Storage Mirroring for Bare-Metal Malware Analysis on FPGA Devices

Abstract

Malware continue to be a major security threat for computer systems. Due to their fast-growing number and increasing complexity, automated analysis methods are preferred by security analysts over manual ones. The automated dynamic analysis of malware executes the samples in controlled environments and monitors their potentially malicious behavior. Modern malware can detect these emulated or virtualized environments and suspend their malicious activities to foil the analysis. Consequently, the ultimate technique for analyzing the behavior of malware is through execution of the samples in bare metal analysis environments. Detection aside, restoring the analysis system to a clean state after each analysis is challenging. To resolve this, in this paper we propose an FPGA-implemented storage mirroring technique for instantaneous restoration of the storage device and the retrieval of the files having been modified during the sample execution.