Full potential of dynamic binary translation for AV emulation engine

Jim Wu, Internet Security Systems


Emulation is widely used for generic unpackers, behavioural AVs, and the detection of polymorphic malware. The state-of-the-art emulation technology in AV has recently leaped from interpretation to dynamic binary translation (DBT), which runs about 5x to 15x faster than interpretation but is still tens of times slower than the real machine (VB2005). At the same time, complex packers and polymorphic engines now execute hundreds of millions of instructions and take seconds to emulate. We urgently need to explore the full potential of DBT and push it to within a 10x slowdown of the real machine.

This paper traces DBT back to earlier academic and industrial research such as Stanford's Embra and Intel's SoftSDV, so that the large body of work on this mature technology can be harnessed for AV emulation engines. It shows how to apply key DBT techniques such as code blocks and block chaining, and discusses ways to shorten the development time for instruction translation. It then tackles challenges unique to AV, such as frequent self-modifying code and efficient hooking with virtual Win32 APIs. Performance numbers and future work beyond DBT, such as hardware virtualization, are also discussed.
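The two DBT techniques the abstract names, code blocks with block chaining, and the AV-specific problem of self-modifying code, can be shown in miniature. The following program is an added illustration written for this page; it is not code from the paper, from Embra, SoftSDV or any ISS engine. It emulates a toy five-opcode guest ISA invented here (not x86): `translate()` decodes straight-line guest code into a cached block, `chain()` patches a direct link from one block to its successor after the first lookup, and `invalidate()` drops every cached block whose source bytes a guest store overwrites. The constructed guest program patches its own loop-head instruction on every pass, so running it with and without write tracking shows the wrong result a naive translation cache produces.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define MEM 256
#define MAX_OPS 32
/* Toy guest ISA constructed for this example (not x86); registers are 8-bit, so ADD 0xFF decrements.
   00 HALT | 01 r imm: r = imm | 02 rd rs: rd += rs | 03 rs addr: mem[addr] = rs | 04 r addr: jnz r, addr */
enum { HALT = 0, LOADI, ADD, STORE, JNZ };
static int insn_len(uint8_t op) { return op == HALT ? 1 : 3; }
typedef struct { uint8_t op, a, b; } Op;   /* one pre-decoded guest instruction */
/* Translated block: ops decoded from guest bytes [start, end); chain links are patched in on first use;
   stale = invalidated while it was running, so run() frees it once execute() returns. */
typedef struct Block { int start, end, n, stale; Op ops[MAX_OPS]; struct Block *taken, *fall; } Block;
/* cache = translation cache keyed by guest start pc; track_smc = invalidate blocks whose bytes get written. */
typedef struct { uint8_t mem[MEM], regs[4]; Block *cache[MEM], *cur; int track_smc;
                 long translated, executed, chained, invalidated; } Cpu;
/* Translate straight-line code from pc up to and including the first control op into one block. */
static Block *translate(Cpu *c, int pc) {
    Block *b = calloc(1, sizeof *b); b->start = pc;
    for (uint8_t op = LOADI; op != HALT && op != JNZ; ) {
        op = c->mem[pc];
        if (op > JNZ || pc + insn_len(op) > MEM || b->n == MAX_OPS - 1) op = HALT;   /* undecodable: stop */
        Op *o = &b->ops[b->n++];
        o->op = op; o->a = op ? c->mem[pc + 1] : 0; o->b = op ? c->mem[pc + 2] : 0;
        b->end = pc += insn_len(op);
    }
    c->translated++;
    return c->cache[b->start] = b;
}
static Block *lookup(Cpu *c, int pc) { return c->cache[pc] ? c->cache[pc] : translate(c, pc); }
/* Self-modifying code: drop every cached block built from addr and unlink chain edges that point at it. */
static void invalidate(Cpu *c, int addr) {
    for (int i = 0; i < MEM; i++) {
        Block *b = c->cache[i];
        if (!b || addr < b->start || addr >= b->end) continue;
        c->cache[i] = NULL; c->invalidated++;
        for (int j = 0; j < MEM; j++) {
            Block *p = c->cache[j];
            if (p) { if (p->taken == b) p->taken = NULL; if (p->fall == b) p->fall = NULL; }
        }
        if (b == c->cur) b->stale = 1; else free(b);   /* the running block is freed by run() */
    }
}
/* Block chaining: jump straight to the successor; resolve it through the cache only the first time. */
static Block *chain(Cpu *c, Block **link, int pc) {
    if (*link) { c->chained++; return *link; }
    return pc < MEM ? (*link = lookup(c, pc)) : NULL;
}
/* Run one block; returns the chained successor, or NULL so run() re-enters at *next (-1 = halted). */
static Block *execute(Cpu *c, Block *b, int *next) {
    int pc = b->start; c->executed++;
    for (int i = 0; i < b->n; i++) {
        Op o = b->ops[i];
        pc += insn_len(o.op);
        if (o.op == LOADI) c->regs[o.a % 4] = o.b;
        else if (o.op == ADD) c->regs[o.a % 4] += c->regs[o.b % 4];
        else if (o.op == STORE) {
            c->mem[o.b] = c->regs[o.a % 4];
            if (c->track_smc) invalidate(c, o.b);
            if (b->stale) { *next = pc; return NULL; }   /* our own bytes changed: retranslate from here */
        } else if (o.op == JNZ) {
            int taken = c->regs[o.a % 4] != 0;
            *next = taken ? o.b : pc;
            return chain(c, taken ? &b->taken : &b->fall, *next);
        } else break;   /* HALT */
    }
    *next = -1; return NULL;
}
static void run(Cpu *c, int pc) {
    for (Block *b = NULL, *nx = NULL; pc >= 0 && pc < MEM; b = nx) {
        c->cur = b = b ? b : lookup(c, pc);
        nx = execute(c, b, &pc);
        c->cur = NULL;
        if (b->stale) free(b);
    }
    for (int i = 0; i < MEM; i++) { free(c->cache[i]); c->cache[i] = NULL; }   /* flush the cache */
}
/* Constructed guest program: five loop passes, each STORE rewriting the LOADI immediate at byte 0x08, so a
   faithful emulator sees r1 = 1,5,4,3,2 and ends with 2, while a cache that ignores the writes keeps r1 = 5. */
static const uint8_t SMC_PROGRAM[] = {
    LOADI, 2, 0xFF, LOADI, 3, 5,   /* 00: r2 = -1   03: r3 = 5 (loop counter)      */
    LOADI, 1, 1,                   /* 06: r1 = imm  (loop head; imm lives at 0x08)  */
    STORE, 3, 0x08, ADD, 3, 2,     /* 09: mem[0x08] = r3   0C: r3 -= 1              */
    JNZ, 3, 0x06, HALT             /* 0F: loop while r3 != 0   12: halt             */
};
static Cpu g_cpu;
/* Run the program with SMC tracking on or off; returns final r1, counters stay in g_cpu. */
static int run_smc_demo(int track_smc) {
    memset(&g_cpu, 0, sizeof g_cpu); memcpy(g_cpu.mem, SMC_PROGRAM, sizeof SMC_PROGRAM);
    g_cpu.track_smc = track_smc; run(&g_cpu, 0);
    return g_cpu.regs[1];
}
int main(void) {
    for (int track = 1; track >= 0; track--) {
        int r1 = run_smc_demo(track);
        printf("%s r1=%d translated=%ld executed=%ld chained=%ld invalidated=%ld\n", track ? "tracked:" : "naive:  ",
               r1, g_cpu.translated, g_cpu.executed, g_cpu.chained, g_cpu.invalidated);
    }
}
```

With tracking on, every pass through the loop invalidates the block that was just patched, so the engine retranslates the loop head five times, never gets to reuse a chain link, and ends with r1 = 2 as real hardware would. With tracking off the first translation of the loop head is reused (two of the four back-edges are taken through the patched chain link), which is fast but leaves r1 = 5. The counters make the trade-off the abstract points at visible: a correct AV emulator must pay for write checks on translated code, and the engineering question is how to keep that cost low when packers modify their own code this often.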
