DocumentCode :
2858469
Title :
Stealth breakpoints
Author :
Vasudevan, Amit ; Yerraballi, Ramesh
Author_Institution :
Dept. of Comput. Sci. & Eng., Texas Univ., Arlington, TX
fYear :
2005
fDate :
5-9 Dec. 2005
Lastpage :
392
Abstract :
Microscopic analysis of malicious code (malware) requires the aid of a variety of powerful tools. Chief among them is a debugger that enables runtime binary analysis at an instruction level. One of the important services provided by a debugger is the ability to stop execution of code at an arbitrary point during runtime, using breakpoints. Software breakpoints support an unlimited number of breakpoint locations by changing the code being debugged so that it can be interrupted during runtime. Most, if not all, malware are very sensitive to code modification with self-modifying and/or self-checking (SM-SC) capabilities, rendering the use of software breakpoints limited in their scope. Hardware breakpoints supported by the underlying processor, on the other hand, use a subset of the processor register set and exception mechanisms to provide breakpoints that do not entail code modification. This makes hardware breakpoints the most powerful breakpoint mechanism for malware analysis. However, current processors provide a very limited number of hardware breakpoints (typically 2-4 locations). Thus, a serious restriction is imposed on the debugger to set a desired number of breakpoints without resorting to the limited alternative of software breakpoints. Also, with the ever evolving nature of malware, there are techniques being employed that prevent the use of hardware breakpoints. This calls for a new breakpoint mechanism that retains the features of hardware breakpoints while providing an unlimited number of breakpoints, which cannot be detected or countered. In this paper, we present the concept of stealth breakpoints and discuss the design and implementation of VAMPiRE, a realization of this concept. VAMPiRE cannot be detected or countered and provides unlimited number of breakpoints to be set on code, data, and I/O with the same precision as that of hardware breakpoints. It does so by employing a subtle combination of simple stealth techniques using virtual memory and h- - ardware single-stepping mechanisms that are available on all processors, old and new. This technique makes VAMPiRE portable to any architecture, providing powerful breakpoint ability similar to hardware breakpoints for microscopic malware analysis
Keywords :
data flow analysis; invasive software; program debugging; VAMPiRE; hardware breakpoints; hardware single-stepping mechanisms; malicious code microscopic analysis; malware; software breakpoints; stealth breakpoints; virtual memory;
fLanguage :
English
Publisher :
ieee
Conference_Titel :
Computer Security Applications Conference, 21st Annual
Conference_Location :
Tucson, AZ
ISSN :
1063-9527
Print_ISBN :
0-7695-2461-3
Type :
conf
DOI :
10.1109/CSAC.2005.52
Filename :
1565265
Link To Document :
https://search.ricest.ac.ir/dl/search/defaultta.aspx?DTC=49&DC=2858469
بازگشت