Execution profiling detection of malicious objects
IPC classification information
Country / type: United States (US) Patent
Status: Granted
International Patent Classification (IPC 7th edition):
G06F-012/14
G06F-021/56
G06F-021/55
G06F-021/53
G06F-021/54
G06F-021/57
Application number: US-0582163 (2014-12-23)
Registration number: US-9934380 (2018-04-03)
Inventors / address: Dalcher, Greg W.; Yamada, Koichi; Shanmugavelayutham, Palanivel Rajan; Singh, Jitendra P.
Applicant / address: McAfee, LLC
Agent / address: Patent Capital Group
Citation information
Cited by: 0
Cited patents: 10
Abstract
In an example, there is provided a system and method for execution profiling detection of malicious software objects. An execution profiling (EXP) engine may be provided in conjunction with a binary translation engine (BTE). Both may operate within a trusted execution environment (TEE). Because many malware objects make assumptions about memory usage of host applications, they may cause exceptions when those assumptions prove untrue. The EXP engine may proactively detect such exceptions via the BTE when the BTE performs its translation function. Thus, malicious behavior may be detected before a binary runs on a system, and remedial measures may be provided.
Representative claims
1. A computing apparatus, comprising: a memory including a locally-executing software process; and one or more logic elements, including at least a processor, comprising an execution profiling engine configured for: concurrent with the locally-executing software process, inspecting a segment of the software process; before executing the segment, determining that the segment will produce an exception condition when the segment runs; checking transfer target addresses against a list of addresses and address ranges commonly used by malware; validating that the software process is owned by a legitimate software module; subjecting the software process to additional security analysis to identify malicious behavior; designating the software process as potentially malicious; and taking a security action related to the software process, comprising designating the software process for additional analysis.
2. The computing apparatus of claim 1, wherein the execution profiling engine is provided at least partly in a trusted execution environment.
3. The computing apparatus of claim 1, wherein subjecting the software process to additional security analysis comprises subjecting the software process to computerized deep inspection.
4. The computing apparatus of claim 1, wherein subjecting the software process to additional security analysis comprises designating the software process for analysis by a human security analyzer.
5. The computing apparatus of claim 1, wherein the execution profiling engine is implemented at least partly in hardware.
6. The computing apparatus of claim 1, further comprising a binary translation engine configured for translating the software process from a first form into a second form.
7. The computing apparatus of claim 6, wherein the second form excludes direct manipulation of memory.
8. The computing apparatus of claim 6, wherein the binary translation engine is provided at least partly in a trusted execution environment.
9. The computing apparatus of claim 6, wherein the binary translation engine is configured for translating the software process into an instrumentable form.
10. The computing apparatus of claim 6, wherein at least one of the execution profiling engine and the binary translation engine is at least partly virtualized.
11. One or more tangible, non-transitory computer-readable mediums having stored thereon instructions that, when executed, instruct a processor for providing an execution profiling engine configured for: inspecting a segment of a concurrent locally-executing software process; before executing the segment, determining that the segment will produce an exception condition when the segment runs; checking transfer target addresses against a list of addresses and address ranges commonly used by malware; validating that the software process is owned by a legitimate software module; subjecting the software process to additional security analysis to identify malicious behavior; designating the software process as potentially malicious; and taking a security action related to the software process, comprising designating the software process for additional analysis.
12. The one or more tangible, non-transitory computer-readable mediums of claim 11, wherein the instructions are further configured for providing the execution profiling engine at least partly in a trusted execution environment.
13. The one or more tangible, non-transitory computer-readable mediums of claim 11, wherein subjecting the software process to additional security analysis comprises subjecting the software process to computerized deep inspection.
14. The one or more tangible, non-transitory computer-readable mediums of claim 11, wherein subjecting the software process to additional security analysis comprises designating the software process for analysis by a human security analyzer.
15. The one or more tangible, non-transitory computer-readable mediums of claim 11, wherein the instructions are further configured for providing a binary translation engine operable for translating the software process from a first form into a second form.
16. The one or more tangible, non-transitory computer-readable mediums of claim 15, wherein the second form excludes direct manipulation of memory.
17. The one or more tangible, non-transitory computer-readable mediums of claim 15, wherein the binary translation engine is provided at least partly in a trusted execution environment.
18. The one or more tangible, non-transitory computer-readable mediums of claim 15, wherein the binary translation engine is configured for translating the software process into an instrumentable form.
19. A computer-implemented method, comprising: inspecting a segment of a concurrent locally-executing computational process; before executing the segment, determining that the segment will produce an exception condition when the segment runs; checking transfer target addresses against a list of addresses and address ranges commonly used by malware; validating that the computational process is owned by a legitimate software module; subjecting the computational process to additional security analysis to identify malicious behavior; designating the computational process as potentially malicious; and taking a security action related to the computational process, comprising designating the software process for additional analysis.
20. The computer-implemented method of claim 19, further comprising: translating the computational process from a first form into a second form, wherein the second form is instrumentable.
21. The computer-implemented method of claim 19, further comprising: subjecting the computational process to additional security analysis, comprising subjecting the computational process to computerized deep inspection.
22. The computer-implemented method of claim 19, further comprising: subjecting the computational process to additional security analysis, comprising designating the computational process for analysis by a human security analyzer.
23. The computer-implemented method of claim 19, further comprising: implementing an execution profiling engine at least partly in hardware.
24. The computer-implemented method of claim 20, wherein the second form excludes direct manipulation of memory.
25. The method of claim 20, wherein translating the computational process from a first form into a second form is provided at least partly in a trusted execution environment.
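As an added illustration of the steps recited in claim 1 (this is not the patent's own code nor McAfee's implementation), the Python sketch below models a pre-execution profiler over a toy instruction set: it inspects a code segment without running it, predicts which memory accesses and control transfers would raise an exception against the process's memory map, checks transfer targets against a list of address ranges, validates that the segment is owned by a legitimate module, and, on any finding, designates the process for additional analysis. Every address, region, module name and entry in the "known-bad" range list is a constructed placeholder; the instruction format and helper names are assumptions for the example.

```python
"""Toy execution profiler modelled on the claimed steps (illustrative only)."""
from dataclasses import dataclass, field


@dataclass
class Region:
    """A mapped memory region of the profiled process (constructed sample data)."""
    start: int
    end: int      # exclusive upper bound
    perms: str    # subset of "rwx"
    owner: str    # module that backs this region

    def contains(self, addr: int) -> bool:
        return self.start <= addr < self.end


@dataclass
class ProcessContext:
    regions: list                 # memory map of the process
    legitimate_modules: set       # modules the profiler trusts as owners of code
    malware_ranges: list          # (lo, hi) ranges the policy treats as suspicious (placeholders)

    def region_for(self, addr: int):
        return next((r for r in self.regions if r.contains(addr)), None)


@dataclass
class ProfileResult:
    findings: list = field(default_factory=list)
    potentially_malicious: bool = False
    security_action: str = "none"


def profile_segment(segment_addr: int, segment: list, ctx: ProcessContext) -> ProfileResult:
    """Inspect `segment` (a list of (mnemonic, operand) pairs) before it executes.

    Toy instruction set: "load"/"store" access memory at operand,
    "jmp"/"call" transfer control to operand.
    """
    result = ProfileResult()
    for mnem, operand in segment:
        if mnem in ("load", "store"):
            # Step 1: predict an exception condition. An access outside any mapped
            # region, or without the needed permission, would fault at run time.
            need = "r" if mnem == "load" else "w"
            region = ctx.region_for(operand)
            if region is None or need not in region.perms:
                result.findings.append(f"exception: {mnem} at {operand:#x} would fault")
        elif mnem in ("jmp", "call"):
            # Step 2: check the transfer target against the suspicious-range list.
            if any(lo <= operand < hi for lo, hi in ctx.malware_ranges):
                result.findings.append(f"transfer target in suspicious range: {operand:#x}")
            # A transfer into a non-executable or unmapped page is also an exception.
            region = ctx.region_for(operand)
            if region is None or "x" not in region.perms:
                result.findings.append(f"exception: {mnem} to non-executable {operand:#x}")
    # Step 3: validate that the code being profiled is owned by a legitimate module.
    owner = ctx.region_for(segment_addr)
    if owner is None or owner.owner not in ctx.legitimate_modules:
        result.findings.append("segment not owned by a legitimate module")
    # Step 4: designate the process and pick a security action.
    if result.findings:
        result.potentially_malicious = True
        result.security_action = "designate_for_additional_analysis"
    return result


def demo() -> dict:
    """Profile one benign and one suspicious segment against a constructed memory map."""
    ctx = ProcessContext(
        regions=[
            Region(0x400000, 0x401000, "rx", "app.exe"),     # main image code
            Region(0x600000, 0x601000, "rw", "app.exe"),     # main image data
            Region(0x7FF00000, 0x7FF10000, "rx", "libc"),    # trusted library
            Region(0x900000, 0x901000, "rwx", "<unbacked>"),  # region backed by no module
        ],
        legitimate_modules={"app.exe", "libc"},
        malware_ranges=[(0x900000, 0x901000)],  # placeholder entry for the example
    )
    benign = [("load", 0x600010), ("call", 0x7FF00020), ("store", 0x600020)]
    suspicious = [("store", 0x400500), ("jmp", 0x900200), ("load", 0x12345)]
    return {
        "benign": profile_segment(0x400010, benign, ctx),
        "suspicious": profile_segment(0x900010, suspicious, ctx),
    }


if __name__ == "__main__":
    for name, res in demo().items():
        print(name, res.security_action, res.findings)
```

The benign segment reads and writes its own data page and calls into a trusted library, so it produces no findings. The suspicious segment would fault on a write to a read-only code page and on a read of an unmapped address, jumps into the flagged range, and sits in a region no legitimate module owns; each of those is reported separately so an analyst can see which claimed check fired.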
Cited patent: Geiger, Fred J.; Wood, William K.; Tandon, Sonjaya T., Automated post office based rule analysis of e-mail messages and other data objects for controlled distribution in network environments.