Intel Labs, Xiaoning Li @InForSec
Speaker: Xiaoning Li (李晓宁), Security Researcher / Architect, Intel Labs
Topic: Building a fundamentally improved malware analysis sandbox without virtualization
Today, appliances built on hardware virtualization are an important component of the enterprise defense landscape. To catch malware, and APT attacks in particular, virtual appliance systems play a critical role: they analyze samples, collect runtime behavior, and rate the level of maliciousness.
Virtual appliance systems benefit from the strengths of hardware and software virtualization, such as recovery to a known-clean image and runtime inspection from the hypervisor. At the same time, we have to accept the weaknesses of virtual systems: they expose too many signatures, including specific device names and device properties, VMM behaviors, and even side effects of executing particular instructions on a virtual platform. In recent years we have seen many malware samples, such as Smokeloader, that have begun to "detect" virtual systems. We have also published [Ref] a couple of new approaches to detecting software and hardware virtual systems.
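The following is an added example, not code from the talk or from Intel Labs, showing three of the signature classes the abstract lists: a VMM behavior (the hypervisor-present bit in CPUID leaf 1), a device-property string (the vendor string in CPUID leaf 0x40000000, which the listed hypervisors document as "KVMKVMKVM", "VMwareVMware", "Microsoft Hv", "XenVMMXenVMM", "VBoxVBoxVBox" and "TCGTCGTCGTCG"), and an instruction side effect (CPUID forces a VM exit, so its RDTSC-measured cost is much higher under a hypervisor). The function names, the hv_vendors table and the choice of 1000 timing samples are this example's own; no threshold is hard-coded because the bare-metal baseline varies by CPU. Off x86 the probes report "unsupported" rather than guessing.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
#include <x86intrin.h>
#define HAVE_X86_CPUID 1
#else
#define HAVE_X86_CPUID 0
#endif

/* Vendor strings well-known hypervisors return in CPUID leaf 0x40000000
 * (EBX:ECX:EDX). Table built for this example. */
static const struct { const char *id; const char *name; } hv_vendors[] = {
    { "KVMKVMKVM\0\0\0", "KVM" },
    { "VMwareVMware", "VMware" },
    { "Microsoft Hv", "Hyper-V" },
    { "XenVMMXenVMM", "Xen" },
    { "VBoxVBoxVBox", "VirtualBox" },
    { "TCGTCGTCGTCG", "QEMU (TCG)" },
};

/* Unpack the 12-byte vendor string: EBX, ECX, EDX carry the bytes in that
 * order, lowest byte first. Done byte by byte so it is endian-independent. */
void decode_hv_vendor(uint32_t ebx, uint32_t ecx, uint32_t edx, char out[13]) {
    const uint32_t regs[3] = { ebx, ecx, edx };
    for (int r = 0; r < 3; r++)
        for (int b = 0; b < 4; b++)
            out[r * 4 + b] = (char)((regs[r] >> (8 * b)) & 0xff);
    out[12] = '\0';
}

/* Map a decoded 12-byte vendor string to a hypervisor name, or "unknown". */
const char *classify_hv_vendor(const char *vendor12) {
    for (size_t i = 0; i < sizeof hv_vendors / sizeof hv_vendors[0]; i++)
        if (memcmp(vendor12, hv_vendors[i].id, 12) == 0)
            return hv_vendors[i].name;
    return "unknown";
}

/* CPUID.(EAX=1):ECX bit 31 is reserved on real silicon and set by
 * hypervisors that advertise themselves. Returns 1 or 0, or -1 off x86. */
int cpuid_hv_present(void) {
#if HAVE_X86_CPUID
    unsigned int a, b, c, d;
    if (!__get_cpuid(1, &a, &b, &c, &d)) return 0;
    return (int)((c >> 31) & 1);
#else
    return -1;
#endif
}

/* Read leaf 0x40000000 into out (13 bytes). Only meaningful when the
 * hypervisor bit is set; on bare metal this leaf aliases another leaf.
 * Returns 0 on success, -1 off x86. */
int read_hv_vendor(char out[13]) {
#if HAVE_X86_CPUID
    unsigned int a, b, c, d;
    __cpuid(0x40000000, a, b, c, d);
    (void)a;
    decode_hv_vendor(b, c, d, out);
    return 0;
#else
    out[0] = '\0';
    return -1;
#endif
}

/* Instruction side effect: CPUID unconditionally exits to the VMM, so its
 * cost in TSC ticks is far higher under a hypervisor than on bare metal.
 * Returns the minimum over `iters` samples (least noisy), 0 off x86. */
uint64_t cpuid_min_cycles(int iters) {
#if HAVE_X86_CPUID
    uint64_t best = UINT64_MAX;
    for (int i = 0; i < iters; i++) {
        unsigned int a, b, c, d;
        uint64_t t0 = __rdtsc();
        __cpuid(0, a, b, c, d);
        uint64_t t1 = __rdtsc();
        (void)(a + b + c + d);
        if (t1 - t0 < best) best = t1 - t0;
    }
    return best;
#else
    (void)iters;
    return 0;
#endif
}

int main(void) {
    char vendor[13];
    int hv = cpuid_hv_present();
    printf("hypervisor bit: %d\n", hv);
    if (hv == 1 && read_hv_vendor(vendor) == 0)
        printf("vendor: \"%s\" -> %s\n", vendor, classify_hv_vendor(vendor));
    printf("min TSC ticks for CPUID: %llu\n",
           (unsigned long long)cpuid_min_cycles(1000));
    return 0;
}
```

A sandbox that hides the hypervisor bit and vendor string still cannot remove the VM exit, which is why the timing probe is the hardest of the three to defeat and why the talk moves the inspection onto bare metal instead of trying to hide the VMM.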
An ideal system for hosting a malware sandbox needs native, lightweight in-memory inspection techniques along with the ability to rapidly recover a known-clean image. If we can build these capabilities into a native system without any virtualization, we can significantly reduce the detectable footprint of sandbox analysis.
To address these challenges, we present the design of a purpose-built bare-metal system that provides bare-metal malware inspection and rapid OS recovery, along with techniques for applying these capabilities to malware analysis. In this talk we describe how we achieve this goal and present results from the system.
Xiaoning Li is a security researcher and architect at Intel Labs who focuses on analyzing, detecting and preventing 0-day exploits and malware with existing and new processor features. For the past 10+ years his work has centered on hardware/software security co-design and advanced threat research. Xiaoning holds 20+ granted and pending patents in security areas including processor and system security, and has given more than 20 conference and invited talks, including at Black Hat, CanSecWest, ShmooCon and SOURCE.