
Autotap software copies

Script languages are designed to be easy to use and require low learning costs. These features give attackers options to choose a script language for developing their malicious scripts. This diversity of choice on the attacker side unexpectedly imposes a significant cost on the preparation of analysis tools on the defense side. That is, we have to prepare for multiple script languages in order to analyze malicious scripts written in them. We call this unbalanced cost for script languages the asymmetry problem. To solve this problem, we propose a method for automatically detecting the hook and tap points in a script engine binary, which are essential for building a script Application Programming Interface (API) tracer. Our method allows us to reduce the cost of reverse engineering a script engine binary, which is the largest portion of the development effort for a script API tracer, and to build a script API tracer for a script language with minimal manual intervention.

Automatic uncovering of tap points (i.e., places to deploy active monitoring) in an OS kernel is useful in many security applications such as virtual machine introspection, kernel malware detection, and kernel rootkit profiling. However, current practice for extracting a tap point from an OS kernel is to either analyze the kernel source code or manually reverse engineer the kernel binary. This paper presents AutoTap, the first system that can automatically uncover tap points directly from kernel binaries. Specifically, starting from the execution of system calls (i.e., the user-level programming interface) and exported kernel APIs (i.e., the kernel module/driver development interface), AutoTap automatically tracks kernel objects, resolves their kernel execution context, and associates the accessed context with the objects, from which it derives the tap points based on how an object is accessed (e.g., whether the object is created, accessed, updated, traversed, or destroyed). The experimental results with a number of Linux kernels show that AutoTap is able to automatically uncover the tap points for many kernel objects, which would be very challenging to achieve with manual analysis. A case study using the uncovered tap points shows that they can be used to build a robust hidden process detection tool at the hypervisor layer with very low overhead.
