Research on Emulator-Based Sandbox Systems

doi:10.3969/j.issn.1671-1122.2015.09.032

Netinfo Security ›› 2015, Vol. 15 ›› Issue (9): 139-143.doi: 10.3969/j.issn.1671-1122.2015.09.032

• Orginal Article • Previous Articles Next Articles

Research on Emulator-Based Sandbox Systems

Hang YU^1,^2,³(), Li-min LIU^1,³, Neng GAO^1,³, Hong-da LI^1,³

1.State Key Laboratory of Information Security, Institute of Information Engineering, Chinese Academy of Sciences, Beijing 100093, China
2.University of Chinese Academy of Sciences, Beijing 100049, China
3.Data Assurance and Communication Security Research Center, Beijing 100093, China

Received:2015-07-15 Online:2015-09-30 Published:2015-11-13

Abstract

Abstract:

Malware authors frustrate the dynamic analysis by the means of detecting whether the malware is executed in the sandbox. This method is called anti-virtualization technology. To defeat anti-virtualization, malware analysts try their bests to guarantee the consistency of real world and sandbox. Firstly, this paper analyses the semantic monitoring capacities, internals and security issues of existing sandbox systems, and then summarizes that emulator-based sandbox systems have advantages over others in isolation, full-system view and high monitoring efficiency. Also, we analyze the reason why emulator-based sandbox systems are not transparent enough.

Key words: sandbox, anti-virtualization, emulator

CLC Number:

TP309

Hang YU, Li-min LIU, Neng GAO, Hong-da LI. Research on Emulator-Based Sandbox Systems[J]. Netinfo Security, 2015, 15(9): 139-143.

Figures/Tables 7

References 18

[1]	王小山,杨安,石志强,等. 工业控制系统信息安全新趋势[J]. 信息网络安全,2015,(1):6-11.
[2]	Flame[EB/OL].
[3]	姚为光. 软件加壳技术的研究[D].成都:电子科技大学. 2011.
[4]	任伟,柳坤,周金. AnDa:恶意代码动态分析系统[J]. 信息网络安全,2014,(8):28-33.
[5]	Chen X, Andersen J, Mao Z M, et al.Towards an understanding of anti-virtualization and anti-debugging behavior in modern malware[C]//Dependable Systems and Networks With FTCS and DCC, 2008. DSN 2008. IEEE International Conference on. IEEE, 2008: 177-186.
[6]	彭小详,户振江,龚涛,等. 恶意代码自动脱壳技术研究[J]. 信息网络安全,2014,(5):41-45.
[7]	Willems C, Holz T, Freiling F.Toward automated dynamic malware analysis using cwsandbox[J]. IEEE Security & Privacy, 2007 (2): 32-39.
[8]	Cuckoo Sandbox[EB/OL], .
[9]	Bayer U, Kruegel C, Kirda E.TTAnalyze: A tool for analyzing malware[M]. NA, 2006.
[10]	Anubis[EB/OL], https://anubis.iseclab.org/, 2015-6.
[11]	Dinaburg A, Royal P, Sharif M, et al.Ether: malware analysis via hardware virtualization extensions[C]//Proceedings of the 15th ACM conference on Computer and communications security. ACM, 2008: 51-62.
[12]	Smith J, Nair R.Virtual machines: versatile platforms for systems and processes[M]. Elsevier, 2005.
[13]	x86 virtualization[EB/OL].
[14]	Xen[EB/OL].
[15]	Neugschwandtner M, Platzer C, Comparetti P M, et al.Danubis-dynamic device driver analysis based on virtual machine introspection[M]//Detection of Intrusions and Malware, and Vulnerability Assessment. Springer Berlin Heidelberg, 2010: 41-60.
[16]	Chen P M, Noble B D.When virtual is better than real [operating system relocation to virtual machines][C]//Hot Topics in Operating Systems, 2001. Proceedings of the Eighth Workshop on. IEEE, 2001: 133-138.
[17]	Yan L K, Jayachandra M, Zhang M, et al.V2E: combining hardware virtualization and softwareemulation for transparent and extensible malware analysis[J]. ACM Sigplan Notices, 2012, 47(7): 227-238.
[18]	朱平,杜彦辉. 基于虚拟机与API调用监控技术的APT木马取证研究[J]. 信息网络安全,2014,(4):78-81.

Research on Emulator-Based Sandbox Systems

RichHTML

PDF (PC)

Knowledge

Abstract

Cite this article

share this article

Figures/Tables 7

References 18

Related Articles 2

Recommended Articles

Metrics

Comments

[1]	Weiping WEN, Bozhi WU, Yingnan JIAO, Yongqiang HE. Design and Implementation on Malicious Documents Detection Tool Based on Machine Learning [J]. Netinfo Security, 2018, 18(8): 1-7.
[2]	ZHAO Yang, HU Long, XIONG Hu, QIN Zhi-guang. Dynamic Analysis Scheme of Android Malware Based on Sandbox [J]. 信息网络安全, 2014, 14(12): 21-26.