Jim Wu Internet Security Systems
Emulation is widely used for generic unpackers, behavioural AVs, and detection of polymorphic malware. The state-of-the-art emulation technology in AV has recently leaped from interpretation to dynamic binary translation (DBT), running roughly 5x to 15x faster than interpretation, but still tens of times slower than the real machine (VB2005). On the other hand, complex packers and polymorphic engines now run hundreds of millions of instructions and require seconds to emulate. We urgently need to explore the full potential of DBT and push it to within a 10x slowdown of the real machine.
This paper will trace DBT back to earlier academic and industrial research such as Stanford's Embra and Intel's SoftSDV, so that the large body of research on this mature technology can be harnessed for an AV emulation engine. The paper will show how to apply key DBT techniques such as code blocks and block chaining. Ways to shorten development time for instruction translation will be discussed. Furthermore, it will tackle challenges unique to AV, such as frequent self-modifying code, as well as efficient hooking with virtual Win32 APIs. Performance numbers and future work beyond DBT, such as hardware virtualization, will be discussed.