Computer Science ›› 2018, Vol. 45 ›› Issue (5): 89-96. doi: 10.11896/j.issn.1002-137X.2018.05.016

• Information Security •

QEMU-Based Analysis of Abnormal Communication Behaviour in Linux Applications

AO Quan, LU Hui-mei, XIANG Yong and CAO Rui-dong

  1. School of Computer Science, Beijing Institute of Technology, Beijing 100081; School of Computer Science, Beijing Institute of Technology, Beijing 100081; Department of Computer Science and Technology, Tsinghua University, Beijing 100084; Department of Computer Science and Technology, Tsinghua University, Beijing 100084
  • Online: 2018-05-15 Published: 2018-07-25
  • Funding:
    This work was supported by the National Science and Technology Major Project on Core Electronic Devices, High-end Generic Chips and Basic Software (2012ZX01039-004-4, 2012ZX01039-003).

QEMU Based Abnormal Communication Analysis of Linux Applications

AO Quan, LU Hui-mei, XIANG Yong and CAO Rui-dong   

  • Online: 2018-05-15 Published: 2018-07-25

Abstract: This paper proposes a semi-automatic analysis method for abnormal communication behaviour based on QEMU (Socket Analysis based on QEMU, SAQ), which can promptly discover abnormal communication in ELF-format applications on Linux and prevent information leakage. By modifying QEMU, a dynamic tracing tool, QEMU-TRACER, was developed; SAQ uses QEMU-TRACER to locate suspicious communication functions in an application, then masks the suspicious communication functions one by one through binary code modification, and determines and removes the abnormal network communication by comparing the program's behaviour before and after each modification. Tests on OpenSSH and ProFTPD show that SAQ can discover and successfully mask their abnormal communication behaviour.

Key words: covert communication, dynamic tracing, QEMU emulator, function call, binary rewriting

Abstract: This paper presents a semi-automatic analysis method based on the QEMU emulator (Socket Analysis based on QEMU, SAQ), which can detect covert communication in ELF-format programs on the Linux platform and prevent information leakage. By modifying QEMU, a dynamic tracing tool, QEMU-TRACER, was developed; SAQ uses it to locate the suspicious communication functions in an application. Using binary rewriting, the suspicious functions are disabled one by one, and the program's behaviour before and after each modification is compared to determine and remove the abnormal communication. Experiments on OpenSSH and ProFTPD show that SAQ can detect the abnormal communication behaviour and successfully disable it.

Key words: Covert communication, Dynamic tracing, QEMU emulator, Function call, Binary rewriting
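A toy model of the SAQ workflow described in the abstract (an added example, not code from the paper or its QEMU-TRACER tool): it parses a constructed call trace in an assumed `caller -> callee` format, flags application functions that directly invoke socket APIs, and reports which communication disappears when one of them is stubbed out, mirroring the before/after comparison used to separate a covert channel from the service's legitimate traffic.

```python
from collections import defaultdict

# Constructed trace in an assumed "caller -> callee" format, one call per line.
# It models a server whose password handler also opens an outbound connection.
TRACE = """
main -> server_accept_loop
server_accept_loop -> accept
server_accept_loop -> recv
server_accept_loop -> send
server_accept_loop -> do_authentication
do_authentication -> auth_password
auth_password -> log_credentials
log_credentials -> socket
log_credentials -> connect
log_credentials -> send
"""

# libc wrappers that perform network communication.
COMM_APIS = {"socket", "connect", "accept", "send", "sendto", "recv", "recvfrom"}


def parse_trace(text):
    """Build a caller -> set(callees) call graph from the trace lines."""
    graph = defaultdict(set)
    for line in text.strip().splitlines():
        caller, callee = (part.strip() for part in line.split("->"))
        graph[caller].add(callee)
    return graph


def reachable(graph, root="main", disabled=frozenset()):
    """Functions reachable from root; a disabled function is stubbed (makes no calls)."""
    seen, stack = set(), [root]
    while stack:
        fn = stack.pop()
        if fn in seen:
            continue
        seen.add(fn)
        if fn not in disabled:
            stack.extend(graph.get(fn, ()))
    return seen


def suspicious_functions(graph):
    """Application functions that directly invoke a communication API."""
    return {fn for fn, callees in graph.items() if callees & COMM_APIS}


def impact_of_disabling(graph, fn):
    """Communication APIs that vanish when fn is stubbed: the before/after comparison."""
    before = reachable(graph) & COMM_APIS
    after = reachable(graph, disabled=frozenset({fn})) & COMM_APIS
    return before - after
```

Stubbing `log_credentials` removes only the outbound `socket`/`connect` path while the accept/recv/send service path survives, whereas stubbing `server_accept_loop` removes all communication; that contrast is what marks the former as the abnormal channel.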

