Journal of the Korean Institute of Information Scientists and Engineers (KIISE) B: Software and Applications
Korean Title (translated) |
Dynamic Analysis Method for Executables Obfuscated with Virtualization Techniques |
English Title |
Dynamic Analysis of Virtualization-Obfuscated Binary Executables |
Author |
Joonsoo Jeon (전준수)
Taisook Han (한태숙)
|
Citation |
Vol. 40, No. 1, pp. 61-71 (January 2013) |
Korean Abstract (translated) |
Code obfuscation techniques are applied to malware to make it difficult to analyze its contents and devise countermeasures, and the obfuscation techniques in use are becoming increasingly sophisticated and diverse. In particular, virtualization-based obfuscation, which converts the original program into the bytecode of a virtual machine whose structure is unknown and executes that bytecode with a virtual machine embedded alongside it, completely changes the structure of the original program and makes analysis extremely difficult; many variant techniques built on it have also appeared. Developing a reverse-engineering technique for each of these obfuscation techniques one by one is very difficult. However, since an obfuscated program must necessarily have the same semantics as the original program, examining the program's dynamic behavior and analyzing its structure and semantics on that basis greatly helps the analyst understand the program's internals. In this paper, we design a dynamic analysis algorithm that helps identify the structure and semantics of programs obfuscated with virtualization techniques, implement it, and develop a tool that assists in analysis. We judge that analysts can reduce the time needed to understand obfuscated malware by using the proposed techniques and the developed tool.
|
English Abstract |
Understanding the behavior of malware is a difficult task because malware writers distort the binary executable with obfuscation techniques. Moreover, obfuscation techniques are becoming sophisticated and diverse, and even virtualization is now applied. With virtualization of a binary executable, the original instructions are transformed into the bytecodes of an unidentifiable virtual machine (VM), which interprets those bytecodes during execution. The virtualization modifies the structure of the program and makes analysis hard and time-consuming. Furthermore, variations among VMs hinder devising a standard reverse-engineering technique. Nonetheless, since an obfuscated program inevitably has the same semantics as the original program, monitoring the dynamic behavior of the program helps analysts figure out its internals based on the structure and semantics of its run traces. In this paper, we describe our observations on virtualization obfuscation, present dynamic analysis algorithms, and implement an analysis tool that analyzes the structure and semantics of run traces. We expect malware analyzers to save time in understanding obfuscated malware with our tool.
|
Keywords (Korean, translated) |
Virtualization technique
Obfuscation
Malware analysis
Dynamic program analysis
Software security
|
Keywords (English) |
Virtualization
Obfuscation
Malware Analysis
Dynamic Analysis
Software Security
|