Design and implementation of a sandbox for facilitating and automating IoT malware analysis with techniques to elicit malicious behavior: case studies of functionalities for dissecting IoT malware

As malware poses a significant threat to IoT devices, the technology to combat IoT malware, like sandbox, has not received enough attention. The majority of efforts in existing researches have focused on x86-flavored binaries that are not used for IoT devices. In fact, we have witnessed that many sa...

Full description

Saved in:
Bibliographic Details
Published inJournal of Computer Virology and Hacking Techniques Vol. 19; no. 2; pp. 149 - 163
Main Authors Yonamine, Shun, Taenaka, Yuzo, Kadobayashi, Youki, Miyamoto, Daisuke
Format Journal Article
LanguageEnglish
Published Paris Springer Paris 01.06.2023
Springer Nature B.V
Subjects
Automation
Computer Science
Data analysis
Invited Paper
Malware
Virtual environments
Automated analysis
Malware
ARM
Dynamic analysis
Sandbox
IoT
Online AccessGet full text

Cover

More Information
Summary:As malware poses a significant threat to IoT devices, the technology to combat IoT malware, like sandbox, has not received enough attention. The majority of efforts in existing researches have focused on x86-flavored binaries that are not used for IoT devices. In fact, we have witnessed that many samples of IoT malware that can be observed in the wild are ARM binaries. In this paper, we propose a novel sandbox that is helpful to analyze and understand the IoT malware behavior. Our sandbox system, called Tamer, supports dynamic analysis for ARM binaries and has some features to automate and facilitate IoT malware analysis, like the automated interaction mechanism and the fake network environment for dynamic analysis. In addition, our system adopts features, like dynamic binary instrumentation and virtual machine introspection, which may allow retrieving further insights from malware. With the dataset of real-world malware, we demonstrated that our sandbox system can analyze IoT malware that is specifically designed for infecting IoT devices. Through an analysis experiment on a large number of IoT malware samples, we demonstrate a possibility that our system could facilitate a large scale analysis in an automated manner and retrieve further insights from IoT malware. Furthermore, we demonstrate that the information on IoT malware behavior using Tamer is helpful in understanding the details of IoT malware behavior from the data analysis perspective.
ISSN:2263-8733
2263-8733
DOI:10.1007/s11416-023-00478-x