Auther: Kevian A. Roudy and Barton P. Miller Speaker: Chun-Chih Wu Adviser: Pao, Hsing-Kuo.

Slides:

Advertisements

Similar presentations

Analyzing Regression Test Selection Techniques

Advertisements

Chapter 3 Basic Input/Output

Saumya Debray The University of Arizona Tucson, AZ

Programming Paradigms and languages

1 Exceptions, Interrupts & Traps Operating System Hebrew University Spring 2007.

Topics covered: CPU Architecture CSE 243: Introduction to Computer Architecture and Hardware/Software Interface.

Ensuring Operating System Kernel Integrity with OSck By Owen S. Hofmann Alan M. Dunn Sangman Kim Indrajit Roy Emmett Witchel Kent State University College.

Linear Obfuscation to Combat Symbolic Execution Zhi Wang 1, Jiang Ming 2, Chunfu Jia 1 and Debin Gao 3 1 Nankai University 2 Pennsylvania State University.

Anomaly Detection Using Call Stack Information Security Reading Group July 2, 2004 Henry Feng, Oleg Kolesnikov, Prahlad Fogla, Wenke Lee, Weibo Gong Presenter:

The Procedure Abstraction Part I: Basics Copyright 2003, Keith D. Cooper, Ken Kennedy & Linda Torczon, all rights reserved. Students enrolled in Comp 412.

Pipeline Exceptions & ControlCSCE430/830 Pipeline: Exceptions & Control CSCE430/830 Computer Architecture Lecturer: Prof. Hong Jiang Courtesy of Yifeng.

1 Presenter: Chien-Chih Chen Proceedings of the 2002 workshop on Memory system performance.

Maintaining and Updating Windows Server 2008

Group 5 Alain J. Percial Paula A. Ortiz Francis X. Ruiz.

What are Exception and Interrupts? MIPS terminology Exception: any unexpected change in the internal control flow – Invoking an operating system service.

Jarhead Analysis and Detection of Malicious Java Applets Johannes Schlumberger, Christopher Kruegel, Giovanni Vigna University of California Annual Computer.

Software Testing Verification and validation planning Software inspections Software Inspection vs. Testing Automated static analysis Cleanroom software.

Vulnerability-Specific Execution Filtering (VSEF) for Exploit Prevention on Commodity Software Authors: James Newsome, James Newsome, David Brumley, David.

A Portable Virtual Machine for Program Debugging and Directing Camil Demetrescu University of Rome “La Sapienza” Irene Finocchi University of Rome “Tor.

The Procedure Abstraction Part I: Basics Copyright 2003, Keith D. Cooper, Ken Kennedy & Linda Torczon, all rights reserved. Students enrolled in Comp 412.

Protection and the Kernel: Mode, Space, and Context.

CS 501: Software Engineering Fall 1999 Lecture 16 Verification and Validation.

Paradyn Project Dyninst/MRNet Users’ Meeting Madison, Wisconsin August 7, 2014 The Evolution of Dyninst in Support of Cyber Security Emily Gember-Jacobson.

Introduction Overview Static analysis Memory analysis Kernel integrity checking Implementation and evaluation Limitations and future work Conclusions.

Behavior-based Spyware Detection By Engin Kirda and Christopher Kruegel Secure Systems Lab Technical University Vienna Greg Banks, Giovanni Vigna, and.

Computer Science Open Research Questions Adversary models –Define/Formalize adversary models Need to incorporate characteristics of new technologies and.

Department of Computer Science A Static Program Analyzer to increase software reuse Ramakrishnan Venkitaraman and Gopal Gupta.

Analysis of Branch Predictors

CSC-682 Cryptography & Computer Security Sound and Precise Analysis of Web Applications for Injection Vulnerabilities Pompi Rotaru Based on an article.

1 Malware Analysis and Instrumentation Andrew Bernat and Kevin Roundy Paradyn Project Paradyn / Dyninst Week Madison, Wisconsin May 2-4, 2011.

Lecture 3 Process Concepts. What is a Process? A process is the dynamic execution context of an executing program. Several processes may run concurrently,

Debugging in Java. Common Bugs Compilation or syntactical errors are the first that you will encounter and the easiest to debug They are usually the result.

©Ian Sommerville 2004Software Engineering, 7th edition. Chapter 22 Slide 1 Software Verification, Validation and Testing.

UBI >> Contents Chapter 2 Software Development tools Code Composer Essentials v3: Code Debugging Texas Instruments Incorporated University of Beira Interior.

