Computer Science ›› 2018, Vol. 45 ›› Issue (5): 89-96. doi: 10.11896/j.issn.1002-137X.2018.05.016


QEMU Based Abnormal Communication Analysis of Linux Applications

AO Quan, LU Hui-mei, XIANG Yong and CAO Rui-dong   

Online: 2018-05-15   Published: 2018-07-25

Abstract: This paper presents a semi-automatic analysis method based on the QEMU emulator (Socket Analysis based on QEMU, SAQ), which can be used to detect covert communication by ELF-format programs on the Linux platform and to prevent information leakage. By modifying QEMU, a dynamic tracing tool, QEMU-TRACER, was developed; with it, the suspicious communication functions in an application can be located. Using binary rewriting, the suspicious functions are then disabled one by one, and the behaviour of the program before and after each modification is compared to identify and remove the abnormal communication. Experiments on OpenSSH and ProFTPD show that SAQ can detect the abnormal communication behaviours and succeeds in disabling them.

Key words: Covert communication, Dynamic tracing, QEMU emulator, Function call, Binary rewriting

