Computer Science ›› 2017, Vol. 44 ›› Issue (11): 246-252. doi: 10.11896/j.issn.1002-137X.2017.11.037

• Information Security •

Windows Security Mechanisms Simulation and Sandbox System Implementation Based on Wine

DIAO Ming-zhi, ZHOU Yuan, LI Zhou-jun, ZHAO Yu-fei

  1. School of Computer Science and Engineering, Beihang University, Beijing 100191; National Computer Network Emergency Response Technical Team/Coordination Center of China, Beijing 100029; School of Computer Science and Engineering, Beihang University, Beijing 100191; School of Computer Science and Engineering, Beihang University, Beijing 100191
  • Online: 2018-12-01  Published: 2018-12-01
  • Funding:
    This work was supported by the National Natural Science Foundation of China (61170189, 6, 61202239), the National High-Tech R&D Program of China (863 Program) (2015AA016004) and the Doctoral Fund of the Ministry of Education of China (20111102130003).

Abstract: We simulated two Windows security mechanisms, address space layout randomization (ASLR) and user account control (UAC) Virtualization, on top of the open-source software Wine. The two mechanisms bring Wine's environment closer to the real operating system and make it safer. Building on them, we further present a relatively realistic sandbox system, which employs the wineserver mechanism to detect the dynamic behavior of samples and uses Wine's own .wine directory as their running environment. The experimental results show that the proposed sandbox exhibits the basic characteristics of ASLR and UAC Virtualization. Compared with other sandboxes, it can not only effectively detect the behavior of unknown samples, but also offers low resource utilization, strong isolation and fast state rollback, which lets it meet the requirements of batch deployment and operation.

Key words: Wine, address space layout randomization (ASLR), user account control (UAC) Virtualization, dynamic behavior detection, sandbox