MICHALIS POLYCHRONAKIS(COLUMBIA UNIVERSITY,USA), KOSTAS G. ANAGNOSTAKIS(NIOMETRICS, SINGAPORE), EVANGELOS P. MARKATOS(FORTH-ICS, GREECE) ACSAC,2010 Comprehensive.

© Janice Regan, CMPT 300, May CMPT 300 Introduction to Operating Systems Memory: Relocation.

1 OmniUmpack: Fast, Generic, and Safe Unpacking of Malware Authors: Lerenzo Martignoni, Mihai Christodorescu and Somesh Jha Computer Security Applications.

RAID 2010 Hybrid Analysis and Control of Malware Barton P. Miller 1 Hybrid Analysis of Program Binaries 1 Kevin A. Roundy

Cache Coherence Protocols 1 Cache Coherence Protocols in Shared Memory Multiprocessors Mehmet Şenvar.

Eureka: A Framework for Enabling Static Malware Analysis the 13 th European Symposium on Research in Computer Security (ESORICS) conference 2008 WANG Zhi.

Virtual 8086 Mode  The supports execution of one or more 8086, 8088, 80186, or programs in an protected-mode environment.  An 8086.

Exceptional Control Flow Topics Exceptions except1.ppt CS 105 “Tour of the Black Holes of Computing”

Processor Architecture

Operating Systems ECE344 Ashvin Goel ECE University of Toronto Demand Paging.

Multilevel Caches Microprocessors are getting faster and including a small high speed cache on the same chip.

Full and Para Virtualization

Efficient software-based fault isolation Robert Wahbe, Steven Lucco, Thomas Anderson & Susan Graham Presented by: Stelian Coros.

Question What technology differentiates the different stages a computer had gone through from generation 1 to present?

1 Xen and the Art of Binary Modification Lies, Damn Lies, and Page Frame Addresses Greg Cooksey and Nate Rosenblum, March 2007.

COMP091 – Operating Systems 1 Memory Management. Memory Management Terms Physical address –Actual address as seen by memory unit Logical address –Address.

Beyond Stack Smashing: Recent Advances In Exploiting Buffer Overruns Jonathan Pincus and Brandon Baker Microsoft Researchers IEEE Security and.

Interrupts and Exception Handling. Execution We are quite aware of the Fetch, Execute process of the control unit of the CPU –Fetch and instruction as.

© Janice Regan, CMPT 300, May CMPT 300 Introduction to Operating Systems Operating Systems Overview: Using Hardware.

An Offline Approach for Whole-Program Paths Analysis using Suffix Arrays G. Pokam, F. Bodin.

Running Commodity Operating Systems on Scalable Multiprocessors Edouard Bugnion, Scott Devine and Mendel Rosenblum Presentation by Mark Smith.

Maintaining and Updating Windows Server 2008 Lesson 8.

1 University of Maryland Using Information About Cache Evictions to Measure the Interactions of Application Data Structures Bryan R. Buck Jeffrey K. Hollingsworth.

Qin Zhao1, Joon Edward Sim2, WengFai Wong1,2 1SingaporeMIT Alliance 2Department of Computer Science National University of Singapore

Computer Security: Chapter 5 Operating Systems Security.

A Single Intermediate Language That Supports Multiple Implemtntation of Exceptions Delvin Defoe Washington University in Saint Louis Department of Computer.

Introduction to Operating Systems Concepts

Kernel Code Coverage Nilofer Motiwala Computer Sciences Department

Harvesting Runtime Values in Android Applications That Feature Anti-Analysis Techniques Presented by Vikraman Mohan.

Pipelining: Advanced ILP

Functional Units.

Architectural Support for OS

Sampoorani, Sivakumar and Joshua

Architectural Support for OS

Fault Tolerant Systems in a Space Environment

Dynamic Binary Translators and Instrumenters

Presentation transcript:

Auther: Kevian A. Roudy and Barton P. Miller Speaker: Chun-Chih Wu Adviser: Pao, Hsing-Kuo

Introduction Thechnical Overview Parsing Dynamic Capture Response to Overwritten Code Signal- and Exception-Handler Analysis Experimential Results Conclusion Outline

Malware software infects computer systems at an alarming rate, causing economic damages that are estimated at more than billon dollars per year. A primary goal of malware authors is to make these task as difficult and resource intensive as possible. This explain why 90% of malware binary employ analysts-resistance technique, the most prevalent of which are the run-time modifications to existing code, and obfuscations of control transfer in the code. Introduction

The goal of the research is to simplify malware analysis by enabling a return to the traditional analyze-then-execute model. We address these these goals by combining static and dynamic techniques to construct and maintain the control- and data-flow analyses that form the interface through which the analyst under stands and instruments the code

the work makes the following contributions: 1.Pre-execution analysis and instrumentation makes it possible for the analyst to control the execution of malicious code. 2.We give the analyst the ability to instrument malware intuitively and efficiently by providing data-flow analysis capabilities and a control flow graph (CFG) as an interface to the code. 3.The structural analysis allows analysts to be selective in the components they monitor, the operations in those components that they select, and in the granularity of data they collect 4.By combining static and dynamic techniques we allow the analyst to find and analyze code that is beyond the reach of either static and dynamic analysis alone.

