An emulator, whether a hardware device or a software program, lets one system (the host) mimic the functions of a separate system (the guest). An emulation environment is most often used so that the host can run software, peripherals or other devices designed for the guest that would not otherwise run on the host.
In cyber security, emulation environments are used by security teams to analyze potentially malicious files and URLs. Emulation is one of the older methods of malware detection and is often discussed alongside its frequent counterpart, API hooking. Emulators used for malware analysis fall into one of two categories: (1) those that emulate the operating system (OS emulation), where the emulator itself answers the program's API calls with imitation objects, and (2) those that emulate the system hardware (system emulation), where a real guest operating system runs on an emulated CPU and devices. OS emulation is the less used of the two. Because the emulator has to reimplement every API it models, any call it leaves out or answers differently from a real system is a gap that malware can probe for, which makes OS emulation much easier to detect and evade; it is therefore seldom employed on its own, without other analysis methods.
When malware runs inside an emulation, the environment creates virtual objects on demand as the malware tries to interact with them; examples include regions of system memory and registry keys. Within the emulator these objects are only imitations of their real system counterparts, but they serve the purpose equally well: every interaction with them can be recorded, and that record provides insight into the suspicious program's behavior.
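The on-demand object model described above, as an added example written for this page rather than code from any real emulator: a registry imitation that materialises a key the first time the emulated program touches it, logs every interaction as a behavioural trace, and answers unmodelled values with `None`. The constructed sample program first fingerprints the machine and only then writes its persistence entry, which also illustrates the evasion point from the previous paragraph: the `InstallDate` value it asks for is one the thin emulator never seeded. All key paths, seeded values and the sample's behaviour are assumptions made up for the illustration.

```python
"""Minimal model of an OS emulator that creates objects only when touched.

Added example, not from the original article. Key paths, seeded values and
the sample program are constructed for illustration; a real emulator models
many more object types (files, mutexes, sockets) in the same lazy way.
"""
from dataclasses import dataclass, field
from typing import Optional

# Values a real Windows install always has; the emulator seeds them so that
# ordinary programs get plausible answers. (Constructed for this example.)
CURRENT_VERSION = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion"
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
SEEDED_VALUES = {
    CURRENT_VERSION: {"ProductName": "Windows 10 Pro", "CurrentBuild": "19045"},
}


@dataclass
class VirtualKey:
    path: str
    values: dict = field(default_factory=dict)


@dataclass
class VirtualRegistry:
    """Registry imitation: a key exists only once the sample has touched it."""
    seeds: dict = field(default_factory=lambda: dict(SEEDED_VALUES))
    keys: dict = field(default_factory=dict)    # materialised keys only
    trace: list = field(default_factory=list)   # (op, path, name, data)

    def _materialise(self, path: str) -> VirtualKey:
        key = self.keys.get(path)
        if key is None:
            key = VirtualKey(path, dict(self.seeds.get(path, {})))
            self.keys[path] = key
            self.trace.append(("create", path, None, None))
        return key

    def query_value(self, path: str, name: str) -> Optional[str]:
        value = self._materialise(path).values.get(name)  # None: not modelled
        self.trace.append(("query", path, name, value))
        return value

    def set_value(self, path: str, name: str, data: str) -> None:
        self._materialise(path).values[name] = data
        self.trace.append(("set", path, name, data))


def sample_program(reg: VirtualRegistry) -> bool:
    """Constructed stand-in for the emulated sample: fingerprint, then persist.

    Returns True when the sample believes it is on a real machine. The second
    query asks for a value every real install has but this emulator did not
    seed; the missing answer is the kind of gap that makes OS emulation easy
    to detect, and the sample exits quietly without revealing its persistence.
    """
    build = reg.query_value(CURRENT_VERSION, "CurrentBuild")
    install_date = reg.query_value(CURRENT_VERSION, "InstallDate")
    if build is None or install_date is None:
        return False
    reg.set_value(RUN_KEY, "Updater", r"C:\Users\Public\updater.exe")
    return True


def persistence_writes(trace: list) -> list:
    """Analyst-side check over the trace: writes beneath an autorun key."""
    return [(name, data) for op, path, name, data in trace
            if op == "set" and path.lower().endswith(r"\currentversion\run")]


def complete_seeds() -> dict:
    """Seeds for a more faithful emulator that also models InstallDate."""
    return {CURRENT_VERSION: {**SEEDED_VALUES[CURRENT_VERSION],
                              "InstallDate": "1690000000"}}
```

Running `sample_program` against a bare `VirtualRegistry()` materialises a single key and yields an empty `persistence_writes` result, because the sample spotted the gap and bailed out; against `VirtualRegistry(seeds=complete_seeds())` the Run-key write appears in the trace. The trade-off is the one the article goes on to describe: every extra value the emulator models closes a detection gap, at the cost of more work to build and maintain the imitation.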
Emulators are useful for monitoring the behavior of suspicious programs while consuming fewer resources than a full sandbox virtual machine: an OS emulator has no guest operating system image to boot or keep resident. Unfortunately, emulating an operating system is extremely cumbersome, and scalability is one of its major drawbacks. The emulator's footprint is small, but interpreting every instruction in software is computationally expensive, and runtimes can be extremely slow. That shortcoming can be offset by cutting corners and simplifying the emulated environment, but doing so invariably reduces the insight gained into the malware's activity. Finally, emulation introduces unavoidable timing penalties relative to a real system, and advanced malware can easily detect these discrepancies, for instance by timing a fixed amount of work or by checking that clocks which should advance together actually do.
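A timing check of the kind the last sentence refers to, as an added example written for this page and not taken from any real malware or emulator. It goes slightly beyond the article's one sentence by combining two signals: a fixed workload that overshoots a generous time budget (the instruction-interpretation penalty), and a wall-clock reading that disagrees with the CPU-time reading for the same work (one clock faked or fast-forwarded while the other is not). The budget, the tolerance, the workload size and the sample readings used in the usage note are all assumptions; `measure` takes live readings on whatever host runs it.

```python
"""Timing-consistency check of the kind malware uses to spot an emulator.

Added example, not from the original article. Thresholds and workload size
are assumptions chosen for CPython on ordinary hardware; the classification
logic is kept pure so it can be exercised on constructed readings.
"""
import time

WORK_ITERATIONS = 200_000        # fixed workload (assumption)
BUDGET_NS = 2_000_000_000        # 2 s: real hardware finishes far inside this (assumption)
SKEW_TOLERANCE = 4.0             # wall/CPU ratio beyond this is suspicious (assumption)


def _burn(iterations: int) -> int:
    """Deterministic busy loop; the result is returned so the work is real."""
    acc = 0
    for i in range(iterations):
        acc = (acc * 31 + i) & 0xFFFFFFFF
    return acc


def measure(iterations: int = WORK_ITERATIONS) -> tuple:
    """Return (wall_ns, cpu_ns) consumed by the fixed workload."""
    w0, c0 = time.perf_counter_ns(), time.process_time_ns()
    _burn(iterations)
    return (time.perf_counter_ns() - w0, time.process_time_ns() - c0)


def timing_verdict(wall_ns: int, cpu_ns: int,
                   budget_ns: int = BUDGET_NS,
                   tolerance: float = SKEW_TOLERANCE) -> str:
    """Classify one reading: plausible, too-slow, clock-skew or clock-frozen."""
    if wall_ns <= 0 or cpu_ns <= 0:
        return "clock-frozen"     # a clock that never advanced is itself a tell
    if wall_ns > budget_ns:
        return "too-slow"         # instruction interpretation overhead
    ratio = wall_ns / cpu_ns
    if ratio > tolerance or ratio < 1.0 / tolerance:
        return "clock-skew"       # clocks that should move together did not
    return "plausible"


def looks_emulated(samples, min_votes: int = 2) -> bool:
    """Vote across several readings so scheduler noise on a real host does not
    trigger a false positive from a single slow sample."""
    return sum(timing_verdict(w, c) != "plausible" for w, c in samples) >= min_votes


if __name__ == "__main__":
    readings = [measure() for _ in range(3)]
    print(readings, "emulated?" , looks_emulated(readings))
```

On constructed readings, `timing_verdict(30_000_000, 29_000_000)` is `"plausible"`, `timing_verdict(5_000_000_000, 4_900_000_000)` is `"too-slow"`, and `timing_verdict(30_000_000, 1_000_000)` is `"clock-skew"`. The defensive counterpart is the caveat the article hints at: an emulator can hide the penalty by driving every clock it exposes from one virtual time base that advances in step with the emulated instruction count, but every clock source it forgets to model is another inconsistency the sample can measure.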