EmuID: Detecting presence of emulation through microarchitectural characteristic on ARM

Software emulation is at the core of efficient automated software analysis. It allows efficient use of computing resources by running multiple instances on a single machine. Also, software emulation naturally provides a strong sandboxing that contains the analyzed target software. Software emulation techniques and principles have been implemented in dynamic binary translators (DBI) and emulators used extensively in practice. Transparency of emulation is one of the essential aspects of emulation engines. That is, hiding the presence of emulation from the software that is being emulated is vital in many use cases of software emulation (e.g., malware analysis). Detecting the presence of emulation through various methods and preventing such exploits have been an important topic in the field. Emulation detection is commonly used in protecting commercial software against reverse engineering, or abused by malware developers who intend to sabotage the analysis of their malware. Many works have proposed methods for emulation detection, while others introduced mitigations. In this paper, we present EmuID, which exploits a peculiar microarchitectural caveat of the ARM architecture to detect emulation. Our method is accurate, implementation-agnostic, and robust. Our evaluations show that our method detects ARM execution in well-known emulation engines on ARM (i.e., ARM-on-ARM) as well as cross-architecture ARM emulation on the x86 architecture (i.e., ARM-on-x86). Also, mitigation of our approach would require non-trivial modifications to emulation engines, unlike the heuristics-based detection methods that can be readily mitigated once the mechanisms are known. (C) 2021 Elsevier Ltd. All rights reserved.
Publisher
ELSEVIER ADVANCED TECHNOLOGY
Issue Date
2022-02
Language
English
Article Type
Article
Citation

COMPUTERS & SECURITY, v.113

ISSN
0167-4048
DOI
10.1016/j.cose.2021.102569
URI
http://hdl.handle.net/10203/294776
Appears in Collection
CS-Journal Papers (Journal Papers)