Journal of KIISE (Korean Institute of Information Scientists and Engineers) A: Systems and Theory

Korean Title | Implementation and Evaluation of a Xen-based Dynamic Malware Analysis System Using Intel VT (translated from the Korean title)
English Title | Development and Analyses of Xen based Dynamic Binary Instrumentation using Intel VT
Author | 김태형 (Taehyoung Kim), 김인혁 (Inhyuk Kim), 엄영익 (Young Ik Eom), 김원호 (Won Ho Kim)
Citation | VOL 37 NO. 05 PP. 0304 ~ 0313 (2010. 10)
Korean Abstract (translated) |
Various techniques exist for analyzing malware. However, with existing analysis techniques it is becoming increasingly difficult to analyze the behavior of malware accurately. In particular, analysis systems are easily detected by the anti-debugging techniques used in malware and show several limitations, such as execution speed, so an analysis technique that resolves these problems is required. In this paper, we design and implement a dynamic code analysis system that provides instruction-level analysis and memory access tracing, the basic requirements for dynamic code analysis. In addition, by extracting API call information through tracing of DLL loading, we build a base environment in which a variety of executable code can be analyzed. The proposed system builds a full-virtualization environment on Xen using Intel's VT technology, with Windows XP running as the guest. By analyzing representative malware samples with the proposed system, we examine the use of each of its functions and show that the proposed system analyzes and detects malware accurately.
English Abstract |
There are several methods for malware analysis. However, it is difficult to detect malware exactly with existing detection methods. Especially, malware with strong anti-debugging facilities can detect analyzers and disturb their analyses. Furthermore, it takes too much time to analyze malware. In order to resolve these problems of current analyzers, an improved analysis scheme is required. This paper suggests a dynamic binary instrumentation system which supports instruction analysis and memory access tracing. Additionally, by supporting API call tracing with DLL loading analysis, our system establishes the foundation for analyzing various executable codes. Based on Xen, a full-virtualization environment is built using Intel's VT technology. Windows XP can be used as a guest. We analyze representative malware using several functions of our system, and show the accuracy and efficiency enhancements in the binary analysis capability of our system.
Keyword |
Hardware-assisted virtualization technology (Korean keyword, translated)
Malware analysis (Korean keyword, translated)
Dynamic code analysis system (Korean keyword, translated)
Anti-debugging technology (Korean keyword, translated)
Hardware-assisted virtualization
Malware analysis
Dynamic binary instrumentation
Anti-debugging