Non-intrusive Virtual Machine Analysis and Reverse Debugging with SWAT

Dovgalyuk, Pavel; Vasiliev, Ivan; Fursova, Natalia; Dmitriev, Denis; Abakumov, Mikhail; Макаров, Владимир Александрович

doi:10.1109/qrs51102.2020.00036

Cited by 2 publications

(2 citation statements)

References 11 publications

Supporting

Mentioning

Contrasting

Unclassified

Order By: Relevance

“…For the Full-system emulation of QEMU, Zhang et al detail in [36] a partial list of implementation gaps, such as General Protection exceptions not being raised as in hardware upon, e.g., accessing a reserved MSR register. Recently, Dovgalyuk et al in [12] report on incorrect FPU context information in QEMU, using the detection that D'Elia et al [9] wrote for Pin.…”

Section: Discussionmentioning

confidence: 99%

Evaluating Dynamic Binary Instrumentation Systems for Conspicuous Features and Artifacts

et al. 2022

View full text Add to dashboard Cite

Dynamic binary instrumentation (DBI) systems are a popular solution for prototyping heterogeneous program analyses and monitoring tools. Several works from academic and practitioner venues have questioned the transparency of DBI systems, with anti-analysis detection sequences being found already in malware and executable protectors. The present Field Note details new and established detection methods and evaluates recent versions of popular DBI systems against them. It also sets out reflections on potential remediations and alternatives available to security researchers for their daily needs. We make available a large collection of implemented detections, hoping it can help the community build better DBI runtimes and tools.

show abstract

Section: Discussionmentioning

confidence: 99%

Evaluating Dynamic Binary Instrumentation Systems for Conspicuous Features and Artifacts

et al. 2022

View full text Add to dashboard Cite

show abstract

“…Наш подход к интроспекции основан на перехвате редко меняющихся событий (системные вызовы) и анализе ядерных структур данных в памяти виртуальной машины. Интерфейс системных вызовов меняется в рамках существующей системы очень редко [12]. Обычно только добавляются новые варианты функций или старые перестают использоваться.…”

Section: поиск поверхности атакиunclassified

Natch: using virtual machine introspection and taint analysis for detection attack surface of the software

Dovgalyuk¹,

Климушенкова²,

Fursova³

et al. 2022

Proceedings of ISP RAS

View full text Add to dashboard Cite

Natch is a tool that provides a convenient way of obtaining an attack surface. By attack surface we mean a list of executable files, dynamic libraries and functions that are responsible for input data processing (such as: files, network packets) during task execution. Functions that end up in the attack surface are possible sources of software vulnerabilities, so they should be given an increased attention during an analysis. At the heart of the Natch tool lay improved methods of tainted data tracking and virtual machines introspection. Natch is built on the basis of the full-system QEMU emulator, so it allows you to analyze any system components, including even the OS kernel and system drivers. The collected attack surface data is visualized by SNatch, which is tool for data post-processing and GUI implementation. SNatch comes with Natch tool by default. Attack surface obtaining can be built into CI/CD for integrational and system testing. A refined attack surface will increase the effectiveness of functional testing and fuzzing in the life cycle of secure software.

show abstract

Non-intrusive Virtual Machine Analysis and Reverse Debugging with SWAT

Cited by 2 publications

References 11 publications

Evaluating Dynamic Binary Instrumentation Systems for Conspicuous Features and Artifacts

Evaluating Dynamic Binary Instrumentation Systems for Conspicuous Features and Artifacts

Natch: using virtual machine introspection and taint analysis for detection attack surface of the software

Contact Info

Product

Resources

About