su

doi:10.1145/2689702.2689704

A framework for understanding dynamic anti-analysis defenses

Jing Qiu, Babak Yadegari, Brian Johannesmeyer, Saumya Debray, Xiaohong Su

Research output: Chapter in Book / Report / Conference proceeding › Conference contribution › Academic › peer-review

Abstract

Malicious code often use a variety of anti-analysis and anti-tampering defenses to hinder analysis. Researchers trying to understand the internal logic of the malware have to penetrate these defenses. Existing research on such anti-analysis defenses tend to study them in isolation, thereby failing to see underlying conceptual similarities between different kinds of anti-analysis defenses. This paper proposes an information-flow-based framework that encompasses a wide variety of anti-analysis defenses. We illustrate the utility of our approach using two different instances of this framework: self-checksumming-based anti-tampering defenses and timing-based emulator detection. Our approach can provide insights into the underlying structure of various anti-analysis defenses and thereby help devise techniques for neutralizing them.

Original language	English
Title of host publication	Proceedings of the 4th Program Protection and Reverse Engineering Workshop, PPREW 2014
Publisher	Association for Computing Machinery
ISBN (Electronic)	9781605586373
DOIs	https://doi.org/10.1145/2689702.2689704
Publication status	Published - 9 Dec 2014
Externally published	Yes
Event	4th Program Protection and Reverse Engineering Workshop, PPREW 2014 - New Orleans, United States Duration: 9 Dec 2014 → …

Publication series

Name	ACM International Conference Proceeding Series
Volume	12-December-2014

Conference

Conference	4th Program Protection and Reverse Engineering Workshop, PPREW 2014
Country/Territory	United States
City	New Orleans
Period	9/12/14 → …

Funding

This research was supported in part by the Air Force Office of Scientific Research (AFOSR) under grant no. FA9550-11-1-0191 and the National Science Foundation (NSF) under grants CNS-1115829, CNS-1145913, III-1318343, and CNS-1318955. This research was also funded by National Natural Science Foundation of China (NSFC) 61173021. The opinions, findings, and conclusions expressed in this paper are solely those of the authors and do not necessarily reflect the views of AFOSR, NSF or NSFC.

Keywords

Anti-analysis defense
Sefl-checksumming
Taint analysis
Timing defense

Access to Document

10.1145/2689702.2689704

Persistent URL (handle)

Persistent link

Cite this

Qiu, J., Yadegari, B., Johannesmeyer, B., Debray, S., & Su, X. (2014). A framework for understanding dynamic anti-analysis defenses. In Proceedings of the 4th Program Protection and Reverse Engineering Workshop, PPREW 2014 Article a2 (ACM International Conference Proceeding Series; Vol. 12-December-2014). Association for Computing Machinery. https://doi.org/10.1145/2689702.2689704

@inproceedings{aa43b22db2814c528000e5beb64dea05,

title = "A framework for understanding dynamic anti-analysis defenses",

abstract = "Malicious code often use a variety of anti-analysis and anti-tampering defenses to hinder analysis. Researchers trying to understand the internal logic of the malware have to penetrate these defenses. Existing research on such anti-analysis defenses tend to study them in isolation, thereby failing to see underlying conceptual similarities between different kinds of anti-analysis defenses. This paper proposes an information-flow-based framework that encompasses a wide variety of anti-analysis defenses. We illustrate the utility of our approach using two different instances of this framework: self-checksumming-based anti-tampering defenses and timing-based emulator detection. Our approach can provide insights into the underlying structure of various anti-analysis defenses and thereby help devise techniques for neutralizing them.",

keywords = "Anti-analysis defense, Sefl-checksumming, Taint analysis, Timing defense",

author = "Jing Qiu and Babak Yadegari and Brian Johannesmeyer and Saumya Debray and Xiaohong Su",

year = "2014",

month = dec,

day = "9",

doi = "10.1145/2689702.2689704",

language = "English",

series = "ACM International Conference Proceeding Series",

publisher = "Association for Computing Machinery",

booktitle = "Proceedings of the 4th Program Protection and Reverse Engineering Workshop, PPREW 2014",

note = "4th Program Protection and Reverse Engineering Workshop, PPREW 2014 ; Conference date: 09-12-2014",

