SaMOSA: Sandbox for Malware Orchestration and Side-Channel Analysis
Meet Udeshi, Venkata Sai Charan Putrevu, Prashanth Krishnamurthy, Ramesh Karri, Farshad Khorrami

TL;DR
SaMOSA is a modular Linux sandbox environment designed for comprehensive malware analysis in OT and CPS systems, capturing multiple synchronized side-channels and supporting customization for diverse analysis tasks.
Contribution
SaMOSA introduces a customizable Linux sandbox that captures multiple side-channels and emulates network services, filling a gap in malware analysis tools for OT and CPS environments.
Findings
Captures four time-synchronized side-channels: system calls, network traffic, disk I/O, and hardware performance counters.
Supports x86-64, ARM64, and PowerPC architectures.
Demonstrated effectiveness through three malware case studies.
Abstract
Cyber-attacks on operational technology (OT) and cyber-physical systems (CPS) have increased tremendously in recent years with the proliferation of malware targeting the Linux-based embedded devices used in OT and CPS systems. Comprehensive malware detection requires dynamic analysis of execution behavior in addition to static analysis of binaries. Executing malware safely, in a manner that captures the relevant behaviors via side-channels, requires a sandbox environment. Existing Linux sandboxes are built for specific tasks, capture only one or two side-channels, and offer no customization for different analysis tasks. We present the SaMOSA Linux sandbox, which allows emulation of Linux malware while capturing time-synchronized side-channels from four sources. SaMOSA additionally provides emulation of network services via FakeNet, and allows orchestration and customization of the sandbox…
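The abstract's key property is that the four channels are captured on one time base, so that a network connection, the system call that opened it, a burst of cache misses and a disk write can be read as one sequence of events. The following Python is an added example, not SaMOSA's code: it merges constructed samples of the four channel types (strace -ttt output, tcpdump -tt output, perf stat -I -x, output, and /proc/<pid>/io samples) onto a shared Unix-epoch timeline and correlates events across channels. The one alignment caveat it handles is that perf stat -I reports seconds since perf started rather than wall-clock time, so a capture start timestamp (the assumed PERF_START_EPOCH) is needed to place those events next to the others. All sample lines and the 10.0.0.x addresses are constructed.

```python
"""Merge several Linux side-channel captures onto one epoch time base.

Added illustration, not SaMOSA's code. Assumes syscalls and packets were
recorded with absolute timestamps (strace -ttt, tcpdump -tt), perf stat -I
timestamps are relative to a known start time, and disk counters were
polled from /proc/<pid>/io with time.time() stamps. All samples constructed.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    ts: float       # seconds since the Unix epoch (shared time base)
    channel: str    # "syscall", "net", "disk" or "hpc"
    detail: str


# Constructed strace -ttt output: absolute epoch seconds with microseconds.
STRACE_LINES = """\
1700000000.100000 execve("/tmp/payload", ["/tmp/payload"], 0x7ffd) = 0
1700000000.250000 connect(3, {sa_family=AF_INET, sin_port=htons(80), sin_addr=inet_addr("10.0.0.1")}, 16) = 0
1700000000.700000 openat(AT_FDCWD, "/tmp/.drop", O_WRONLY|O_CREAT, 0755) = 4
1700000000.710000 write(4, "\\177ELF...", 4096) = 4096
"""

# Constructed tcpdump -tt -n output: absolute epoch seconds.
TCPDUMP_LINES = """\
1700000000.251000 IP 10.0.0.5.43210 > 10.0.0.1.80: Flags [S], seq 1, length 0
1700000000.253000 IP 10.0.0.1.80 > 10.0.0.5.43210: Flags [S.], seq 2, ack 2, length 0
"""

# Constructed `perf stat -I 100 -x, -e instructions,cache-misses` output.
# The first column is seconds since perf started, not wall-clock time.
PERF_LINES = """\
0.100123,1500000,,instructions,100000000,100.00,,
0.100123,2000,,cache-misses,100000000,100.00,,
0.200456,4500000,,instructions,100000000,100.00,,
0.200456,90000,,cache-misses,100000000,100.00,,
"""
PERF_START_EPOCH = 1700000000.500000  # assumed: noted when perf was launched

# Constructed (timestamp, write_bytes) samples of /proc/<pid>/io.
DISK_SAMPLES = [(1700000000.600000, 0), (1700000000.800000, 4096)]

_STRACE_RE = re.compile(r"^(\d+\.\d+)\s+(\w+)\((.*)\)\s*=\s*(-?\w+)")
_TCPDUMP_RE = re.compile(r"^(\d+\.\d+)\s+IP\s+(\S+)\s+>\s+(\S+):\s+(.*)$")


def parse_strace(text):
    """strace -ttt lines -> syscall events keyed on name and return value."""
    return [Event(float(m[1]), "syscall", f"{m[2]} -> {m[4]}")
            for m in map(_STRACE_RE.match, text.splitlines()) if m]


def parse_tcpdump(text):
    """tcpdump -tt lines -> net events (src > dst plus TCP flags)."""
    return [Event(float(m[1]), "net", f"{m[2]} > {m[3]} {m[4]}")
            for m in map(_TCPDUMP_RE.match, text.splitlines()) if m]


def parse_perf(text, start_epoch):
    """perf stat -I -x, CSV -> hpc events, shifted from relative to epoch time."""
    events = []
    for line in text.splitlines():
        fields = line.split(",")
        if len(fields) < 4 or not fields[0].strip():
            continue
        rel, value, _unit, name = fields[:4]
        events.append(Event(start_epoch + float(rel), "hpc", f"{name}={value}"))
    return events


def parse_disk(samples):
    """Polled /proc/<pid>/io counters -> one disk event per observed increase."""
    events, prev = [], None
    for ts, write_bytes in samples:
        if prev is not None and write_bytes != prev:
            events.append(Event(ts, "disk", f"write_bytes +{write_bytes - prev}"))
        prev = write_bytes
    return events


def build_timeline(*channels):
    """Interleave all channels by timestamp; stable on ties within a channel."""
    return sorted((e for ch in channels for e in ch), key=lambda e: (e.ts, e.channel))


def correlate(timeline, anchor_channel, half_width):
    """For each event on anchor_channel, the other channels active within +/- half_width s."""
    return {
        a.detail: sorted({e.channel for e in timeline
                          if e.channel != anchor_channel and abs(e.ts - a.ts) <= half_width})
        for a in timeline if a.channel == anchor_channel
    }


if __name__ == "__main__":
    tl = build_timeline(parse_strace(STRACE_LINES), parse_tcpdump(TCPDUMP_LINES),
                        parse_perf(PERF_LINES, PERF_START_EPOCH), parse_disk(DISK_SAMPLES))
    for e in tl:
        print(f"{e.ts:.6f} {e.channel:8s} {e.detail}")
    print(correlate(tl, "net", 0.005))   # which channels fire around each packet
```

On the constructed data the SYN and SYN-ACK both land within 5 ms of the connect() syscall, and the 4096-byte write_bytes increase sits next to openat(), write() and the cache-miss spike; without the perf start offset the hpc events would be placed in 1970 and never correlate with anything.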
Taxonomy
Topics: Advanced Malware Detection Techniques · Cryptographic Implementations and Security · Network Security and Intrusion Detection
