Bibliographic Details
Main Authors: Caporaso, Pasquale, Bianchi, Giuseppe, Quaglia, Francesco
Format: Preprint
Published: 2024
Subjects:
Online Access: https://arxiv.org/abs/2404.16744
author Caporaso, Pasquale
Bianchi, Giuseppe
Quaglia, Francesco
contents Modern malware poses a severe threat to cybersecurity, continually evolving in sophistication. To combat this threat, researchers and security professionals continuously explore advanced techniques for malware detection and analysis. Dynamic analysis, a prevalent approach, offers advantages over static analysis by enabling observation of runtime behavior and detecting obfuscated or encrypted code used to evade detection. However, executing programs within a controlled environment can be resource-intensive, often necessitating compromises, such as limiting sandboxing to an initial period. In our article, we propose an alternative method for dynamic executable analysis: examining the presence of malicious signatures within executable virtual pages precisely when their current content, including any updates over time, is accessed for instruction fetching. Our solution, named JITScanner, is developed as a Linux-oriented package built upon a Loadable Kernel Module (LKM). It integrates a user-level component that communicates efficiently with the LKM using scalable multi-processor/core technology. JITScanner's effectiveness in detecting malware programs and its minimal intrusion in normal runtime scenarios have been extensively tested, with the experiment results detailed in this article. These experiments affirm the viability of our approach, showcasing JITScanner's capability to effectively identify malware while minimizing runtime overhead.
format Preprint
id arxiv_https___arxiv_org_abs_2404_16744
institution arXiv
publishDate 2024
record_format arxiv
title JITScanner: Just-in-Time Executable Page Check in the Linux Operating System
topic Cryptography and Security
url https://arxiv.org/abs/2404.16744