Binary program analysis represents a fundamental pillar of modern system security. Fine-grained methodologies like dynamic taint analysis still suffer from deployment complexity and performance overhead despite significant progress. Traditional in-process analysis tools trigger severe \textbf{address-space conflicts} that inevitably disrupt the native memory layout of the target. These conflicts frequently cause layout-sensitive exploits and evasive malware to deviate from their intended execution paths or fail entirely. This paper introduces \textbf{HALF} as a novel framework that resolves this fundamental tension while ensuring both analysis fidelity and practical performance. HALF achieves high-fidelity address-space transparency by leveraging a kernel-assisted process hollowing mechanism. This design effectively eliminates the observation artifacts that characterize traditional instrumentation tools. We further mitigate the synchronization latency of decoupled execution by implementing an exception-driven strategy via a lightweight kernel monitor. Extensive evaluation of a Windows-based prototype demonstrates that HALF maintains superior performance compared to conventional in-process baselines. HALF also provides unique capabilities for deconstructing complex, stealthy threats where existing frameworks fail to maintain execution integrity.
翻译:二进制程序分析是现代系统安全的基础支柱。尽管取得了显著进展,但诸如动态污点分析等细粒度方法仍面临部署复杂性和性能开销的挑战。传统的进程内分析工具会引发严重的**地址空间冲突**,这种冲突不可避免地破坏目标程序的原始内存布局。这些冲突经常导致对布局敏感的漏洞利用和规避性恶意软件偏离其预期执行路径或完全失效。本文提出**HALF**作为一种新型框架,在确保分析保真度和实用性能的同时,从根本上解决了这一矛盾。HALF通过利用内核辅助的进程空洞化机制,实现了高保真的地址空间透明性。该设计有效消除了传统插桩工具固有的观测伪影。我们进一步通过轻量级内核监视器实现异常驱动策略,从而缓解解耦执行的同步延迟。基于Windows原型的广泛评估表明,与传统的进程内基线相比,HALF保持了更优的性能。在现有框架无法维持执行完整性的复杂隐蔽威胁解构场景中,HALF还展现出独特的能力。