Parsing Dynamic Capture Response to Overwritten Code Signal- and Exception-Handler Analysis

Parsing allows us to find and analyze binary code by traversing statically analyzable control flow starting from known entry points into the code. Our initial analysis of the code may be incomplete, but we can fall back on our dynamic capture techniques to find new entry points into the code and use them to reseed our parsing algorithm.

The purpose of our parsing algorithm is to accurately identify binary code and analyze the program’s structure producing an interprocedural control flow graph of the program. The completing goal of good coverage is relatively less important, because our dynamic techniques compensate for lapses in coverage by capturing statically un-analyzable code at run-time and triggering additional parsing.

Control-flow traversal parsing is the basis for most accurate parsing techniques, but make three unsafe assumptions about control flow that can reduce its accuracy. 1.It assumes that function-call sites are always followed by valid code sequence. 2.The algorithm assumes that control flow is only redirected by control transfer instructions. 3.The algorithm assumes that both targets of conditional branch instructions can be taken and therefore contain valid code

Dynamic capture techniques allow us to find and analyze code that is missed by static analysis either because it is not generated until run-time or because it is not reachable through statically analyzable control flow.

Control transfer instructions that use registers or memory values to determine their targets Return instructions of possibly non-returning functions Control transfer instructions into invalid or uninitialized memory regions Instructions that terminate a code sequence by reaching the end of initialized memory

Code overwrites invalidate portions of an existing code analysis and introduce new code that has not yet been analyzed. We adapt DIOTA’s mechanism for detecting code overwrites by write-protecting memory pages that contain code and handling the signals that result from write attempts.

Code overwrites cause significant problems for binary analysis. Most analysis tools cannot analyze overwritten code because they rely on static CFG representations of the code. Code overwrites cause problems for CFGs by simultaneously invalidating portions of the CFG and introducing new code that has yet to be analyzed. We have developed techniques to address this problem by updating the program’s CFG and analyzing overwritten code before it executes.

We use dynamic analysis to resolve signal- and exception-based control transfer obfuscations. We detect signal- and exception-raising instructions and find their dynamically registered handlers through standard techniques, and then add the handlers to our analysis and instrument them to control their execution.

Analysis-resistant programs are often obfuscated by signal- and exception-based control flow. Static analyses cannot reliably determine which instructions will raise signals or exceptions, and have difficulty finding signal and exception handlers, as they are usually registered at run-time Signal and exception handlers can further obfuscate the program by redirecting control flow. When a signal or exception is raised, the operating system gives the handler context information about the fault, including the program counter value. The handler can modify this saved PC value to cause the OS to resume the program’s execution at a different address. The handler overwrites the saved PC value with the address of the program’s original entry point (OEP), causing the OS to resume the program’s execution at its OEP.

1.Load the program into memory, paused at its entry point 2.Remove debugging artifacts 3.Parse from known entry points 4.Instrument newly discovered code 5.Resume execution of the program 6.Handle code discovery event, adding new entry points 7.Goto 3 The key feature of this algorithm is that it allows all of the program’s code to be analyzed and instrumented before it executes. Algorithm for binary code discovery, analysis, and instrumentation

Experimential Results

We set up our malware analysis factory on an air-gapped system with a 32-bit Intel-x86 processor running Windows XP with Service Pack 2 inside of VMWare Server. We then analyzed 200 malware samples. Our tool detected code unpacking in 27% of the samples, code overwrites in 16%, and signal-based control flow in 10%. 33% of the malicious code analyzed by our hybrid techniques was not part of the dynamic execution trace and would not have been identified by dynamic analysis. Malware Analysis

We create a hybrid analysis algorithm that makes it possible to analyze and control the execution of malicious program binaries in a way that is both more intuitive and more efficient than existing methods

Ongoing research in the Dyninst project promises to address the two primary limitations of this work. 1.our instrumentation’s changes to the program’s address space can be detected through anti-tampering techniques such as selfchecksumming. 2.our parsing techniques assume that the targets of conditional control transfers always represent real code, meaning that the obfuscation proposed could be used to pollute our parse with non-code bytes, potentially causing us to instrument data and causing the program to malfunction.