Abstract
This paper presents a semi-automatic method for analysing abnormal communication behaviour on top of the QEMU emulator, Socket Analysis based on QEMU (SAQ). SAQ detects covert communication in ELF-format programs on Linux early enough to prevent information leakage. By modifying QEMU, the authors built a dynamic tracing tool, QEMU-TRACER, which SAQ uses to locate suspicious communication functions in the application. The suspicious communication functions are then disabled one at a time by binary rewriting, and the program's behaviour before and after each modification is compared to identify and remove the abnormal network communication. Experiments on OpenSSH and ProFTPD show that SAQ detects their abnormal communication behaviour and successfully disables it.
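The loop the abstract describes (trace the program, pick out call sites of socket-API functions, disable each one by binary rewriting, compare which peers are reached before and after) as an added Python illustration. This is not the paper's code and not QEMU-TRACER: the trace line format, the PLT map, the `.text` bytes and the peer addresses are constructed for the demo, and the re-run under the emulator is modelled by filtering the trace rather than re-executing anything. The one mechanic it shows faithfully is the patch itself: an x86-64 `call rel32` is five bytes, so overwriting it with a five-byte NOP leaves every other offset in the binary in place, and the patcher decodes the call target and refuses to touch anything that is not a call into a socket-function stub.

```python
"""Sketch of the SAQ loop: locate socket-API call sites from a trace, disable
each by overwriting the `call` with a same-length NOP, and compare the peers
reached before and after.  Added illustration, not the paper's code or
QEMU-TRACER.  Trace format, PLT map and .text bytes are constructed; the
re-run under the emulator is modelled by filtering the trace."""
import re
from typing import Dict, List, Set, Tuple

NOP5 = bytes.fromhex("0f1f440000")  # nopl 0x0(%rax,%rax,1): 5 bytes, like call rel32
CALL_REL32 = 0xE8
SOCKET_API = {"socket", "connect", "send", "sendto", "sendmsg", "recv", "recvfrom"}

TEXT_BASE = 0x1000                                          # assumed address of CODE[0]
PLT = {0x2000: "connect", 0x2010: "send", 0x2020: "write"}  # assumed PLT stubs


def _call(at: int, target: int) -> bytes:
    """Encode `call rel32` located at `at` and targeting `target`."""
    return bytes([CALL_REL32]) + (target - (at + 5)).to_bytes(4, "little", signed=True)


# Constructed .text image: five calls into the PLT with NOP padding between them.
_code = bytearray(b"\x90" * 0x60)
for _site, _target in ((0x1010, 0x2000), (0x1020, 0x2010), (0x1030, 0x2000),
                       (0x1040, 0x2010), (0x1050, 0x2020)):
    _code[_site - TEXT_BASE:_site - TEXT_BASE + 5] = _call(_site, _target)
CODE = bytes(_code)

# Constructed trace in an assumed "<call site> <callee> <peer>" format.
SAMPLE_TRACE = """\
0x1010 connect 203.0.113.10:443
0x1020 send 203.0.113.10:443
0x1030 connect 198.51.100.7:4444
0x1040 send 198.51.100.7:4444
0x1050 write -
"""

Record = Tuple[int, str, str]  # (call site, callee, peer endpoint or "-")


def parse_trace(text: str) -> List[Record]:
    out: List[Record] = []
    for line in text.splitlines():
        m = re.fullmatch(r"(0x[0-9a-fA-F]+)\s+(\w+)\s+(\S+)", line.strip())
        if m:
            out.append((int(m.group(1), 16), m.group(2), m.group(3)))
    return out


def suspicious_sites(records: List[Record], expected: Set[str]) -> Dict[int, str]:
    """Socket-API call sites whose peer is not one the program should talk to."""
    return {site: peer for site, fn, peer in records
            if fn in SOCKET_API and peer != "-" and peer not in expected}


def callee_of(code: bytes, site: int, base: int = TEXT_BASE) -> int:
    """Decode the target of the `call rel32` at `site`; refuse anything else."""
    off = site - base
    if off < 0 or off + 5 > len(code) or code[off] != CALL_REL32:
        raise ValueError(f"no call rel32 at {site:#x}")
    return site + 5 + int.from_bytes(code[off + 1:off + 5], "little", signed=True)


def disable_call(code: bytes, site: int, base: int = TEXT_BASE,
                 plt: Dict[int, str] = PLT) -> bytes:
    """Replace the call at `site` with NOP5, only if it targets a socket-API stub.
    Same length as the call, so no other offset in the binary moves."""
    fn = plt.get(callee_of(code, site, base))
    if fn not in SOCKET_API:
        raise ValueError(f"{site:#x} does not call a socket function ({fn})")
    off = site - base
    return code[:off] + NOP5 + code[off + 5:]


def endpoints(records: List[Record], disabled: Set[int]) -> Set[str]:
    """Stand-in for re-tracing: peers still reached once `disabled` sites are gone."""
    return {peer for site, fn, peer in records
            if fn in SOCKET_API and peer != "-" and site not in disabled}


def analyse(code: bytes, trace: str, expected: Set[str]) -> Tuple[bytes, Set[int]]:
    """Disable suspicious sites one at a time, keeping a patch only while every
    expected peer is still reached afterwards.  Returns (patched code, sites)."""
    records = parse_trace(trace)
    baseline = endpoints(records, set())
    patched, removed = code, set()
    for site in sorted(suspicious_sites(records, expected)):
        candidate = disable_call(patched, site)
        if (expected & baseline) <= endpoints(records, removed | {site}):
            patched, removed = candidate, removed | {site}
    return patched, removed


if __name__ == "__main__":
    code, sites = analyse(CODE, SAMPLE_TRACE, {"203.0.113.10:443"})
    print("disabled call sites:", [hex(s) for s in sorted(sites)])
    print("peers still reached:", endpoints(parse_trace(SAMPLE_TRACE), sites))
```

On a real ELF the `.text` bytes and their virtual address come from the section headers, and the patched bytes are written back at the same file offset; keeping the replacement the same length as the call is what makes that possible without relocating anything. The "expected peers" set stands in for the legitimate behaviour the paper establishes by comparing runs of the unmodified and modified program.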
Authors
AO Quan (敖权), LU Hui-mei (陆慧梅), XIANG Yong (向勇), CAO Rui-dong (曹睿东)
School of Computer Science and Technology, Beijing Institute of Technology, Beijing 100081, China; Department of Computer Science and Technology, Tsinghua University, Beijing 100084, China
Source
Computer Science (计算机科学), 2018, No. 5, pp. 89-96 (8 pages)
Indexed in: CSCD; Peking University Core Journals (北大核心)
Funding
Supported by the National Science and Technology Major Project on Core Electronic Devices, High-end Generic Chips and Basic Software (核高基), grants 2012ZX01039-004-4 and 2012ZX01039-003.