Virtualization and Binary Centric Approach to Malware Analysis

PIs: Heng Yin at Syracuse University

Project Overview
The objective of this project is to advance malware analysis techniques along two thrusts:
• Build a powerful and robust binary analysis framework
• Tackle both newly emerging and long-standing security problems with that analysis framework

DECAF: Dynamic Executable Code Analysis Framework

Multi-Target Analysis Framework
• Architecture: ARM, X86, 32-bit/64-bit
• OS: XP, Win7, Linux, Android

Designed for In-depth Security Analysis
• External Monitoring
• Efficient for Fine-grained Instrumentation

Multi-Layer Semantic View Extraction
• Seamlessly Reconstruct OS & Dalvik Views [USENIX Security 2012]

Transparent Analysis
• Heterogeneous Record & Replay: HVM -> S/W Emulation [VEE'12]

The source code will soon be released!

Multi-Stage Exploit Diagnosis [NDSS'12]
• Objective: Automatically analyze and classify sophisticated multi-stage software exploits
• Solution: Identify pointer misuses (i.e., Key Attack Steps) through dynamic type inference; generate a dependency graph to characterize exploit steps

Robust Memory Forensics (Preliminary)
• Challenges: 1) Limited knowledge, no source code access to the OS kernel; 2) Complexity in kernel data structures (e.g., generic pointers, polymorphism); 3) Subject to DKOM attacks
• Solution: 1) Dynamic binary analysis to construct concrete data structure graphs; 2) Apply the Random Surf model; 3) Probabilistically recognize kernel objects with high precision and robustness

High-Fidelity Tainting [Preliminary]
• Problems: 1) Existing taint policies are ad hoc; 2) Plenty of implementations exist for different architectures and platforms, but they are error prone and incomplete
• Solution: 1) Formal modeling and verification; 2) IR-level implementation: "one correct implementation for all"

Interested in meeting the PIs? Attach post-it note below!

NSF Secure and Trustworthy Cyberspace Inaugural Principal Investigator Meeting
Nov. 27-29th 2012
National Harbor, MD
