Dynamic malware analysis requires executing untrusted binaries inside strongly isolated, rapidly resettable environments. In practice, many detonation workflows remain tied to heavyweight hypervisors or dedicated bare-metal labs, limiting portability and automation. This challenge has intensified with the adoption of ARM64 developer hardware (e.g., Apple Silicon), where common open-source sandbox recipes and pre-built environments frequently assume x86_64 hosts and do not translate cleanly across architectures. This paper presents pokiSEC, a lightweight, ephemeral malware detonation sandbox that packages the full virtualization and access stack inside a Docker container. pokiSEC integrates QEMU with hardware acceleration (KVM when available) and exposes a browser-based workflow that supports bring-your-own Windows disk images. The key contribution is a Universal Entrypoint that performs runtime host-architecture detection and selects validated hypervisor configurations (machine types, acceleration modes, and device profiles), enabling a single container image and codebase to launch Windows guests on both ARM64 and x86_64 hosts. We validate pokiSEC on Apple Silicon (ARM64) and Ubuntu (AMD64), demonstrating interactive performance suitable for analyst workflows and consistent teardown semantics via ephemeral container lifecycles.
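The abstract describes the Universal Entrypoint as runtime host-architecture detection followed by selection of a validated hypervisor configuration (machine type, acceleration mode, device profile). The POSIX shell script below is an added illustration of that idea written for this page; it is not pokiSEC's own entrypoint, and the machine types, CPU models and device choices in `select_profile` are assumptions drawn from common QEMU conventions rather than the paper's validated configurations. The script only builds the QEMU command line and echoes it, so the selection logic can be inspected without a guest image.

```shell
#!/bin/sh
# Added example, not pokiSEC's code: a minimal "universal entrypoint" sketch.
# It normalizes the host architecture, checks whether KVM is usable inside the
# container, and maps (arch, accel) to a QEMU machine/CPU/device profile.
# Profile values are assumptions chosen from common QEMU conventions.

# Normalize the kernel's architecture string to the two targets handled here.
normalize_arch() {
    case "$1" in
        x86_64|amd64)  echo "x86_64" ;;
        aarch64|arm64) echo "aarch64" ;;
        *)             echo "unsupported" ;;
    esac
}

detect_host_arch() {
    normalize_arch "$(uname -m)"
}

# KVM is usable only when /dev/kvm exists and the container was granted access
# to it (e.g. via a device mapping); otherwise fall back to software emulation.
kvm_available() {
    [ -c /dev/kvm ] && [ -r /dev/kvm ] && [ -w /dev/kvm ]
}

# Emit the hypervisor profile as "machine accel cpu devices" on one line.
# $1: normalized arch, $2: "kvm" or "tcg". Unknown combinations return 1.
select_profile() {
    case "$1:$2" in
        x86_64:kvm)  echo "q35 kvm host virtio-pci" ;;
        x86_64:tcg)  echo "q35 tcg qemu64 virtio-pci" ;;
        aarch64:kvm) echo "virt kvm host virtio-pci" ;;
        aarch64:tcg) echo "virt tcg cortex-a72 virtio-pci" ;;
        *)           return 1 ;;
    esac
}

# Build the QEMU argv for the selected profile. snapshot=on keeps guest writes
# out of the analyst-supplied disk image, so every run starts from the same
# state; restrict=on keeps the user-mode network stack from reaching the host
# network. The command is echoed rather than executed.
build_qemu_cmd() {
    arch="$1"; accel="$2"; disk="$3"
    profile="$(select_profile "$arch" "$accel")" || return 1
    # Word-split the profile into its four fields (intentional unquoted expansion).
    set -- $profile
    machine="$1"; acc="$2"; cpu="$3"
    echo "qemu-system-$arch -machine $machine,accel=$acc -cpu $cpu -m 4096 -smp 2" \
         "-drive file=$disk,if=virtio,format=qcow2,snapshot=on" \
         "-device virtio-net-pci,netdev=n0 -netdev user,id=n0,restrict=on" \
         "-display vnc=:0"
}

main() {
    arch="$(detect_host_arch)"
    if [ "$arch" = "unsupported" ]; then
        echo "unsupported host architecture: $(uname -m)" >&2
        return 1
    fi
    if kvm_available; then accel=kvm; else accel=tcg; fi
    build_qemu_cmd "$arch" "$accel" "${DISK_IMAGE:-/images/windows.qcow2}"
}

# Run only when invoked as the container entrypoint (file named entrypoint.sh),
# so the functions can also be sourced and exercised on their own.
case "$0" in
    *entrypoint.sh) main "$@" ;;
esac
```

Two caveats a practitioner would add before using a sketch like this for a Windows guest: on `aarch64` the `virt` machine needs UEFI firmware and virtio drivers in the guest, which the profile above does not supply, and KVM acceleration inside a container depends on the host kernel exposing `/dev/kvm` to that container, so the `kvm_available` check (rather than an unconditional `accel=kvm`) is what lets the same image start on hosts with and without hardware acceleration.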