Hardware-Assisted Malware Analysis


A technical paper titled “On the Feasibility of Malware Unpacking via Hardware-assisted Loop Profiling” was published by researchers at Shandong University & Hubei Normal University, Tulane University and University of Texas at Arlington. This paper was included at the recent 32nd USENIX Security Symposium.

“Hardware Performance Counters (HPCs) are built-in registers of modern processors to count the occurrences of various micro-architectural events. Measuring HPCs values is a cost-effective way to characterize dynamic program behaviors. Because of the ease of use and tamper-resistant advantages, using HPCs coupled with machine learning models to address security problems is on the rise in recent years. However, lately the suitability of HPCs for security has been questioned in light of the non-determinism concerns: measurement errors caused by interrupt skid and time-division multiplexing can undermine the effectiveness of using HPCs in security applications.

With these cautions in mind, we explore ways to tame hardware event’s non-determinism nature for malware unpacking, which is a long-standing challenge in malware analysis. Our research is motivated by two key observations. First, the unpacking process, which involves expensive iterations of decryption or decompression, can incur identifiable deviations in hardware events. Second, loop-centric HPCs profiling can minimize the imprecisions caused by interrupt skid and time-division multiplexing. Therefore, we utilize two mechanisms offered by Intel CPUs (i.e., Precise Event-Based Sampling (PEBS) and Last Branch Record) to develop a generic, hardware-assisted unpacking technique, called LoopHPCs. It offers a new, obfuscation-resilient solution to identify the original code from multiple “written-then-executed” layers. Our controlled experiments demonstrate that LoopHPCs can obtain precise and consistent HPCs values across different Intel CPU architectures and OSs.”

Find the technical paper and slides here. Published August 2023.

Cheng, Binlin, Erika A. Leal, Haotian Zhang, and Jiang Ming. “On the Feasibility of Malware Unpacking via Hardware-assisted Loop Profiling.” In 32nd USENIX Security Symposium (USENIX Security 23), pp. 7481-7498. 2023.
