Full Transparency in DBI frameworks
Vlad Crăciun, Andrei Mogage, Dorel Lucanu

TL;DR
This paper introduces COBAI, a user-friendly and transparent dynamic binary instrumentation framework for malware analysis, along with a benchmark suite to evaluate analysis evasion resistance.
Contribution
The paper presents COBAI, a novel DBI framework emphasizing ease of use and transparency, and a benchmark suite for assessing analysis evasion resistance.
Findings
COBAI is designed to be easier to use than existing DBI frameworks.
The benchmark suite measures how well an analysis solution resists analysis evasion mechanisms.
COBAI provides analysis transparency without imposing a significant overhead.
Abstract
Following the increasing trends of malicious applications or cyber threats in general, program analysis has become a ubiquitous technique in extracting relevant features. The current state-of-the-art solutions seem to fall behind new techniques. For instance, dynamic binary instrumentation (DBI) provides some promising results, but falls short when it comes to ease of use and overcoming analysis evasion. In this regard, we propose a two-fold contribution. First, we introduce COBAI (Complex Orchestrator for Binary Analysis and Instrumentation), a DBI framework designed for malware analysis, prioritizing ease of use and analysis transparency, without imposing a significant overhead. Second, we introduce an aggregated test suite intended to stand as a benchmark in determining the quality of an analysis solution regarding the protection against evasion mechanisms. The efficiency of our…
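The abstract does not list the individual tests in its evasion benchmark, so the following is an added example, not code from the paper or from COBAI: one of the simplest classes of evasion check such a suite exercises, an environment-artifact probe. A DBI runtime that is loaded into the analysed process (Intel Pin's pinbin, DynamoRIO's libdynamorio, Valgrind's preload shims) shows up in the process's own memory map; malware that finds such a mapping simply changes its behaviour. The marker list and the sample /proc/self/maps lines below are constructed for illustration (assumption), not captured from a real run.

```c
#include <stdio.h>
#include <string.h>

/* Substrings that betray an instrumentation runtime mapped into the analysed
 * process. Illustrative list (assumption): Intel Pin, DynamoRIO, Frida, Valgrind. */
static const char *const dbi_markers[] = {
    "pinbin", "libdynamorio", "frida-agent", "vgpreload", "valgrind", NULL
};

/* Constructed sample /proc/self/maps contents; not captured from any real process. */
static const char SAMPLE_CLEAN_MAPS[] =
    "55d0c3a00000-55d0c3a01000 r-xp 00000000 08:01 1234 /tmp/target\n"
    "7f1b2c000000-7f1b2c1c5000 r-xp 00000000 08:01 5678 /usr/lib/x86_64-linux-gnu/libc.so.6\n"
    "7ffd4c8e0000-7ffd4c901000 rw-p 00000000 00:00 0    [stack]\n";

static const char SAMPLE_PIN_MAPS[] =
    "55d0c3a00000-55d0c3a01000 r-xp 00000000 08:01 1234 /tmp/target\n"
    "7f1b2a000000-7f1b2a400000 r-xp 00000000 08:01 9999 /opt/pin/intel64/bin/pinbin\n"
    "7f1b2a400000-7f1b2a420000 rw-p 00400000 08:01 9999 /opt/pin/intel64/bin/pinbin\n"
    "7f1b2c000000-7f1b2c1c5000 r-xp 00000000 08:01 5678 /usr/lib/x86_64-linux-gnu/libc.so.6\n";

/* Bounded substring search so the scan never reads past the current line. */
static int line_contains(const char *line, size_t len, const char *needle)
{
    size_t n = strlen(needle);
    if (n == 0 || n > len) return 0;
    for (size_t i = 0; i + n <= len; i++)
        if (memcmp(line + i, needle, n) == 0) return 1;
    return 0;
}

/* Count mapping lines that name a known DBI artifact. If first_hit is
 * non-NULL, the first matching marker is copied into it. */
int count_dbi_artifacts(const char *maps_text, char *first_hit, size_t hit_len)
{
    int hits = 0;
    const char *line = maps_text;
    if (first_hit && hit_len) first_hit[0] = '\0';
    while (line && *line) {
        const char *nl = strchr(line, '\n');
        size_t len = nl ? (size_t)(nl - line) : strlen(line);
        for (const char *const *m = dbi_markers; *m; m++) {
            if (line_contains(line, len, *m)) {
                hits++;
                if (first_hit && hit_len && first_hit[0] == '\0')
                    snprintf(first_hit, hit_len, "%s", *m);
                break;                      /* count each line at most once */
            }
        }
        line = nl ? nl + 1 : NULL;
    }
    return hits;
}

/* Live probe of the running process (Linux only). Returns the number of
 * artifact lines, or -1 if /proc/self/maps cannot be read. */
int process_looks_instrumented(void)
{
    FILE *f = fopen("/proc/self/maps", "r");
    char buf[64 * 1024];
    size_t n;
    if (!f) return -1;
    n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    return count_dbi_artifacts(buf, NULL, 0);
}

int main(void)
{
    char hit[32];
    printf("clean sample: %d artifact lines\n",
           count_dbi_artifacts(SAMPLE_CLEAN_MAPS, hit, sizeof hit));
    printf("pin sample:   %d artifact lines (first marker: %s)\n",
           count_dbi_artifacts(SAMPLE_PIN_MAPS, hit, sizeof hit), hit);
    printf("this process: %d\n", process_looks_instrumented());
    return 0;
}
```

The point of the probe for a transparency benchmark is the inverse of the point for malware: a DBI framework that calls itself transparent must make the live check return 0 even though its runtime is mapped, for example by filtering the process's reads of /proc/self/maps. A complete suite would pair this artifact probe with checks the paper's abstract only alludes to collectively, such as timing discrepancies and stale code-cache behaviour after self-modification, which this example does not cover.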
Taxonomy
Topics: Advanced Malware Detection Techniques · Security and Verification in Computing · Software Testing and Debugging Techniques
