MalT and Ninja: Transparent Malware Debugging on x86 and ARM

Presented at DEF CON China Beta (2018), May 12, 2018, 12:30 p.m. (20 minutes).

With the rapid proliferation of malware attacks on the Internet, understanding malicious behavior plays a critical role in crafting effective defenses. Existing malware analysis platforms leave detectable fingerprints, such as uncommon string properties in QEMU, signatures in Linux kernel profiles, and artifacts in basic instruction execution semantics. Since these fingerprints give malware a chance to split its behavior depending on whether an analysis system is present, existing analysis systems are not sufficient for analyzing sophisticated malware. In this talk, we present a framework for transparent malware analysis that leverages hardware features in existing PC and mobile devices to increase the transparency of malware analysis. In particular, we introduce MalT on the x86 architecture and Ninja on the ARM architecture. MalT uses System Management Mode (SMM) as the execution environment and the Performance Monitoring Unit (PMU) as a hardware assistant to facilitate the analysis, whereas Ninja uses TrustZone technology and the Embedded Trace Macrocell (ETM) to improve transparency. Moreover, both MalT and Ninja are OS-agnostic and require no modification to the operating system or the target application.
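
To make the "split its behavior" problem concrete, here is an added example (written for this page, not code from the talk or from the MalT/Ninja authors) of the kind of CPUID fingerprint check a sample can run on x86 before deciding whether to misbehave. It looks at the three artifacts a QEMU/KVM-style analysis VM commonly exposes: the hypervisor-present bit (CPUID leaf 1, ECX bit 31), the processor brand string (QEMU's default CPU model reports "QEMU Virtual CPU ..."), and the hypervisor vendor signature in leaf 0x40000000 ("TCGTCGTCGTCG" for QEMU's TCG, "KVMKVMKVM" for KVM, and so on). The decision logic is kept separate from the live CPUID read so it can be exercised on constructed strings; the sample inputs in the comments and tests are constructed, not captured from a real machine.

```c
/*
 * Added example (not MalT/Ninja code): CPUID-based analysis-VM fingerprinting
 * of the sort malware uses to split its behaviour. Under an SMM-based analyzer
 * no hypervisor is interposed, so this probe sees a bare-metal CPU.
 */
#include <stdio.h>
#include <string.h>

#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
#endif

/* Artifact bitmask returned by classify_fingerprint(). */
enum {
    FP_NONE      = 0,
    FP_HV_BIT    = 1,  /* CPUID.1:ECX[31] hypervisor-present bit is set          */
    FP_BRAND     = 2,  /* brand string names an emulator ("QEMU Virtual CPU")   */
    FP_HV_VENDOR = 4   /* leaf 0x40000000 carries a known hypervisor signature  */
};

struct cpu_fingerprint {
    char brand[49];      /* CPUID 0x80000002..0x80000004, 48 bytes + NUL */
    char hv_vendor[13];  /* CPUID 0x40000000 EBX:ECX:EDX, 12 bytes + NUL */
    int  hypervisor_bit;
};

/* Published hypervisor vendor signatures; KVM's is followed by three NULs. */
static const char *const known_hv_vendors[] = {
    "KVMKVMKVM", "TCGTCGTCGTCG", "VMwareVMware", "Microsoft Hv", "XenVMMXenVMM"
};

/* Pure decision logic: which artifacts does this CPUID view expose? */
int classify_fingerprint(const struct cpu_fingerprint *fp)
{
    int artifacts = FP_NONE;
    if (fp->hypervisor_bit)
        artifacts |= FP_HV_BIT;
    if (strstr(fp->brand, "QEMU") != NULL)
        artifacts |= FP_BRAND;
    for (size_t i = 0; i < sizeof known_hv_vendors / sizeof known_hv_vendors[0]; i++) {
        if (strncmp(fp->hv_vendor, known_hv_vendors[i], strlen(known_hv_vendors[i])) == 0) {
            artifacts |= FP_HV_VENDOR;
            break;
        }
    }
    return artifacts;
}

/* Wrapper over constructed strings, e.g. ("QEMU Virtual CPU version 2.5+",
 * "TCGTCGTCGTCG", 1) -> FP_HV_BIT|FP_BRAND|FP_HV_VENDOR. */
int classify_cpuid_strings(const char *brand, const char *hv_vendor, int hv_bit)
{
    struct cpu_fingerprint fp;
    memset(&fp, 0, sizeof fp);
    strncpy(fp.brand, brand, sizeof fp.brand - 1);
    strncpy(fp.hv_vendor, hv_vendor, sizeof fp.hv_vendor - 1);
    fp.hypervisor_bit = hv_bit ? 1 : 0;
    return classify_fingerprint(&fp);
}

/* Reads the live CPUID values on x86; returns 0 on any other architecture. */
int read_live_fingerprint(struct cpu_fingerprint *fp)
{
    memset(fp, 0, sizeof *fp);
#if defined(__x86_64__) || defined(__i386__)
    unsigned int a, b, c, d;
    if (__get_cpuid(1, &a, &b, &c, &d))
        fp->hypervisor_bit = (c >> 31) & 1;
    for (unsigned int i = 0; i < 3; i++) {          /* 3 x 16 bytes of brand string */
        if (!__get_cpuid(0x80000002u + i, &a, &b, &c, &d))
            break;
        unsigned int regs[4] = { a, b, c, d };
        memcpy(fp->brand + 16 * i, regs, 16);
    }
    if (fp->hypervisor_bit) {
        /* 0x40000000 lies outside the basic leaf range, so use the raw macro;
         * the leaf is only defined when the hypervisor bit is set. */
        __cpuid(0x40000000u, a, b, c, d);
        unsigned int regs[3] = { b, c, d };
        memcpy(fp->hv_vendor, regs, 12);
    }
    return 1;
#else
    return 0;
#endif
}

int main(void)
{
    struct cpu_fingerprint fp;
    if (!read_live_fingerprint(&fp)) {
        puts("not an x86 CPU; nothing to fingerprint");
        return 0;
    }
    int artifacts = classify_fingerprint(&fp);
    printf("brand=\"%s\" hv_vendor=\"%s\" hv_bit=%d -> artifacts=0x%x (%s)\n",
           fp.brand, fp.hv_vendor, fp.hypervisor_bit, artifacts,
           artifacts ? "analysis VM suspected" : "looks like bare metal");
    return 0;
}
```

Two caveats a practitioner should keep in mind. First, this probe is weak in both directions: KVM with a host-passthrough CPU model forwards the real brand string, and a hypervisor can clear the hypervisor bit, so a sample that relies on it can be fooled, and an analyst cannot rely on it staying hidden. That arms race is exactly why the talk moves the analyzer into SMM (and TrustZone on ARM), where no such probe can observe it. Second, the check is x86-only; the ARM-side artifacts the abstract refers to are different and are not modeled here.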


Presenters:

  • Zhenyu Ning - Ph.D. candidate, Wayne State University
    Zhenyu Ning is a Ph.D. candidate with the Computer Science Department at Wayne State University. He received his master's degree in computer science from Tongji University in 2011. His research interests are in the areas of hardware-assisted system security, embedded systems, and trusted execution environments.
  • Fengwei Zhang - Assistant Professor, Wayne State University
