Ao Quan, Lu Huimei, Xiang Yong, Cao Ruidong. QEMU Based Abnormal Communication Analysis of Linux Applications [J]. Computer Science (计算机科学), 2018, 45(5): 89-96
QEMU Based Abnormal Communication Analysis of Linux Applications
Received: 2017-04-29  Revised: 2017-07-12
DOI:10.11896/j.issn.1002-137X.2018.05.016
Keywords: Covert communication, Dynamic tracing, QEMU emulator, Function call, Binary rewriting
Funding: Supported by the National Science and Technology Major Project on Core Electronic Devices, High-end Generic Chips and Basic Software (HGJ) (2012ZX01039-004-4, 2012ZX01039-003)
Author  Affiliation  E-mail
Ao Quan  School of Computer Science, Beijing Institute of Technology, Beijing 100081
Lu Huimei  School of Computer Science, Beijing Institute of Technology, Beijing 100081
Xiang Yong  Department of Computer Science and Technology, Tsinghua University, Beijing 100084  xyong@csnet4.cs.tsinghua.edu.cn
Cao Ruidong  Department of Computer Science and Technology, Tsinghua University, Beijing 100084
Chinese abstract (translated):
      This paper proposes a semi-automatic, QEMU-based method for analyzing abnormal communication behavior (Socket Analysis based on QEMU, SAQ), which can promptly detect abnormal communication by ELF-format applications on Linux and prevent information leakage. By modifying QEMU, a dynamic tracing tool, QEMU-TRACER, was developed; SAQ uses QEMU-TRACER to locate suspicious communication functions in the application. Through binary code modification, the suspicious communication functions are disabled one at a time, and abnormal network communication is identified and removed by comparing the program's behavior before and after each modification. Tests on OpenSSH and ProFTPD show that SAQ can detect, and successfully disable, the abnormal communication behavior in them.
English abstract:
      This paper presents a semi-automatic analysis method based on the QEMU emulator (Socket Analysis based on QEMU, SAQ), which can be used to detect covert communication by ELF-format programs on the Linux platform and prevent information leakage. By modifying QEMU, a dynamic tracing tool, QEMU-TRACER, was developed; SAQ uses it to locate the suspicious communication functions in an application. Using binary rewriting, the suspicious functions are disabled one by one, and the program's behavior before and after each modification is compared to determine and remove the abnormal communication. Experiments on OpenSSH and ProFTPD show that SAQ can detect abnormal communication behavior and successfully disable it.