QEMU Based Abnormal Communication Analysis of Linux Applications
  • Original title (Chinese): 基于QEMU的Linux应用异常通信行为分析
  • Authors: AO Quan (敖权); LU Hui-mei (陆慧梅); XIANG Yong (向勇); CAO Rui-dong (曹睿东)
  • Affiliations: School of Computer Science and Technology, Beijing Institute of Technology; Department of Computer Science and Technology, Tsinghua University
  • Keywords: covert communication; dynamic tracing; QEMU emulator; function call; binary rewriting
  • Journal: Computer Science (计算机科学), journal code JSJA
  • Publication date: 2018-05-15
  • Year: 2018
  • Volume: 45
  • Issue: 5
  • Pages: 96-103 (8 pages)
  • Article ID: JSJA201805018
  • CN: 50-1075/TP
  • Funding: National "Core Electronic Devices, High-end Generic Chips and Basic Software" (核高基) project, grants 2012ZX01039-004-4 and 2012ZX01039-003
  • Language: Chinese
Abstract
This paper proposes a semi-automatic method for analysing abnormal communication behaviour, Socket Analysis based on QEMU (SAQ), which detects covert communication in ELF-format Linux applications early enough to prevent information leakage. By modifying QEMU, the authors developed a dynamic tracing tool, QEMU-TRACER, which SAQ uses to locate suspicious communication functions in the application. The suspicious functions are then disabled one at a time by binary rewriting, and the program's behaviour before and after each modification is compared to confirm and remove the abnormal network communication. Tests on OpenSSH and ProFTPD show that SAQ detects the abnormal communication behaviour in both and successfully disables it.
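The SAQ workflow summarised in the abstract (trace calls, flag functions that reach socket APIs, stub one candidate out by rewriting the binary, then compare behaviour) is shown below as an added, self-contained example. It is not the paper's QEMU-TRACER or SAQ code: the trace format, the symbol addresses, the tiny ELF image and the observed endpoints are all constructed here, and only the ELF64 header layout and the x86-64 stub encoding are real.

```python
import struct
from collections import defaultdict

# libc entry points through which a Linux ELF program talks to the network.
NET_APIS = {"socket", "connect", "send", "sendto", "sendmsg",
            "recv", "recvfrom", "accept", "bind", "listen"}
OUTBOUND = {"connect", "sendto", "sendmsg"}   # calls that address a peer

# Constructed trace in a hypothetical "caller -> callee" format; QEMU-TRACER's
# real output format is not described on this page.
TRACE = """\
main -> do_authentication
do_authentication -> auth_password
auth_password -> send_beacon
send_beacon -> socket
send_beacon -> connect
send_beacon -> send
main -> server_loop
server_loop -> accept
server_loop -> recv
"""

# Constructed symbol table (what one would read from the ELF .symtab or `nm`).
SYMBOLS = {"send_beacon": 0x401040, "server_loop": 0x401080}

def parse_trace(text):
    """Build {caller: set(callees)} from 'caller -> callee' trace lines."""
    graph = defaultdict(set)
    for line in text.splitlines():
        if "->" in line:
            caller, callee = (s.strip() for s in line.split("->", 1))
            graph[caller].add(callee)
    return graph

def suspicious_functions(graph):
    """User functions that call socket APIs directly; peer-addressing ones first."""
    hits = [(f, calls & NET_APIS) for f, calls in graph.items() if calls & NET_APIS]
    hits.sort(key=lambda h: (not (h[1] & OUTBOUND), h[0]))
    return [f for f, _ in hits]

ELF_HDR = "<16sHHIQQQIHHHHHH"   # Elf64_Ehdr (64 bytes), little-endian
ELF_PHDR = "<IIQQQQQQ"          # Elf64_Phdr (56 bytes)
PT_LOAD = 1

def vaddr_to_offset(image, vaddr):
    """Translate a virtual address to a file offset through the PT_LOAD segments."""
    hdr = struct.unpack_from(ELF_HDR, image, 0)
    if hdr[0][:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    phoff, phentsize, phnum = hdr[5], hdr[9], hdr[10]
    for i in range(phnum):
        p_type, _, p_offset, p_vaddr, _, p_filesz, _, _ = struct.unpack_from(
            ELF_PHDR, image, phoff + i * phentsize)
        if p_type == PT_LOAD and p_vaddr <= vaddr < p_vaddr + p_filesz:
            return p_offset + (vaddr - p_vaddr)
    raise ValueError(f"vaddr {vaddr:#x} is not file-backed by any PT_LOAD segment")

RET0_STUB = bytes.fromhex("31c0c3")   # x86-64: xor eax,eax ; ret  (return 0, do nothing)

def disable_function(image, vaddr):
    """Return a copy of the image with the function at vaddr stubbed out."""
    off = vaddr_to_offset(image, vaddr)
    patched = bytearray(image)
    patched[off:off + len(RET0_STUB)] = RET0_STUB
    return bytes(patched)

def build_test_image(symbols):
    """Constructed ELF64 image: one R+X PT_LOAD mapping file offset 0 to 0x400000."""
    size = 0x1100
    image = bytearray(size)
    struct.pack_into(ELF_HDR, image, 0, b"\x7fELF\x02\x01\x01" + b"\0" * 9,
                     2, 0x3E, 1, 0x401000, 64, 0, 0, 64, 56, 1, 64, 0, 0)
    struct.pack_into(ELF_PHDR, image, 64, PT_LOAD, 5, 0, 0x400000, 0x400000,
                     size, size, 0x1000)
    for vaddr in symbols.values():               # push rbp ; mov rbp,rsp at each entry
        off = vaddr - 0x400000
        image[off:off + 4] = bytes.fromhex("554889e5")
    return bytes(image)

def confirm_abnormal(before, after, expected):
    """The disabled function carried abnormal traffic if the patch removed endpoints
    the program is not expected to use while every expected endpoint is still present."""
    removed = before - after
    return bool(removed) and removed.isdisjoint(expected) and expected <= after

if __name__ == "__main__":
    candidates = suspicious_functions(parse_trace(TRACE))
    image = build_test_image(SYMBOLS)
    patched = disable_function(image, SYMBOLS[candidates[0]])
    # Constructed (peer, port) endpoints observed in a run before and after the patch.
    before = {("203.0.113.7", 4444), ("0.0.0.0", 22)}
    after = {("0.0.0.0", 22)}
    print(candidates, confirm_abnormal(before, after, {("0.0.0.0", 22)}))
```

Two caveats a practitioner should keep in mind. The `xor eax,eax; ret` stub only works for x86-64 functions whose callers tolerate a zero return value; a function that must fill an output buffer or whose result is dereferenced needs a stub that matches its contract, which is why the method compares whole-program behaviour after each patch rather than trusting the patch alone. For position-independent executables the addresses in the trace are runtime addresses and must have the load base subtracted before the PT_LOAD translation above.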
