USTC Degree and Graduate Education
Bare-Metal Malware Analysis for Mobile Devices with Transparent Snapshot Support
Instructor

Lecturer: 林璟锵 (Jingqiang Lin)
Discipline: Engineering
Popularity: 333

Course Description
Jingqiang Lin, Ph.D., is a professor and doctoral supervisor at the Institute of Information Engineering, Chinese Academy of Sciences. He has long been devoted to cyberspace security research, in particular the application of cryptographic techniques in computer and network systems. His papers have appeared in international conferences and journals including IEEE S&P, NDSS, IEEE TDSC, IEEE TKDE and IEEE TIFS, and include the ISC 2014 Best Student Paper Award and the ACSAC 2017 Outstanding Paper Award. In 2017, as project lead, he undertook the National Key R&D Program cyberspace security key project "Key Technologies of a Mobile Internet Cryptographic Service Support Infrastructure Based on Domestic Cryptographic Algorithms". He has led and participated in many projects under the National 973 Program, the National 863 Program, the National Natural Science Foundation of China and the National Science and Technology Support Program. He received the Chinese Academy of Sciences Zhu Li Yuehua Outstanding Teacher Award in 2017, the Chinese Association for Cryptologic Research Cryptography Innovation Award (second class) in 2016, the Cryptography Science and Technology Progress Award (first class) in 2015, the Beijing Science and Technology Award (second class) in 2004, and the National Science and Technology Progress Award (second class) in 2005.

The increasing growth of cybercrimes targeting mobile devices urges an efficient malware analysis platform. With the emergence of evasive malware, which is capable of detecting that it is being analyzed in virtualized environments, bare-metal analysis has become the definitive resort. Existing works mainly focus on extracting the malicious behaviors exposed during bare-metal analysis. However, after malware analysis, it is equally important to quickly restore the system to a clean state to examine the next sample. Unfortunately, state-of-the-art solutions on mobile platforms can only restore the disk, and require a time-consuming system reboot. In addition, all of the existing works require some in-guest components to assist the restoration. Therefore, a kernel-level malware is still able to detect the presence of the in-guest components. We propose Bolt, a transparent restoration mechanism for bare-metal analysis on mobile platforms without rebooting. Bolt achieves a reboot-less restoration by simultaneously making a snapshot of both the physical memory and the disk. The memory snapshot is enabled by an isolated operating system (BoltOS) in the ARM TrustZone secure world, and the disk snapshot is accomplished by a piece of customized firmware (BoltFTL) for flash-based block devices. Because both BoltOS and BoltFTL are isolated from the guest system, even kernel-level malware cannot interfere with the restoration. More importantly, Bolt does not require any modifications to the guest system. As such, Bolt is the first that simultaneously achieves efficiency, isolation, and stealthiness to recover from infection due to malware execution. We have implemented a Bolt prototype working with the Android OS. Experimental results show that Bolt can restore the guest system to a clean state in only 2.80 seconds.

University of Science and Technology of China Graduate Online Classroom (trial version); copyright belongs to the Graduate School of USTC.
All content on this website belongs to the University of Science and Technology of China and may not be downloaded or redistributed without permission.
Address: 96 Jinzhai Road, Hefei, Anhui Province; postal code: 230026. TEL: +86-551-63602922; E-mail: wlkt@ustc.edu.cn.