Abstract
Malware behavior analysis based on virtualization technology is a method for analyzing malware that has emerged in recent years. The method uses the strong isolation and control offered by a virtualization platform to analyze the behavior of malware at runtime, but it has shortcomings in two respects: on the one hand, existing virtual machine monitors (VMMs) were designed to improve the generality and efficiency of the virtualized system and did not fully consider its transparency, so existing VMMs are easily discovered by malware's environment-awareness checks. To address this, a malware behavior analysis system based on hardware-assisted virtualization technology, THVA, is proposed. THVA is a miniature VMM built with several virtualization technologies, including Secure Virtual Machine (SVM), second-level (nested) page tables (NPT) and virtual machine introspection, and dedicated to malware behavior analysis. Experimental results show that THVA performs well in behavior monitoring and in resisting detection by malware.
Malware analysis based on a hardware-assisted virtual machine monitor (VMM) has recently been proposed; it uses the strong isolation of the virtualization platform and its ability to control the guest OS to analyze the runtime behavior of malware. It has two shortcomings. First, the VMM is designed for functionality and performance rather than transparency, so it can be detected by malware's virtualization-environment checks. Second, the VMM's code base is large and complex, and part of its functionality is unnecessary; these features bring more "side effects" and vulnerabilities. Therefore, THVA, a malware analysis system based on a hardware-assisted virtual machine monitor, is presented. THVA is a thin VMM of only about 6000 lines of code that uses SVM, NPT, EAP and virtual machine introspection technologies and is specialized for malware analysis. Experimental results show that THVA performs well in virtual machine introspection, behavior monitoring and anti-detection. In addition, THVA uses the Security Mode Transition technique to improve its own performance by about 18.2%.
Source
《计算机安全》
2012, No. 9, pp. 2-7 (6 pages)
Network & Computer Security