}

Qiu, J, Yadegari, B, Johannesmeyer, B, Debray, S & Su, X 2014, A framework for understanding dynamic anti-analysis defenses. in Proceedings of the 4th Program Protection and Reverse Engineering Workshop, PPREW 2014., a2, ACM International Conference Proceeding Series, vol. 12-December-2014, Association for Computing Machinery, 4th Program Protection and Reverse Engineering Workshop, PPREW 2014, New Orleans, United States, 9/12/14. https://doi.org/10.1145/2689702.2689704

A framework for understanding dynamic anti-analysis defenses. / Qiu, Jing; Yadegari, Babak; Johannesmeyer, Brian et al.
Proceedings of the 4th Program Protection and Reverse Engineering Workshop, PPREW 2014. Association for Computing Machinery, 2014. a2 (ACM International Conference Proceeding Series; Vol. 12-December-2014).

Research output: Chapter in Book / Report / Conference proceeding › Conference contribution › Academic › peer-review

TY - GEN

T1 - A framework for understanding dynamic anti-analysis defenses

AU - Qiu, Jing

AU - Yadegari, Babak

AU - Johannesmeyer, Brian

AU - Debray, Saumya

AU - Su, Xiaohong

PY - 2014/12/9

Y1 - 2014/12/9

N2 - Malicious code often use a variety of anti-analysis and anti-tampering defenses to hinder analysis. Researchers trying to understand the internal logic of the malware have to penetrate these defenses. Existing research on such anti-analysis defenses tend to study them in isolation, thereby failing to see underlying conceptual similarities between different kinds of anti-analysis defenses. This paper proposes an information-flow-based framework that encompasses a wide variety of anti-analysis defenses. We illustrate the utility of our approach using two different instances of this framework: self-checksumming-based anti-tampering defenses and timing-based emulator detection. Our approach can provide insights into the underlying structure of various anti-analysis defenses and thereby help devise techniques for neutralizing them.

AB - Malicious code often use a variety of anti-analysis and anti-tampering defenses to hinder analysis. Researchers trying to understand the internal logic of the malware have to penetrate these defenses. Existing research on such anti-analysis defenses tend to study them in isolation, thereby failing to see underlying conceptual similarities between different kinds of anti-analysis defenses. This paper proposes an information-flow-based framework that encompasses a wide variety of anti-analysis defenses. We illustrate the utility of our approach using two different instances of this framework: self-checksumming-based anti-tampering defenses and timing-based emulator detection. Our approach can provide insights into the underlying structure of various anti-analysis defenses and thereby help devise techniques for neutralizing them.

KW - Anti-analysis defense

KW - Sefl-checksumming

KW - Taint analysis

KW - Timing defense

UR - https://www.scopus.com/pages/publications/84984996380

UR - https://www.scopus.com/inward/citedby.url?scp=84984996380&partnerID=8YFLogxK

U2 - 10.1145/2689702.2689704

DO - 10.1145/2689702.2689704

M3 - Conference contribution

AN - SCOPUS:84984996380

T3 - ACM International Conference Proceeding Series

BT - Proceedings of the 4th Program Protection and Reverse Engineering Workshop, PPREW 2014

PB - Association for Computing Machinery

T2 - 4th Program Protection and Reverse Engineering Workshop, PPREW 2014

Y2 - 9 December 2014

ER -

A framework for understanding dynamic anti-analysis defenses

Abstract

Publication series

Conference

Funding

Keywords

Access to Document

Persistent URL (handle)

Other files and links

Fingerprint

Cite this