Full potential of dynamic binary translation for AV emulation engine presented at Virus Bulletin 2006

by Jim Wu (Internet Security Systems)

Tags: Security

URL : http://www.virusbtn.com/conference/vb2006/abstracts/Wu.xml

Summary : "Emulation is widely used for generic unpackers, behavioural AVs, and detection of polymorphic malware. The state-of-the-art emulation technology in AV has recently leaped from interpretation to dynamic binary translation (DBT), with performance numbers about 5x to 15x faster than those of interpretation, but still tens of times slower than the real machine (VB2005). On the other hand, complex packers and polymorphic engines now run hundreds of millions of instructions, and require seconds to emulate. We urgently need to explore the full potential of DBT, and push it to within a 10x slowdown of the real machine.

This paper will trace DBT to earlier academic and industrial research such as Stanford's Embra and Intel's SoftSDV. That way we can harness the vast research on this mature technology for the AV emulation engine. The paper will show how to apply key DBT techniques such as code blocks and chaining. Ways to shorten development time for instruction translation will be discussed. Furthermore, it will tackle unique challenges for AV, such as frequent self-modifying code, as well as efficient hooking with virtual Win32 APIs. Performance numbers and future work beyond DBT, such as hardware virtualization, will be discussed."
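The three mechanisms the abstract names, translated code blocks, chaining of block exits, and invalidation when the guest modifies its own code, in a toy form. This is an added example, not code from the paper or from Internet Security Systems: the 3-byte guest ISA, the opcode names, the Vm and Block structures and the two demo programs are all invented here. "Translation" produces a pre-decoded block rather than host machine code, which is enough to show how the cache, the chain links and the invalidation interact; a production engine would emit native code into the block instead.

```c
/* Toy DBT engine for an invented 3-byte guest ISA (opcode, a, b). "Translation" yields a
 * pre-decoded block rather than native host code; cache, chaining and invalidation are the point. */
#include <stdint.h>
#include <string.h>

#define MEM_SIZE   64                        /* guest memory, power of two */
#define ADDR(x)    ((x) & (MEM_SIZE - 1))
#define MAX_INSNS  8                         /* decoded insns per block */
#define MAX_BLOCKS 8                         /* translation cache capacity */
enum { OP_HALT, OP_ADDI, OP_JNZ, OP_JMP, OP_STORE };
typedef struct { uint8_t op, a, b; } Insn;
typedef struct Block {
    int pc, lo, hi, n;                       /* start pc, guest bytes [lo,hi), insn count (0 = free slot) */
    Insn code[MAX_INSNS];                    /* pre-decoded copy of the guest block */
    struct Block *taken, *fall;              /* chained successors, NULL until first resolved */
} Block;
typedef struct {
    uint8_t mem[MEM_SIZE];
    int reg[4];
    Block cache[MAX_BLOCKS];
    int translations, chained;               /* counters: blocks translated, dispatches skipped */
} Vm;

void vm_load(Vm *vm, const uint8_t *prog, int len) {
    memset(vm, 0, sizeof *vm);               /* zeroed cache: every slot free, no chains */
    memcpy(vm->mem, prog, len > MEM_SIZE ? MEM_SIZE : len);
}
/* Translate the basic block at pc: decode until a control-flow instruction. */
static Block *translate(Vm *vm, int pc) {
    Block *b = NULL;
    for (int i = 0; i < MAX_BLOCKS && !b; i++) if (!vm->cache[i].n) b = &vm->cache[i];
    if (!b) { memset(vm->cache, 0, sizeof vm->cache); b = &vm->cache[0]; }  /* cache full: flush all */
    b->pc = b->lo = pc; b->n = 0; b->taken = b->fall = NULL;
    for (;;) {
        Insn in = { vm->mem[ADDR(pc)], vm->mem[ADDR(pc + 1)], vm->mem[ADDR(pc + 2)] };
        b->code[b->n++] = in; pc += 3;
        if (in.op == OP_HALT || in.op == OP_JNZ || in.op == OP_JMP || b->n == MAX_INSNS) break;
    }
    b->hi = pc;
    vm->translations++;
    return b;
}
static Block *get_block(Vm *vm, int pc) {    /* cache lookup, translate on miss */
    for (int i = 0; i < MAX_BLOCKS; i++) if (vm->cache[i].n && vm->cache[i].pc == pc) return &vm->cache[i];
    return translate(vm, pc);
}
/* Self-modifying code: blocks covering the written byte are stale, and so is any chain link into them. */
static void invalidate(Vm *vm, int addr) {
    int hit = 0;
    for (int i = 0; i < MAX_BLOCKS; i++)
        if (vm->cache[i].n && addr >= vm->cache[i].lo && addr < vm->cache[i].hi) { vm->cache[i].n = 0; hit = 1; }
    if (hit) for (int i = 0; i < MAX_BLOCKS; i++) vm->cache[i].taken = vm->cache[i].fall = NULL;
}
/* Run from pc for at most max_blocks block executions. Returns the address of the HALT
 * that stopped the guest, or -1 if the budget ran out. */
int vm_run(Vm *vm, int pc, int max_blocks) {
    Block *b = get_block(vm, pc);
    while (max_blocks-- > 0) {
        int start = b->pc, next = -1;
        Block **link = NULL;                 /* exit slot to chain through once the successor is known */
        for (int i = 0; i < b->n && next < 0; i++) {
            Insn in = b->code[i];
            switch (in.op) {
            case OP_HALT: return start + 3 * i;
            case OP_ADDI: vm->reg[in.a & 3] += (int8_t)in.b; break;
            case OP_JMP:  next = in.b; link = &b->taken; break;
            case OP_JNZ:  if (vm->reg[in.a & 3]) { next = in.b; link = &b->taken; }
                          else { next = b->hi; link = &b->fall; }
                          break;
            case OP_STORE:
                vm->mem[ADDR(in.b)] = (uint8_t)vm->reg[in.a & 3];
                invalidate(vm, ADDR(in.b));
                if (!b->n) next = start + 3 * (i + 1);   /* we rewrote our own block: abandon its stale decode */
                break;
            }
        }
        if (next < 0) { next = b->hi; link = &b->fall; }   /* block ended by the size limit */
        if (link && *link) { b = *link; vm->chained++; }   /* chained exit: no cache lookup at all */
        else {
            Block *from = b; b = get_block(vm, next);      /* may flush the cache and reuse from's slot */
            if (link && from->n && from->pc == start) *link = b;   /* chain only if the source survived */
        }
    }
    return -1;
}
/* Constructed guest programs for the demo (not from the paper). */
int demo_countdown(Vm *vm) {                 /* r0 -= 1; jnz r0, 0; halt: a tight loop that gets chained */
    static const uint8_t prog[] = { OP_ADDI, 0, 0xFF, OP_JNZ, 0, 0, OP_HALT, 0, 0 };
    vm_load(vm, prog, sizeof prog); vm->reg[0] = 5;
    return vm_run(vm, 0, 100);
}
int demo_self_modifying(Vm *vm) {            /* r0 += 1; mem[6] = r1 (= OP_HALT); jmp 0: patches its own jmp */
    static const uint8_t prog[] = { OP_ADDI, 0, 1, OP_STORE, 1, 6, OP_JMP, 0, 0 };
    vm_load(vm, prog, sizeof prog);
    return vm_run(vm, 0, 100);
}
```

demo_countdown runs a five-iteration loop with two translations and three chained re-entries: after the first trip around the loop the block's taken-exit points straight at itself and the dispatcher is never consulted again. demo_self_modifying is the AV-relevant case: the block stores OP_HALT over its own JMP, the store lands inside the block's [lo,hi) range, the block and every chain link are dropped, and execution resumes from fresh guest bytes; without the invalidation step the cached JMP would spin until the block budget ran out, which is exactly how a packer's decryption loop would defeat a naive block cache. Real engines make this cheaper than a linear range scan, for instance by write-protecting pages that hold translated code or by keeping a per-page dirty flag, and they unchain only the links that point into the dead block rather than all of them.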