TY - GEN
T1 - Supporting transparent snapshot for bare-metal malware analysis on mobile devices
AU - Guan, Le
AU - Jia, Shijie
AU - Chen, Bo
AU - Zhang, Fengwei
AU - Luo, Bo
AU - Lin, Jingqiang
AU - Liu, Peng
AU - Xing, Xinyu
AU - Xia, Luning
N1 - Funding Information:
National Natural Science Foundation of China under Grant No.: 61772518, 61602476.
Publisher Copyright:
© 2017 Copyright held by the owner/author(s). Publication rights licensed to ACM.
PY - 2017/12/4
Y1 - 2017/12/4
N2 - The increasing growth of cybercrimes targeting mobile devices urges an efficient malware analysis platform. With the emergence of evasive malware, which is capable of detecting that it is being analyzed in virtualized environments, bare-metal analysis has become the definitive resort. Existing works mainly focus on extracting the malicious behaviors exposed during bare-metal analysis. However, after malware analysis, it is equally important to quickly restore the system to a clean state to examine the next sample. Unfortunately, state-of-The-Art solutions on mobile platforms can only restore the disk, and require a time-consuming system reboot. In addition, all of the existing works require some in-guest components to assist the restoration. Therefore, a kernel-level malware is still able to detect the presence of the in-guest components. We propose Bolt, a transparent restoration mechanism for baremetal analysis on mobile platform without rebooting. Bolt achieves a reboot-less restoration by simultaneously making a snapshot for both the physical memory and the disk. Memory snapshot is enabled by an isolated operating system (BoltOS) in the ARM Trust-Zone secure world, and disk snapshot is accomplished by a piece of customized firmware (BoltFTL) for flash-based block devices. Because both the BoltOS and the BoltFTL are isolated from the guest system, even kernel-level malware cannot interfere with the restoration. More importantly, Bolt does not require any modifications into the guest system. As such, Bolt is the first that simultaneously achieves efficiency, isolation, and stealthiness to recover from infection due to malware execution. We have implemented a Bolt prototype working with the Android OS. Experimental results show that Bolt can restore the guest system to a clean state in only 2.80 seconds.
AB - The increasing growth of cybercrimes targeting mobile devices urges an efficient malware analysis platform. With the emergence of evasive malware, which is capable of detecting that it is being analyzed in virtualized environments, bare-metal analysis has become the definitive resort. Existing works mainly focus on extracting the malicious behaviors exposed during bare-metal analysis. However, after malware analysis, it is equally important to quickly restore the system to a clean state to examine the next sample. Unfortunately, state-of-The-Art solutions on mobile platforms can only restore the disk, and require a time-consuming system reboot. In addition, all of the existing works require some in-guest components to assist the restoration. Therefore, a kernel-level malware is still able to detect the presence of the in-guest components. We propose Bolt, a transparent restoration mechanism for baremetal analysis on mobile platform without rebooting. Bolt achieves a reboot-less restoration by simultaneously making a snapshot for both the physical memory and the disk. Memory snapshot is enabled by an isolated operating system (BoltOS) in the ARM Trust-Zone secure world, and disk snapshot is accomplished by a piece of customized firmware (BoltFTL) for flash-based block devices. Because both the BoltOS and the BoltFTL are isolated from the guest system, even kernel-level malware cannot interfere with the restoration. More importantly, Bolt does not require any modifications into the guest system. As such, Bolt is the first that simultaneously achieves efficiency, isolation, and stealthiness to recover from infection due to malware execution. We have implemented a Bolt prototype working with the Android OS. Experimental results show that Bolt can restore the guest system to a clean state in only 2.80 seconds.
UR - http://www.scopus.com/inward/record.url?scp=85038946055&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85038946055&partnerID=8YFLogxK
U2 - 10.1145/3134600.3134647
DO - 10.1145/3134600.3134647
M3 - Conference contribution
AN - SCOPUS:85038946055
T3 - ACM International Conference Proceeding Series
SP - 339
EP - 349
BT - Proceedings - 33rd Annual Computer Security Applications Conference, ACSAC 2017
PB - Association for Computing Machinery
T2 - 33rd Annual Computer Security Applications Conference, ACSAC 2017
Y2 - 4 December 2017 through 8 December 2017
ER -