Koichi Mouri
Ritsumeikan University
Publication
Featured research published by Koichi Mouri.
world congress on engineering | 2014
Yuto Otsuki; Eiji Takimoto; Takehiro Kashiyama; Shoichi Saito; Eric W. Cooper; Koichi Mouri
Recently, malware has become a major security threat to computers. Responding to threats from malware requires malware analysis and understanding malware behavior. However, malware analysts cannot spend the time required to analyze each instance of malware because unique variants of malware emerge by the thousands every day. Dynamic analysis is effective for understanding malware behavior within a short time. The method of analysis is to execute the malware and observe its behavior using debugging and monitoring tools. We are developing Alkanet, a malware analyzer that uses a virtual machine monitor based on BitVisor. Alkanet can analyze malware even if the malware applies anti-debugging techniques to thwart analysis by dynamic analysis tools. In addition, analysis overhead is reduced. Alkanet executes malware on Windows XP, and traces system calls invoked by threads. Therefore, the system can analyze malware that infects other running processes. Also, the system call logs are obtained in real time via an IEEE 1394 interface. Other programs can readily examine the log and process the analysis results to understand the intentions of malware behavior. In this paper, we describe the design and implementation of Alkanet. We confirm that Alkanet analyzes malware behaviors, such as copying itself, deleting itself, and creating new processes. We also confirm that Alkanet accurately traces threads injected by malware into other processes.
international symposium on computing and networking | 2016
Kohei Sato; Koichi Mouri; Shoichi Saito
Devices equipped with Android, which is the OS for mobile devices, have spread widely, and one user may own multiple devices. It is thought that the user uses multiple devices as appropriate to the situation. For example, the user may use a small device on the way, and a large device in the office. In such a situation, improving work efficiency requires changing the work environment seamlessly across multiple devices. We design and implement a platform to transmit an application currently in use to another device. This platform enables a user to resume work on the other device. The platform acquires the state of the application running on the transmission-side device, and transmits it using the communication between the devices. The application on the reception side is restored by the platform using the state. Bluetooth is used for the communication. We offer the platform as a function of Android OS. In this article, we describe the implementation of the platform, the measurements of the time needed to use it, and a consideration of the results of the measurements.
international workshop on security | 2007
Kazuhisa Suzuki; Koichi Mouri; Eiji Okubo
We have developed a privacy-aware operating system that focuses on preventing leakage of sensitive data such as personal information. The existing mandatory access control model is too restrictive for processes required to sustain the operations of user programs such as FTP, e-mail client applications, etc. In order to solve this problem, the proposed approach employs two techniques. First, the operating system kernel limits the execution of system calls only if the process could contribute to data leakage. Second, we implemented contexts; contexts are parameters or hints facilitating the evaluation of the risk of data leakage. These contexts also determine whether the kernel allows or disallows the execution of system calls. These techniques make it possible to realize a more adaptive and flexible data protection mechanism than the existing ones. This study describes the proposed approach.
pacific rim international symposium on dependable computing | 2013
Kenji Yoshida; Shoichi Saito; Koichi Mouri; Hiroshi Matsuo
We propose a method to solve problems that accompany recovering from operating system (OS) failures. First, to reduce recovery time, we make two OSes run simultaneously and configure them as an active-backup structure in one computer. This structure can provide a fast recovery from failures by a failover. Recovery time when using the proposed method is about 0.4 seconds at a minimum and up to about 10 seconds even if 2 GB memory is restored. Next, for smooth continuation of services after recovery, the proposed method preserves processes, their network connections, and file caches, and does not have runtime overhead to obtain a process execution status from the running active OS before a crash. In addition, the resources consumed to build the active-backup structure are only one CPU core and a small amount of memory. The hardware required to implement the proposed method is a multi-core processor and one disk for each OS; consequently, introduction of the proposed method incurs low cost. In the evaluation, we confirmed that the downtime was up to about 1.5 seconds when the active OS of the proposed system crashed while running a text editor, an NFS server, and a database server.
Technical report of IEICE. ISEC | 2005
Yoshimi Ichiyanagi; Kazuhisa Suzuki; Koichi Mouri; Eiji Okubo
world congress on engineering | 2012
Yuto Otsuki; Eiji Takimoto; Takehiro Kashiyama; Shoichi Saito; Eric W. Cooper; Koichi Mouri
Systems and Computers in Japan | 2000
Koichi Mouri; Eiji Okubo
IPSJ SIG Notes | 1995
Koichi Mouri; Hiroshi Yamada; Shoichi Saito; Motonori Nakamura; Eiji Okubo
B - Abstracts of IEICE TRANSACTIONS on Communications (Japanese Edition) | 2018
Shuhei Aketa; Eiji Takimoto; Shoichi Saito; Koichi Mouri
international symposium on computing and networking | 2017
Toshiki Takeuchi; Koichi Mouri; Shoichi Saito