TEMU: The BitBlaze Dynamic Analysis Component
The BitBlaze infrastructure provides a component, called TEMU, for
dynamic binary analysis. TEMU is built upon a whole-system emulator,
QEMU, and has the following functionalities:
- Dynamic taint analysis. TEMU is able to perform whole-system
dynamic taint analysis. After marking certain information sources (e.g.,
keystrokes, network inputs, reads from certain memory locations, and
function call outputs) as tainted, TEMU keeps track of the tainted
information as it propagates through the system. This feature also provides a
plug-in environment for mixed concrete and symbolic execution, in
which symbolic values are marked as tainted, and concrete values as
untainted.
- OS awareness. TEMU is able to reason about OS-level semantics, which is
essential for meaningful analysis. In particular, it understands which process
and module the current execution is in, and which API call is currently being
invoked, along with its argument information.
- In-depth behavioral analysis. TEMU is able to understand how an
analyzed binary interacts with the environment, such as what API calls are
invoked, and what outstanding memory locations are accessed. By marking the
inputs as tainted (i.e., symbolic), TEMU provides insights about how outputs
are formulated from inputs.
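
The tainting and propagation described in the feature list above, as an added example that is not TEMU or BitBlaze code: a toy byte-level tracker that labels each input byte with its offset, so that a sink can report which input bytes an output was formed from. The trace format, register names, addresses and the `send`/`log` API names are assumptions made for illustration.

```python
# Added illustration, not TEMU code. Each location's shadow entry is the set of
# input offsets that influenced it; empty means untainted. Data flow only.
BINOPS = {"xor": lambda x, y: x ^ y, "add": lambda x, y: x + y}

def run(trace, net_input):
    """Replay a constructed trace; return [(api, value, input_offsets)] per sink."""
    val, shadow, sinks = {}, {}, []
    def labels(loc):
        return shadow.get(loc, frozenset())
    def put(loc, value, taint):
        val[loc] = value & 0xFF
        shadow[loc] = frozenset(taint)   # overwriting replaces old taint

    for op, *a in trace:
        if op == "recv":                 # taint source: input lands at a[0]
            for i, byte in enumerate(net_input):
                put(a[0] + i, byte, {i})
        elif op == "const":              # dst <- immediate, untainted
            put(a[0], a[1], ())
        elif op == "mov":                # dst <- src, taint copied
            put(a[0], val.get(a[1], 0), labels(a[1]))
        elif op in BINOPS:               # dst <- dst OP src, taint unioned
            dst, src = a
            if op == "xor" and dst == src:
                put(dst, 0, ())          # result is constant 0: clear taint
            else:
                put(dst, BINOPS[op](val.get(dst, 0), val.get(src, 0)),
                    labels(dst) | labels(src))
        elif op == "call":               # sink: report argument provenance
            sinks.append((a[0], val.get(a[1], 0), sorted(labels(a[1]))))
        else:
            raise ValueError(f"unknown op {op!r}")
    return sinks

# Constructed sample: register names, addresses and API names are hypothetical.
TRACE = [
    ("recv", 0x1000),            # 4 network bytes at 0x1000..0x1003
    ("mov", "r0", 0x1000),       # r0 <- input[0]
    ("mov", "r1", 0x1002),       # r1 <- input[2]
    ("xor", "r0", "r1"),         # r0 now depends on input[0] and input[2]
    ("const", "r2", 0x20),
    ("add", "r0", "r2"),         # mixing in a constant keeps the taint
    ("mov", 0x2000, "r0"),
    ("call", "send", 0x2000),    # tainted byte reaches an output API
    ("xor", "r1", "r1"),
    ("call", "log", "r1"),       # untainted despite r1's history
]

if __name__ == "__main__":
    print(run(TRACE, b"ABCD"))
```

This toy follows explicit data dependencies only; a value chosen by a branch on tainted data would stay unlabelled here.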
Publications
- Panorama: Capturing System-wide Information Flow for Malware
Detection and Analysis.
Heng Yin, Dawn Song, Manuel Egele, Christopher Kruegel, and Engin Kirda.
To appear in Proceedings of the 14th ACM Conference of Computer and
Communication Security (CCS'07), October, 2007.
- Dynamic Spyware Analysis.
Manuel Egele, Christopher Kruegel, Engin Kirda, Heng Yin and Dawn Song.
In the Proceedings of USENIX Annual Technical Conference, June 2007.