Christopher Kruegel to Present on Full-System Emulation at Black Hat 2014

Today, forensics experts and malware protection solutions face a myriad of challenges when attempting to extract information from malicious files. Sandboxing (dynamic analysis) is a popular method for identifying the malicious behaviors associated with running or opening a given file, providing the ability to examine the actions for which that file is responsible. Sandboxing technology is gaining popularity for detecting targeted threats and zero-day attacks because this approach need not rely on detecting malicious code. Instead, it can leverage the ability to identify suspicious behavioral patterns to assess the risk inherent in running a given sample and provide intelligence about the protocols and infrastructure that attackers have at their disposal.

Of course, many attackers have a vested interest in making it much more difficult to extract intelligence from their backdoors or implants. New techniques to evade or complicate first-generation sandbox analysis of samples are growing in popularity and diversity. With malware authors constantly evolving new techniques to hamper automated analysis, what is a researcher to do?

Next-generation sandboxing using full-system emulation is one of the latest weapons in the advanced malware protection arsenal. By simulating the physical hardware (including CPU and memory) rather than instrumenting the guest from inside, full-system emulation provides the deepest level of visibility into malware behavior, and it is also the hardest for advanced malware to evade. When compared to first-generation sandboxing techniques, the advantage of the approach is clear.

Join Co-Founder and Chief Scientist of Lastline, Christopher Kruegel, on Wednesday, August 6th at 11:45am PST as he presents on full-system emulation.

The briefing will delve deeper into:

  • designing and building sandbox (dynamic analysis) systems
  • information one should seek to extract with a sandbox platform
  • advantages and limitations of externally instrumented full-system emulation
  • added value in comparison with other approaches, such as OS emulation or traditional virtualization solutions, which instrument from inside the analysis environment
  • recent examples of several classes of evasion techniques observed in the wild
  • solutions to these challenges, each enabled by full-system emulation