Storage Mirroring for Bare-Metal Systems on FPGA Devices.

FPGA (2019)

Abstract
Malicious applications, malware, continue to be a major security threat for computer systems. Because the number and complexity of malware samples are growing rapidly, manual analysis has become impractical and security analysts prefer automated methods. Automated dynamic analysis of malware executes the samples in controlled environments and monitors the execution for potentially malicious behavior. The weakness of this method is that modern malware detects these emulated or virtualized environments and suspends its malicious activities to foil the analysis. Such malware exhibits semantically different behavior when running directly on computer system hardware, i.e. on bare-metal systems. Consequently, the ultimate technique for analyzing the behavior of malware is to execute the samples in bare-metal analysis environments. Restoring the system to a clean state after each sample analysis is, however, challenging. To restore the storage device of a bare-metal system to a clean state, in this paper we propose an FPGA-implemented storage mirroring technique that allows instantaneous restoration of the storage device and, optionally, retrieval of the files that were modified during the sample execution. The FPGA-based system can be integrated into commodity computer systems with Serial ATA storage devices. Retrieval of modified files is supported for systems running Windows operating systems with the NTFS file system. The experimental results demonstrate the viability of the solution.
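The abstract describes three capabilities of the mirroring device: the clean image survives whatever the sample writes, restoration is immediate, and the blocks the sample touched can be mapped back to files. The following Python model is an added illustration of that principle and is not the paper's FPGA design; it redirects every write into a shadow map, serves reads from the shadow when a block is dirty, and restores by discarding the shadow. The `MirroredDisk` class, the 16-byte block size, the golden image and the file-to-extent table standing in for an NTFS file-system walk are all constructed for the example.

```python
"""Conceptual model of a restorable mirrored block device.

Added illustration only: the real system in the paper is an FPGA sitting on the
Serial ATA path and walks the NTFS file system to name modified files. Here the
clean image, the block size and the file extent table are constructed stand-ins.
"""

BLOCK_SIZE = 16  # constructed: tiny blocks keep the demo readable (real sectors are 512/4096 bytes)


class MirroredDisk:
    """Redirect-on-write mirror: the clean image is never modified after setup.

    Guest writes land in a per-block shadow map; reads return the shadow copy
    when one exists and the clean block otherwise. restore() drops the shadow,
    which is why restoration costs nothing proportional to the disk size.
    """

    def __init__(self, clean_image: bytes) -> None:
        if len(clean_image) % BLOCK_SIZE:
            raise ValueError("image must be a whole number of blocks")
        self._clean = clean_image                # golden copy, read-only from here on
        self._shadow: dict[int, bytes] = {}      # lba -> current contents of a dirty block

    @property
    def nblocks(self) -> int:
        return len(self._clean) // BLOCK_SIZE

    def _clean_block(self, lba: int) -> bytes:
        return self._clean[lba * BLOCK_SIZE:(lba + 1) * BLOCK_SIZE]

    def _check_range(self, lba: int, count: int) -> None:
        if lba < 0 or count < 1 or lba + count > self.nblocks:
            raise IndexError(f"LBA range {lba}..{lba + count - 1} is outside the device")

    def read(self, lba: int, count: int = 1) -> bytes:
        self._check_range(lba, count)
        out = bytearray()
        for b in range(lba, lba + count):
            out += self._shadow[b] if b in self._shadow else self._clean_block(b)
        return bytes(out)

    def write(self, lba: int, data: bytes) -> None:
        if not data or len(data) % BLOCK_SIZE:
            raise ValueError("writes must be whole blocks")
        count = len(data) // BLOCK_SIZE
        self._check_range(lba, count)
        for i in range(count):
            b = lba + i
            chunk = data[i * BLOCK_SIZE:(i + 1) * BLOCK_SIZE]
            if chunk == self._clean_block(b):
                self._shadow.pop(b, None)  # rewritten to clean contents: no longer dirty
            else:
                self._shadow[b] = chunk

    def modified_blocks(self) -> list[int]:
        """Sorted LBAs whose current contents differ from the clean image."""
        return sorted(self._shadow)

    def changed_blocks(self) -> dict[int, tuple[bytes, bytes]]:
        """lba -> (clean contents, contents written by the sample), for retrieval before restore."""
        return {b: (self._clean_block(b), self._shadow[b]) for b in self.modified_blocks()}

    def restore(self) -> int:
        """Instantaneous restore: forget the shadow. Returns the number of blocks discarded."""
        n = len(self._shadow)
        self._shadow.clear()
        return n


def modified_files(disk: MirroredDisk, extents: dict[str, range]) -> list[str]:
    """Map dirty blocks back to file names via a file -> block-extent table.

    Constructed stand-in for walking the NTFS metadata on the clean image;
    parsing the real file system is outside this illustration.
    """
    dirty = set(disk.modified_blocks())
    return sorted(name for name, ext in extents.items() if dirty.intersection(ext))


def run_demo() -> dict:
    """One analysis cycle: sample writes, retrieve modified files, restore, verify."""
    # constructed 8-block golden image: block i is filled with byte value i
    clean = b"".join(bytes([i]) * BLOCK_SIZE for i in range(8))
    # constructed file table: which blocks each file occupies on the clean image
    extents = {"boot.ini": range(0, 2), "report.docx": range(2, 5), "log.txt": range(5, 8)}

    disk = MirroredDisk(clean)
    disk.write(3, b"X" * BLOCK_SIZE)  # the sample modifies report.docx
    disk.write(6, b"Y" * BLOCK_SIZE)  # and appends to log.txt

    files = modified_files(disk, extents)       # retrieve before restoring
    changed = disk.changed_blocks()
    discarded = disk.restore()
    return {
        "modified_files": files,
        "changed_blocks": changed,
        "discarded": discarded,
        "restored_clean": disk.read(0, disk.nblocks) == clean,
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

The ordering in `run_demo` is the point a practitioner should take from the abstract: modified-file retrieval must happen before the restore, because once the shadow is discarded the device holds no trace of what the sample wrote.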