
    Artifact Mitigation in High-Fidelity Hypervisors

    17 USC 105 interim-entered record; under temporary embargo. U.S. Government affiliation is unstated in article text.

    Studying a Virtual Testbed for Unverified Data

    It is difficult to fully know the effects a piece of software will have on your computer, particularly when the software is distributed by an unknown source. The research in this paper focuses on malware detection, virtualization, and sandbox/honeypot techniques with the goal of improving the security of installing useful, but unverifiable, software. With a combination of these techniques, it should be possible to install software in an environment where it cannot harm a machine, but can be tested to determine its safety. Testing for malware, performance, network connectivity, memory usage, and interoperability can be accomplished without allowing the program to access the base operating system of a machine. After the full effects of the software are understood and it is determined to be safe, it could then be run from, and given access to, the base operating system. This thesis investigates the feasibility of creating a system to verify the security of unknown software while ensuring it will have no negative impact on the host machine.

    Artifact Mitigation in High-Fidelity Hypervisors

    The use of hypervisors for cyber operations has increased significantly over the past decade, resulting in an associated increase in the demand for higher-fidelity hypervisors. These hypervisors would not exhibit the markers, or artifacts, that expose the presence of the virtualized environments present in most currently available virtualization solutions. To address this, we present an in-depth examination of a subset of virtualization artifacts in order to design and implement a software solution that reduces detectability by mitigating these artifacts. Our analysis includes performance measurements of a bare-metal machine, a virtualized machine without our mitigations, and a virtualized machine with our mitigations. The analysis also includes a measure of our implemented system's simulated sensor output. Results of the implementation are analyzed to determine the potential performance impact, the accuracy of our system's simulated output, and whether our mitigation technique is appropriate for extending high-fidelity hypervisors.
    Outstanding Thesis
    Lieutenant Commander, United States Navy
    Approved for public release; distribution is unlimited.

    Malware Sandbox Evasion Techniques in Mobile Devices

    The mobile platform is where it's at. There are currently very few professionals who dispute this view. Because of the rapidly increasing number of smartphones and other devices powered by the Android operating system all over the world, there has been a corresponding surge in the number of mobile apps, particularly harmful mobile apps. This form of malware is very new, but it is rapidly changing, and it brings hazards that have not been seen before. As a part of Check Point’s ongoing efforts against the rising tide of mobile dangers, we, the Malware Research Team, want to learn as much as we can about the constantly shifting Android malware landscape. This requires understanding the internal operation of as many malicious apps as we can. Manual malware analysis has always been a difficult operation, taking days or even weeks to complete for each sample. Because of the time it takes, manual analysis is impracticable even for a small sample pool. Following the successful application of this strategy to mobile malware, our response is to automate as much of the analysis process as is practicable. Idan Revivo and Ofer Caspi from Check Point’s Malware Research Team were tasked with developing a system that would take an application and produce a report describing exactly what it does when it is run, specifically pointing out anything "fishy." This would enable us to perform an initial analysis with no human intervention, which is exactly what they have done. The popular CuckooDroid sandbox and a few other open-source projects form the basis of this automated, cross-platform emulation and analysis framework, which allows for static and dynamic APK inspection in addition to evading some VM-detection techniques, encryption key extraction, SSL inspection, API call tracing, basic behavioral signatures, and more. It is easy to make changes and add new features to the framework, and it draws heavily on the expertise of the current Cuckoo community.

    An Empirical Analysis of Cyber Deception Systems


    Comparative Analysis of Malware Behavior in Hardware and Virtual Sandboxes

    Malicious software, or malware, continues to be a pervasive threat to computer systems and networks worldwide. As malware constantly evolves and becomes more sophisticated, it is crucial to develop effective methods for its detection and analysis. Sandboxing technology has emerged as a valuable tool in the field of cybersecurity, allowing researchers to safely execute and observe malware behavior in controlled environments. This thesis presents a comprehensive investigation into the behavior of malware samples when executed in both hardware and virtual sandboxes. The primary objective is to assess the effectiveness of hardware sandboxing in capturing and analyzing malware behaviors compared to traditional virtual sandboxes. The research methodology involves the execution of various malware samples in both hardware and virtual sandboxes, followed by the analysis of key parameters, including memory changes, file system logs, and network traffic. By comparing the results obtained from the two sandboxing approaches, this study aims to provide insights into the advantages and limitations of each method. Furthermore, the research delves into the potential evasion techniques employed by malware to bypass detection in either sandboxing environment. Identifying such evasion strategies is vital for enhancing the overall security posture and developing more robust defense mechanisms against evolving malware threats. The findings of this research contribute to the field of cybersecurity by shedding light on the strengths and weaknesses of hardware and virtual sandboxes for malware analysis. Ultimately, this work serves as a valuable resource for security practitioners and researchers seeking to improve malware detection and analysis techniques in the ever-evolving landscape of cybersecurity threats.

    Denial-of-Service Attacks on Host-Based Generic Unpackers

    Funding: China National Science Foundation.
    This research was mostly done when the first three authors, Limin Liu, Jiang Ming, and Zhi Wang, were researchers at Singapore Management University. It was partially supported by the National Science Foundation (NSF) of China under agreements 90718005, 70890084/G021102, and 60573015.