Handling anti-virtual machine techniques in malicious software

Abstract

Malware analysis relies heavily on the use of virtual machines (VMs) for functionality and safety. There are subtle differences in operation between virtual and physical machines. Contemporary malware checks for these differences and changes its behavior when it detects a VM presence. These anti-VM techniques hinder malware analysis. Existing research approaches to uncover differences between VMs and physical machines use randomized testing, and thus cannot guarantee completeness.
In this article, we propose a detect-and-hide approach, which systematically addresses anti-VM techniques in malware. First, we propose cardinal pill testing—a modification of red pill testing that aims to enumerate the differences between a given VM and a physical machine through carefully designed tests. Cardinal pill testing finds five times more pills by running 15 times fewer tests than red pill testing. We examine the …

Metadata

publication: ACM Transactions on Privacy and Security (TOPS) 21 (1), 1-31, 2017
year: 2017
publication date: 2017/12/6
authors: Hao Shi, Jelena Mirkovic, Abdulla Alwabel
link: https://dl.acm.org/doi/abs/10.1145/3139292
journal: ACM Transactions on Privacy and Security (TOPS)
volume: 21
issue: 1
pages: 1-31
publisher: ACM