Full potential of dynamic binary translation for AV emulation engine

Jim Wu Internet Security Systems

  download slides (PDF)

Emulation is widely used for generic unpackers, behavioural AVs, and detection of polymorphic malware. The state-of-the-art emulation technology in AV has recently leaped from interpretation to dynamic binary translation (DBT), with performance numbers about 5x to 15x faster than those of interpretation, but still tens of times slower than the real machine (VB2005). On the other hand, complex packers and polymorphic engines now run hundreds of millions of instructions, and require seconds to emulate. We urgently need to explore the full potential of DBT, and push it within 10x slowdown of the real machine.

This paper will trace DBT to earlier academic and industrial researches such as Stanford's Embra and Intel's SoftSDV. That way we can harness the vast researches on this mature technology for AV emulation engine. The paper will show how to apply key DBT techniques such as code block and chaining. Ways to shorten development time for instruction translation will be discussed. Furthermore, it will tackle unique challenges for AV, such as frequent self-modifying code, as well as efficient hooking with virtual Win32 APIs. Performance numbers and future work beyond DBT, such as hardware virtualization, will be discussed.


We have placed cookies on your device in order to improve the functionality of this site, as outlined in our cookies policy. However, you may delete and block all cookies from this site and your use of the site will be unaffected. By continuing to browse this site, you are agreeing to Virus Bulletin's use of data as outlined in our privacy policy.